Handling ransomware in SharePoint Online

Summary

Ransomware is malware that blocks access to various items on your computer and demands a ransom from you in order for the creator to release the lock they imposed. Once the ransom is paid, the creator of the ransomware presumably provides the information needed to regain access.

More information

How does it work with SharePoint Online or OneDrive?

Ransomware is an executable that is run locally on a user's computer. The ransomware reviewed by Microsoft that affects SharePoint Online or OneDrive manipulates individual files on the user's local machine by way of a OneDrive connection or a mapped drive into a SharePoint library.

Once the ransomware is in place, the infected files are synchronized to the online environment by the sync client tool or by various WebDAV methods. Manipulations of the files include, but aren't limited to:

  • Public or private key encryption.
  • Appending an unknown extension to the filename.
  • Deleting existing files.

In addition, many new files are added to each directory that display instructions regarding whom to pay the ransom.

How do I confirm the items of a library are actually being held for ransom?

Signs that a SharePoint library has been infected by ransomware include:

  • The majority of the files within the library have the same Modified By timestamp.
  • Files fail to open with a message stating that they're possibly corrupt.
  • Each directory within the library contains several files named HELP_DECRYPT, HELP_Recover, or similar random names. The files can be opened and contain instructions for paying the ransom.
  • Files are renamed or have an extension appended to the end.
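
As an added example (not Microsoft's code), the signs above can be checked over an exported file listing of the library; the result also estimates the last clean modification time that Microsoft Support asks for further down this page. The listing format, the `triage` function, its thresholds and the `.locked` extension are assumptions made for illustration, and the sample data is constructed.

```python
from collections import Counter
from datetime import datetime, timedelta
from pathlib import PurePosixPath

# Note-file prefixes named on the page; real names vary, so extend as needed.
NOTE_PREFIXES = ("help_decrypt", "help_recover")

def triage(listing, window=timedelta(minutes=10), threshold=0.5):
    """listing: iterable of (path, ISO-8601 modified time). Assumed export format."""
    items = [(PurePosixPath(p), datetime.fromisoformat(t)) for p, t in listing]
    notes = {p for p, _ in items if p.name.lower().startswith(NOTE_PREFIXES)}
    data = [(p, t) for p, t in items if p not in notes]

    # Sign: the majority of files were modified at (nearly) the same time.
    times = sorted(t for _, t in data)
    burst_start, burst_count = None, 0
    for i, start in enumerate(times):
        count = sum(1 for t in times[i:] if t - start <= window)
        if count > burst_count:
            burst_start, burst_count = start, count
    burst = bool(times) and burst_count / len(times) >= threshold

    # Sign: one extension appended after the real one (e.g. a.docx.xyz).
    appended = Counter(p.suffix.lower() for p, _ in data if len(p.suffixes) >= 2)
    ext, ext_count = appended.most_common(1)[0] if appended else (None, 0)
    dominant = bool(data) and ext_count / len(data) >= threshold

    # Estimate of the last modification made before the burst began.
    earlier = [t for t in times if burst and t < burst_start]
    return {
        "ransom_notes": sorted(str(p) for p in notes),
        "burst": burst,
        "burst_start": burst_start if burst else None,
        "last_clean_modification": max(earlier) if earlier else None,
        "appended_extension": ext if dominant else None,
    }

# Constructed sample listing; ".locked" is a made-up extension.
LIB = "/sites/finance/Shared Documents"
SAMPLE = [
    (f"{LIB}/budget.xlsx.locked", "2024-03-05T02:14:07"),
    (f"{LIB}/forecast.docx.locked", "2024-03-05T02:14:09"),
    (f"{LIB}/Q1/invoice.pdf.locked", "2024-03-05T02:14:15"),
    (f"{LIB}/Q1/notes.docx.locked", "2024-03-05T02:15:01"),
    (f"{LIB}/Q1/HELP_DECRYPT.txt", "2024-03-05T02:14:16"),
    (f"{LIB}/HELP_DECRYPT.html", "2024-03-05T02:14:16"),
    (f"{LIB}/archive/2019-plan.docx", "2024-02-20T16:40:00"),
    (f"{LIB}/archive/old.xlsx", "2024-03-04T17:32:10"),
]
```

Calling `triage(SAMPLE)` reports both note files, the `.locked` extension, and a burst starting at 02:14:07 with the last earlier modification on the previous day. The burst start is an estimate: a legitimate edit made within the window just before encryption began would be counted as part of the burst.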

How is Microsoft able to help?

If you're affected, try the following methods:

Note

SharePoint Online retains backups of all content for 14 additional days beyond actual deletion. If content cannot be restored, an administrator can contact Microsoft Support to request a restore any time inside the 14-day window. Be sure to note the following details:

  • Which site collection URL(s) have been affected by ransomware?
  • When was the last known time the files were not modified by the ransomware?

Need more help?

For more information on ransomware, see the support article on Ransomware.

Still need help? Go to SharePoint Community.