Posey's Tips & Tricks
How To Restore OneDrive Data After a Ransomware Attack
Thanks to a new feature in Microsoft's commercial cloud storage service, businesses don't have to choose between paying a hefty ransom or kissing their files goodbye.
Although numerous sources indicate that incidents of ransomware have sharply declined since the beginning of the year, ransomware still exists and remains a credible threat against both personal and business data.
Recently, Microsoft has begun positioning OneDrive for Business as a tool for recovering from a ransomware infection. Let's take a look at how this works.
Even before Microsoft made a concerted effort to use OneDrive for Business as a ransomware-recovery mechanism, OneDrive for Business offered a degree of protection thanks to its versioning capabilities.
To see how versioning works, log in to the OneDrive for Business Web portal, and click on one of your files. If multiple versions of the file exist, you will see a Version History icon displayed at the top of the screen. The pane on the right side of the screen will also contain a message (in the Recent Activity section) indicating that you can find earlier changes in Version History. You can see what this looks like in Figure 1.
[Click on image for larger view.] Figure 1: OneDrive for Business maintains version history for files.
Clicking on the Version History icon displays all existing versions of the file, as shown in Figure 2. Therefore, if a file becomes encrypted by ransomware, it should theoretically be possible to undo the damage by reverting to an earlier version of the file.
[Click on image for larger view.] Figure 2: This is what Version History looks like.
The problem with using Version History as a tool for recovering from a ransomware attack is that reverting to previous file versions is a tedious, manual process. Rolling back a few files to an earlier version is no big deal, but imagine what would happen if a ransomware infection encrypted 50,000 individual files. I'm guessing that manually rolling back 50,000 files one at a time is probably going to be far too time-consuming to be practical.
So what about Microsoft's new ransomware prevention strategy? As you have probably guessed, Microsoft has done some work to make the recovery process far more practical.
The first thing that you need to know about using OneDrive for ransomware mitigation is that Microsoft has recently made this capability available to lower-end Office 365 subscriptions, including Office 365 Home and Office 365 Personal.
The second thing that you need to know is that in order to get the most out of this protection, you need to be running Windows Defender.
Windows Defender is the Windows operating system's malware prevention tool. If Windows Defender detects a ransomware infection, it will alert you to the problem, then give you the option of using OneDrive's file restore feature to undo the damage.
The cool thing about this is that Windows Defender tells OneDrive when the infection was detected so that OneDrive knows to restore data from an appropriate point in time.
According to Microsoft, this capability will be available to those who have an Office 365 Home or Office 365 Personal subscription, and will also be available to anyone who uses OneDrive for Business (which includes Office 365 Enterprise subscribers and other business-oriented Office 365 subscriptions). Windows Defender integration requires the April 2018 update for Windows 10 to be installed.
At the time of this writing, Microsoft has not yet rolled out restoration capabilities to my OneDrive for Business account. Presently, I am able to open the OneDrive for Business Web interface within Office 365, click on Settings, and see an option to restore my OneDrive, as shown in Figure 3. Currently, however, clicking on this option does not do anything.
[Click on image for larger view.] Figure 3: For right now, the option to restore OneDrive is found on the OneDrive for Business Settings menu.
In spite of my OneDrive for Business account not yet being fully provisioned, Microsoft has provided a couple of screen captures that show us what to expect. This Microsoft blog post includes a screen capture of OneDrive detecting a ransomware infection and providing instructions to click the message to restore files from OneDrive.
A second screen capture in the blog post shows that a restore point has been automatically selected within OneDrive, and that data can be reverted to its unencrypted state by clicking the Restore button.
I think the thing that I find most exciting about this new capability is that it offers a way for casual users to get their data back without paying a ransom. I have plenty of friends and family who have suffered data loss due to a ransomware attack. OneDrive may be able to keep that from happening in the future.
About the Author
Brien Posey is a 22-time Microsoft MVP with decades of IT experience. As a freelance writer, Posey has written thousands of articles and contributed to several dozen books on a wide variety of IT topics. Prior to going freelance, Posey was a CIO for a national chain of hospitals and health care facilities. He has also served as a network administrator for some of the country's largest insurance companies and for the Department of Defense at Fort Knox. In addition to his continued work in IT, Posey has spent the last several years actively training as a commercial scientist-astronaut candidate in preparation to fly on a mission to study polar mesospheric clouds from space. You can follow his spaceflight training on his Web site.