Recover from a ransomware attack in Microsoft 365

Even if you take every precaution to protect your organization, you can still fall victim to a ransomware attack. Ransomware is big business, and in today's threat landscape Microsoft 365 is an ever-increasing target for sophisticated attacks.

The steps in this article will give you the best chance to recover data and stop the internal spread of infection. Before you get started, consider the following items:

  • There's no guarantee that paying the ransom will return access to your files. In fact, paying the ransom can make you a target for more ransomware.

    If you already paid, but you recovered without using the attacker's solution, contact your bank to see if they can block the transaction.

    We also recommend that you report the ransomware attack to law enforcement, scam reporting websites, and Microsoft as described later in this article.

  • It's important that you respond quickly to the attack and its consequences. The longer you wait, the less likely it is that you can recover the affected data.

Step 1: Verify your backups

If you have offline backups, you can probably restore the encrypted data after you've removed the ransomware payload (malware) from your environment and after you've verified that there's no unauthorized access in your Microsoft 365 environments.

If you don't have backups, or if your backups were also affected by the ransomware, you can skip this step.

Step 2: Disable Exchange ActiveSync and OneDrive sync

The key point here is to stop the spread of data encryption by the ransomware.

If you suspect email as a target of the ransomware encryption, temporarily disable user access to mailboxes. Exchange ActiveSync synchronizes data between devices and Exchange Online mailboxes.

To disable Exchange ActiveSync for a mailbox, see How to disable Exchange ActiveSync for users in Exchange Online.

To disable other types of access to a mailbox, see:

Pausing OneDrive sync will help protect your cloud data from being updated by potentially infected devices. For more information, see How to Pause and Resume sync in OneDrive.
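
One way to script the mailbox part of this step, as an added example rather than a script from Microsoft's documentation: it saves each affected mailbox's current protocol settings to a CSV before disabling access, so that Step 7 can restore the exact pre-incident state. It assumes the ExchangeOnlineManagement module with an existing `Connect-ExchangeOnline` session; the addresses, the CSV path, and the choice of protocols beyond ActiveSync are assumptions.

```powershell
# Added example, not Microsoft's script. Assumes the ExchangeOnlineManagement
# module and an existing Connect-ExchangeOnline session.
$Protocols = 'ActiveSyncEnabled', 'OWAEnabled', 'MAPIEnabled', 'PopEnabled', 'ImapEnabled'

function Save-CasState {
    param([string[]]$Identity, [string]$Path)
    # Record each mailbox's current protocol settings before changing anything.
    $rows = foreach ($id in $Identity) {
        $cas = Get-CASMailbox -Identity $id
        $state = [ordered]@{ Identity = $id }
        foreach ($p in $Protocols) { $state[$p] = [bool]$cas.$p }
        [pscustomobject]$state
    }
    $rows | Export-Csv -Path $Path -NoTypeInformation
}

function Disable-MailboxAccess {
    param([string[]]$Identity, [switch]$AllProtocols)
    # Default: ActiveSync only. -AllProtocols also turns off the other listed protocols.
    $toDisable = if ($AllProtocols) { $Protocols } else { @('ActiveSyncEnabled') }
    foreach ($id in $Identity) {
        $params = @{ Identity = $id }
        foreach ($p in $toDisable) { $params[$p] = $false }
        Set-CASMailbox @params
    }
}

function Restore-CasState {
    param([string]$Path)
    # Put back exactly what was recorded, so protocols that were already
    # disabled by policy before the incident stay disabled.
    foreach ($row in Import-Csv -Path $Path) {
        $params = @{ Identity = $row.Identity }
        foreach ($p in $Protocols) { $params[$p] = [bool]::Parse($row.$p) }
        Set-CASMailbox @params
    }
}

# Constructed sample values; replace with the affected users.
$affected = 'user1@contoso.example', 'user2@contoso.example'
$snapshot = '.\cas-state-before-containment.csv'

Save-CasState -Identity $affected -Path $snapshot
Disable-MailboxAccess -Identity $affected          # add -AllProtocols if needed
# Later, once devices are clean and data is recovered (Step 7):
# Restore-CasState -Path $snapshot
```

Keep the snapshot file somewhere the affected devices can't write to, because it becomes the record of what to re-enable.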

Step 3: Remove the malware from the affected devices

Run a full, current antivirus scan on all suspected computers and devices to detect and remove the payload that's associated with the ransomware.

Don't forget to scan devices that are synchronizing data, or the targets of mapped network drives.

You can use Windows Defender or (for older clients) Microsoft Security Essentials.

An alternative that will also help you remove ransomware or malware is the Malicious Software Removal Tool (MSRT).

If these options don't work, you can try Windows Defender Offline or Troubleshoot problems with detecting and removing malware.

Step 4: Recover files on a cleaned computer or device

After you've completed the previous step to remove the ransomware payload from your environment (which will prevent the ransomware from encrypting or removing your files), you can use File History in Windows 11, Windows 10, and Windows 8.1, or System Protection in Windows 7, to attempt to recover your local files and folders.

Notes:

  • Some ransomware will also encrypt or delete the backup versions, so you can't use File History or System Protection to restore files. If that happens, you need to use backups on external drives or devices that were not affected by the ransomware, or OneDrive as described in the next section.

  • If a folder is synchronized to OneDrive and you aren't using the latest version of Windows, there might be some limitations using File History.

Step 5: Recover your files in your OneDrive for Business

Files Restore in OneDrive for Business allows you to restore your entire OneDrive to a previous point in time within the last 30 days. For more information, see Restore your OneDrive.

Step 6: Recover deleted email

In the rare case that the ransomware deleted all your email, you can probably recover the deleted items. For more information, see:

Step 7: Re-enable Exchange ActiveSync and OneDrive sync

After you've cleaned your computers and devices and recovered your data, you can re-enable Exchange ActiveSync and OneDrive sync that you previously disabled in Step 2.

Step 8 (Optional): Block OneDrive sync for specific file extensions

After you've recovered, you can prevent OneDrive for Business clients from synchronizing the file types that were affected by this ransomware. For more information, see Set-SPOTenantSyncClientRestriction.
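
A sketch of this step, added here and not taken from Microsoft's documentation: because `-ExcludedFileExtensions` replaces the tenant's list rather than appending to it, the script reads the current exclusions and merges the new extensions in before writing. It assumes the Microsoft.Online.SharePoint.PowerShell module with an existing `Connect-SPOService` session; the helper name `Merge-ExtensionList` and the extension values are constructed placeholders.

```powershell
# Added example. Assumes the Microsoft.Online.SharePoint.PowerShell module and
# an existing Connect-SPOService session to the tenant admin URL.

function Merge-ExtensionList {
    param([string[]]$Existing, [string[]]$ToBlock)
    # Normalise both lists: split on ';', trim, drop leading dots,
    # lower-case, and de-duplicate.
    @($Existing) + @($ToBlock) |
        Where-Object { $_ } |
        ForEach-Object { $_ -split ';' } |
        ForEach-Object { $_.Trim().TrimStart('.').ToLowerInvariant() } |
        Where-Object { $_ } |
        Sort-Object -Unique
}

# Constructed placeholders; use the extensions the ransomware left on your files.
$observed = '.ransomext1', 'RANSOMEXT2'

# Read what is already excluded so existing entries are preserved.
$current = (Get-SPOTenantSyncClientRestriction).ExcludedFileExtensions
$merged  = Merge-ExtensionList -Existing $current -ToBlock $observed

# The cmdlet takes one semicolon-separated string, without leading dots.
Set-SPOTenantSyncClientRestriction -ExcludedFileExtensions ($merged -join ';')

# Confirm the resulting tenant setting.
(Get-SPOTenantSyncClientRestriction).ExcludedFileExtensions
```

This restriction applies to the OneDrive sync client; it doesn't remove files with those extensions that are already stored in OneDrive.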

Report the attack

Contact law enforcement

You should contact your local or federal law enforcement agencies. For example, if you are in the United States you can contact the FBI local field office, IC3 or Secret Service.

Submit a report to your country's scam reporting website

Scam reporting websites provide information about how to prevent and avoid scams. They also provide mechanisms to report if you were the victim of a scam.

If your country isn't listed, ask your local or federal law enforcement agencies.

Submit email messages to Microsoft

You can report phishing messages that contain ransomware by using one of several methods. For more information, see Report messages and files to Microsoft.
