OneDrive Ransomware: Protection, Attack Sources, and Recovery

OneDrive Ransomware and How to Protect Against It?

Saving files to OneDrive is convenient and easy. That convenience, though, misleads uninformed users into thinking that OneDrive can be treated as a ransomware-proof backup.

Ransomware infection is a widespread problem nowadays—a new attack occurs approximately every 14 seconds. As one of the leading anti-ransomware solutions providers, we would like to share our view on this issue.

Before jumping in, let’s clarify one misconception that leads to many OneDrive files getting corrupted:

OneDrive is not your backup.

It is cloud storage, managed by you, which makes it subject to various security threats. Ransomware is one of them. So what happens when ransomware infects your OneDrive? How do you protect files from ransomware? And what can you do to restore your files and secure them from malware in the future? Let’s find out.

Sources of OneDrive Ransomware

Ransomware is a type of malware that infects your device and encrypts files on it, making them unavailable. To decrypt those files and regain access, you must pay a ransom, usually in Bitcoin.

The ransom payment can start from $300 for individual users and go up to a staggering $1 billion for enterprises and governmental organizations.

How can ransomware infect OneDrive? There are three ways: 

  • Through the OneDrive sync client. It synchronizes the files on your computer with OneDrive and copies all file changes automatically. Therefore, if data on your computer gets corrupted by ransomware, these changes automatically spill over to your OneDrive through synchronization.
  • Through permission requests for access to OneDrive. These can come from add-ons, extensions, and even links in phishing emails that require you to grant access to OneDrive in order to work.
  • Through hacking the administrator’s account. If a threat actor sneaks into your OneDrive environment through the admin account, consider all your data encrypted, leaked, or gone. Usually, the “invasion” of the OneDrive virus happens through password spraying or tricking the administrator into giving out their credentials.

Native OneDrive Ransomware Recovery & Its Limitations

So, you’ve caught OneDrive malware, and your files are ransomed. What to do next?

When OneDrive ransomware is detected and you don’t have a backup, you can try to restore your files to previous, clean versions. This option comes with many limitations, which we cover in detail in the next section. But let’s assume you have avoided all of those limitations.

What to Do If Ransomware Attacked Your OneDrive

To roll back your OneDrive files to the time before the attack:

1. Go to your OneDrive and log in with the correct account. 

2. If the account is personal, go to the top of the page and select Settings>Options and pick Restore your OneDrive. 

In case you are signed in with a work or school account, press Settings>Restore your OneDrive.

3. On the Restore page, click the arrow and choose a date from the dropdown list, or set a custom date and time. In our case, you are restoring files because of ransomware, so the system will suggest the most appropriate date.

4. The next step is to undo all the activities that made the restoration necessary. These can be deletions or overwrites: in our case, it is malware. You’ll be presented with the activity chart, where you can review all the recent activities that have occurred with your files. You’ll see the volume of daily file activity over the last 30 days.

If you chose a custom date, pick the earliest activity you want to undo. All activities after it will be selected and undone automatically. But since they will be hidden, you need to scroll to the top of the activity feed to review them before clicking Restore.

After that, the files on your OneDrive will be restored to the pre-ransomware state. If for some reason you want to undo the restore itself, you can repeat the procedure above and include the restore action as the activity you want to undo.
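The date-picking step above can be sanity-checked offline against an exported activity list. The following is an added example, not part of the original article and not Microsoft's or SpinOne's code: it finds the earliest activity of a mass-rename burst and the restore point just before it. The feed format, thresholds and function names are assumptions, and the sample feed is constructed.

```python
from collections import Counter
from datetime import datetime, timedelta

def build_sample_feed():
    """Constructed activity feed (timestamp, action, path); not real OneDrive output."""
    feed = [
        ("2024-03-01T09:15:00", "edit", "Reports/q1.xlsx"),
        ("2024-03-02T14:02:00", "edit", "Notes/todo.docx"),
        ("2024-03-04T10:40:00", "upload", "Photos/team.jpg"),
        ("2024-03-05T08:30:00", "edit", "Reports/q1.xlsx"),  # user activity after the burst
    ]
    start = datetime(2024, 3, 5, 3, 12, 0)
    for i in range(40):  # 40 synced renames in about two minutes
        ts = (start + timedelta(seconds=3 * i)).isoformat()
        feed.append((ts, "rename", f"Docs/file{i}.docx.locked"))
    return feed

def extension(path):
    """Lower-cased final extension of a path, or '' if the file name has none."""
    name = path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""

def find_restore_point(feed, window=timedelta(minutes=5), min_events=20, min_share=0.8):
    """Return (restore_to, first_affected_path), or None if no burst is found.

    A burst is at least `min_events` edit/rename events inside `window` where
    `min_share` of them end in one extension never seen earlier in the feed.
    The thresholds are illustrative assumptions, not product defaults.
    """
    events = sorted((datetime.fromisoformat(ts), action, path) for ts, action, path in feed)
    seen = set()  # extensions observed before the current position
    for i, (t0, _, path0) in enumerate(events):
        burst = [e for e in events[i:] if e[0] - t0 <= window and e[1] in ("edit", "rename")]
        if len(burst) >= min_events:
            top_ext, count = Counter(extension(e[2]) for e in burst).most_common(1)[0]
            if top_ext not in seen and count / len(burst) >= min_share:
                first = next(e for e in burst if extension(e[2]) == top_ext)
                # Restore to just before the earliest affected activity.
                return first[0] - timedelta(seconds=1), first[2]
        seen.add(extension(path0))
    return None

def activities_undone(feed, restore_to):
    """Everything after the restore point is undone, legitimate edits included."""
    return [p for ts, _, p in feed if datetime.fromisoformat(ts) > restore_to]
```

On the constructed feed, the legitimate 08:30 edit to Reports/q1.xlsx falls after the restore point, so it is rolled back together with the 40 renamed files and has to be redone by hand.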

But, of course, it is not that simple.

Limitations of OneDrive Files Restore

To be able to roll back your files like in the example above, you need to meet all the requirements and rules, which is often not the case.

1) If you have a standard OneDrive-for-business package or don’t have an Office 365 subscription, the Files Restore function is unavailable for you. In this case, backup is your only option.

2) Version history must be turned on. Otherwise, it is impossible to restore files from previous versions. To turn it on, go to the versioning configuration and enable versioning.

3) You can’t restore deleted files if they have been erased from the recycle bin. For example, if your shared files on OneDrive were hit by ransomware and then someone deleted them and emptied the recycle bin, you won’t be able to recover them.

4) You can’t restore pictures.

5) If you re-uploaded a file or folder after deleting it, that file or folder won’t be part of the restore operation.

6) Last but not least, many new strains of ransomware are capable of infiltrating the different file versions and infecting them, making any rollback to previous versions meaningless.

As you can see, even enabling version history can’t fully secure your OneDrive data when it comes to malware, deletions, or data corruption, because, as we mentioned above, cloud storage is not a backup.

How to Protect OneDrive From Ransomware and Data Loss

How safe is OneDrive in general? If you don’t use the necessary measures to protect it, it won’t be safe at all.

We strongly advise you to use the whole arsenal of protection. Solid OneDrive ransomware protection includes both the native capabilities of Office 365 and third-party backup and ransomware protection software. Such tools will increase your chances of avoiding ransomware and of seamlessly restoring your files in case of disaster. Otherwise, you can lose your top business asset at the snap of a finger.

The best practices of OneDrive ransomware protection include:

1. Set up filters in Office 365 email malware protection:

  • Forbid sending and receiving executable content like zip files;
  • Block JavaScript and VBScript attachments;
  • Block documents with macros;
  • Blacklist formats like .RTF, .PPT, or .DOC.

All those formats are most often used as malware transmitters.

2. Set up anti-phishing policies in Office 365.

3. Train yourself and other users on what not to open or click. Start with the article 5 main sources of ransomware and learn how to recognize the threat. Taking some basic cybersecurity training (which is often free) is also a good idea and should be your next step.

4. Set up a third-party online backup that is immune to ransomware. In addition to OneDrive backup, our solution provides 24/7 ransomware protection. Our solution automatically detects ransomware, stops it from spreading, identifies and recovers the damaged files.

May your OneDrive be safe, and good luck!