Recover from a ransomware attack in Microsoft 365
- Exchange Online Protection
- Microsoft Defender for Office 365 plan 1 and plan 2
- Microsoft 365 Defender
Even if you take every precaution to protect your organization, you can still fall victim to a ransomware attack. Ransomware is big business, and in today's threat landscape Microsoft 365 is an ever-increasing target for sophisticated attacks.
The steps in this article will give you the best chance to recover data and stop the internal spread of infection. Before you get started, consider the following items:
There's no guarantee that paying the ransom will return access to your files. In fact, paying the ransom can make you a target for more ransomware.
If you already paid, but you recovered without using the attacker's solution, contact your bank to see if they can block the transaction.
We also recommend that you report the ransomware attack to law enforcement, scam reporting websites, and Microsoft as described later in this article.
It's important for you to respond quickly to the attack and its consequences. The longer you wait, the less likely it is that you can recover the affected data.
Step 1: Verify your backups
If you have offline backups, you can probably restore the encrypted data after you've removed the ransomware payload (malware) from your environment and after you've verified that there's no unauthorized access in your Microsoft 365 environments.
If you don't have backups, or if your backups were also affected by the ransomware, you can skip this step.
Step 2: Disable Exchange ActiveSync and OneDrive sync
The key point here is to stop the spread of data encryption by the ransomware.
If you suspect email as a target of the ransomware encryption, temporarily disable user access to mailboxes. Exchange ActiveSync synchronizes data between devices and Exchange Online mailboxes.
To disable Exchange ActiveSync for a mailbox, see How to disable Exchange ActiveSync for users in Exchange Online.
To disable other types of access to a mailbox, see:
Pausing OneDrive sync will help protect your cloud data from being updated by potentially infected devices. For more information, see How to Pause and Resume sync in OneDrive.
Step 3: Remove the malware from the affected devices
Run a full, current antivirus scan on all suspected computers and devices to detect and remove the payload that's associated with the ransomware.
Don't forget to scan devices that are synchronizing data, or the targets of mapped network drives.
An alternative that will also help you remove ransomware or malware is the Malicious Software Removal Tool (MSRT).
If these options don't work, you can try Windows Defender Offline or Troubleshoot problems with detecting and removing malware.
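The scan described in this step, as an added PowerShell example that is not part of the Microsoft article: it updates Microsoft Defender Antivirus definitions, runs a full scan, and collects the recorded detections from the local device and from a list of remote devices (including the ones that sync data or map network drives). It assumes the built-in Defender PowerShell module is available and that PowerShell Remoting is enabled on the targets; the computer names, UNC path, and output path are constructed placeholders.

```powershell
# Added example: full Defender scan and detection collection across suspected devices.
# Assumptions: Defender module present on each device, PowerShell Remoting enabled,
# and the caller has local administrator rights on the targets.
$Targets     = @("WS-FIN-01", "WS-FIN-02")      # constructed device names
$MappedShare = "\\fs01\finance"                 # constructed target of a mapped drive
$ReportPath  = "C:\IR\defender-scan-results.csv"  # constructed output path

$ScanBlock = {
    # Pull the latest definitions before scanning so the current payload is recognized.
    Update-MpSignature

    # Full scan of the local device; this call blocks until the scan finishes.
    Start-MpScan -ScanType FullScan

    # Detections Defender recorded on this device, tagged with the device name.
    Get-MpThreatDetection |
        Select-Object @{ Name = 'Computer'; Expression = { $env:COMPUTERNAME } },
                      DomainUser, InitialDetectionTime, ThreatID, ActionSuccess, Resources
}

# Scan the device you are working from first, then the remote devices.
$results = @(& $ScanBlock)
$results += Invoke-Command -ComputerName $Targets -ScriptBlock $ScanBlock -ErrorAction Continue

# Mapped network drives: scan the share itself, not just the clients that map it.
Start-MpScan -ScanType CustomScan -ScanPath $MappedShare

# Keep the evidence for the incident record and review it at a glance.
$results | Export-Csv -Path $ReportPath -NoTypeInformation
$results | Format-Table Computer, InitialDetectionTime, ThreatID, ActionSuccess -AutoSize

# If a device still shows detections after cleanup, fall back to Windows Defender Offline
# on that device (Start-MpWDOScan reboots it into the offline scanner).
```

Any row with ActionSuccess equal to False, or any device that keeps producing new detections after the scan, should stay isolated and go to the Windows Defender Offline path the article mentions rather than back onto the network.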
Step 4: Recover files on a cleaned computer or device
After you've completed the previous step to remove the ransomware payload from your environment (which will prevent the ransomware from encrypting or removing your files), you can use File History in Windows 11, Windows 10, and Windows 8.1, or System Protection in Windows 7, to attempt to recover your local files and folders.
Some ransomware will also encrypt or delete the backup versions, so you can't use File History or System Protection to restore files. If that happens, you need to use backups on external drives or devices that weren't affected by the ransomware, or OneDrive as described in the next section.
If a folder is synchronized to OneDrive and you aren't using the latest version of Windows, there might be some limitations using File History.
Step 5: Recover your files in your OneDrive for Business
Files Restore in OneDrive for Business allows you to restore your entire OneDrive to a previous point in time within the last 30 days. For more information, see Restore your OneDrive.
Step 6: Recover deleted email
In the rare case that the ransomware deleted all your email, you can probably recover the deleted items. For more information, see:
Step 7: Re-enable Exchange ActiveSync and OneDrive sync
After you've cleaned your computers and devices and recovered your data, you can re-enable Exchange ActiveSync and OneDrive sync that you previously disabled in Step 2.
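Step 2 and Step 7 together, as an added PowerShell example that is not part of the Microsoft article: before disabling Exchange ActiveSync for the suspected mailboxes it records each mailbox's current client-access settings to a CSV, so that Step 7 restores exactly what was there rather than blindly turning everything on. It assumes the ExchangeOnlineManagement module is installed and that you have already run Connect-ExchangeOnline; the mailbox addresses and snapshot path are constructed placeholders.

```powershell
# Added example: snapshot, disable, and later restore Exchange ActiveSync per mailbox.
# Assumptions: ExchangeOnlineManagement module installed and Connect-ExchangeOnline already run.
$SnapshotPath       = "C:\IR\casmailbox-snapshot.csv"                       # constructed path
$SuspectedMailboxes = @("alice@contoso.example", "bob@contoso.example")     # constructed addresses

function Save-MailboxAccessSnapshot {
    # Record the current protocol settings so they can be restored verbatim in Step 7.
    param([string[]]$Identities, [string]$Path)
    $rows = foreach ($id in $Identities) {
        Get-CASMailbox -Identity $id |
            Select-Object PrimarySmtpAddress, ActiveSyncEnabled, OWAEnabled, EwsEnabled,
                          MAPIEnabled, PopEnabled, ImapEnabled
    }
    $rows | Export-Csv -Path $Path -NoTypeInformation
    return @($rows)
}

function Disable-MailboxActiveSync {
    # Step 2: stop infected devices from pushing encrypted items into the mailbox.
    param([string[]]$Identities)
    foreach ($id in $Identities) {
        Set-CASMailbox -Identity $id -ActiveSyncEnabled $false
        # Verify the change rather than trusting the call succeeded silently.
        $state = (Get-CASMailbox -Identity $id).ActiveSyncEnabled
        if ($state) { throw "ActiveSync is still enabled for $id" }
        Write-Host "ActiveSync disabled for $id"
    }
}

function Restore-MailboxActiveSync {
    # Step 7: put each mailbox back to the setting captured before the incident response.
    param([string]$Path)
    foreach ($row in Import-Csv -Path $Path) {
        $enabled = [bool]::Parse($row.ActiveSyncEnabled)
        Set-CASMailbox -Identity $row.PrimarySmtpAddress -ActiveSyncEnabled $enabled
        Write-Host "ActiveSync for $($row.PrimarySmtpAddress) restored to $enabled"
    }
}

# Step 2: snapshot first, and refuse to continue if any mailbox was not captured.
$snapshot = Save-MailboxAccessSnapshot -Identities $SuspectedMailboxes -Path $SnapshotPath
if ($snapshot.Count -ne $SuspectedMailboxes.Count) {
    throw "Snapshot incomplete ($($snapshot.Count) of $($SuspectedMailboxes.Count) mailboxes); not disabling anything"
}
Disable-MailboxActiveSync -Identities $SuspectedMailboxes

# Step 7, run only after devices are clean and data is recovered:
# Restore-MailboxActiveSync -Path $SnapshotPath
```

The snapshot also captures OWAEnabled, EwsEnabled, MAPIEnabled, PopEnabled and ImapEnabled; if you decide to disable those other access types as well (the article's "other types of access"), extend Disable-MailboxActiveSync and Restore-MailboxActiveSync with the matching Set-CASMailbox parameters so the restore stays faithful to the snapshot. Pausing OneDrive sync is done on each client rather than from the tenant, so it is not covered here.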
Step 8 (Optional): Block OneDrive sync for specific file extensions
After you've recovered, you can prevent OneDrive for Business clients from synchronizing the file types that were affected by this ransomware. For more information, see Set-SPOTenantSyncClientRestriction.
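The Set-SPOTenantSyncClientRestriction call for this step, as an added PowerShell example that is not part of the Microsoft article. The point it adds is that the ExcludedFileExtensions parameter sets the whole tenant-wide list, so the extensions the ransomware used are merged with whatever is already excluded instead of overwriting it. It assumes the Microsoft.Online.SharePoint.PowerShell module is installed; the admin URL and the extensions are constructed placeholders, and the read-back of the existing list is normalized because the cmdlet output is handled here as either a single delimited string or a collection.

```powershell
# Added example: add the ransomware's file extensions to the OneDrive sync exclusion list
# without discarding extensions that were already excluded.
# Assumption: Microsoft.Online.SharePoint.PowerShell module installed.
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"   # constructed admin URL

$RansomwareExtensions = @(".locked", "ENCRYPTED")   # constructed; mixed form on purpose

function Get-NormalizedExtensions {
    # Accept a string like "pdf;mp3" or a collection, return lowercase names without dots.
    param($Value)
    $joined = (@($Value) -join ';')
    $parts  = $joined -split ';'
    return @($parts | ForEach-Object { $_.Trim().TrimStart('.').ToLowerInvariant() } |
                      Where-Object { $_ -ne '' })
}

# Read what the tenant already excludes.
$current  = Get-SPOTenantSyncClientRestriction
$existing = Get-NormalizedExtensions -Value $current.ExcludedFileExtensions

# Merge, de-duplicate, and write the combined list back.
$merged = @($existing + (Get-NormalizedExtensions -Value $RansomwareExtensions) | Sort-Object -Unique)
Set-SPOTenantSyncClientRestriction -ExcludedFileExtensions ($merged -join ';')

# Verify the tenant now carries the merged list.
$after = Get-NormalizedExtensions -Value (Get-SPOTenantSyncClientRestriction).ExcludedFileExtensions
$missing = $merged | Where-Object { $after -notcontains $_ }
if ($missing) { throw "Extensions not applied: $($missing -join ', ')" }
Write-Host "Excluded from sync: $($after -join ', ')"
```

Because the exclusion is tenant-wide, confirm before running it that the listed extensions are not legitimate file types your users need to sync; the same cmdlet with the previous list restores the old setting if you need to back it out.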
Report the attack
Contact law enforcement
Submit a report to your country's scam reporting website
Scam reporting websites provide information about how to prevent and avoid scams. They also provide mechanisms to report if you were the victim of a scam.
Canada: Canadian Anti-Fraud Centre
Ireland: An Garda Síochána
New Zealand: Consumer Affairs Scams
Switzerland: Nationales Zentrum für Cybersicherheit NCSC
United Kingdom: Action Fraud
United States: On Guard Online
If your country isn't listed, ask your local or federal law enforcement agencies.
Submit email messages to Microsoft
You can report phishing messages that contain ransomware by using one of several methods. For more information, see Report messages and files to Microsoft.
Additional ransomware resources
Key information from Microsoft:
- The growing threat of ransomware, Microsoft On the Issues blog post on July 20, 2021
- Human-operated ransomware
- Rapidly protect against ransomware and extortion
- 2021 Microsoft Digital Defense Report (see pages 10-19)
- Ransomware: A pervasive and ongoing threat, a threat analytics report in the Microsoft 365 Defender portal
- Deploy ransomware protection for your Microsoft 365 tenant
- Maximize Ransomware Resiliency with Azure and Microsoft 365
- Malware and ransomware protection
- Protect your Windows PC from ransomware
- Handling ransomware in SharePoint Online
- Threat analytics reports for ransomware in the Microsoft 365 Defender portal
Microsoft 365 Defender:
- Azure Defenses for Ransomware Attack
- Maximize Ransomware Resiliency with Azure and Microsoft 365
- Backup and restore plan to protect against ransomware
- Help protect from ransomware with Microsoft Azure Backup (26 minute video)
- Recovering from systemic identity compromise
- Advanced multistage attack detection in Microsoft Sentinel
- Fusion Detection for Ransomware in Microsoft Sentinel
Microsoft Defender for Cloud Apps:
Microsoft Security team blog posts:
Key steps on how Microsoft's Detection and Response Team (DART) conducts ransomware incident investigations.
Recommendations and best practices.
See the Ransomware section.
Includes attack chain analyses of actual attacks.