SharePoint Online Ransomware Recovery

There have been several high profile ransomware incidents in New Zealand recently. The impact can be very high and the recovery process can be a difficult road in some cases. There are many things that can be done to mitigate the risk of ransomware but it is hard to be 100% safe. As well as the disruption to your business, there can also be privacy and reputational issues. This stuff can be nasty!

SharePoint Online and OneDrive for Business are not immune to ransomware. The same is true for Microsoft Teams and Office 365 Groups, both of whom use SharePoint for document storage. A document library could be encrypted if the PC it is sync’d to is infected or a ransomware attack targeting SharePoint could wreak havoc across your sites and libraries. Microsoft provides some guidance on recovering from ransonware.

You may notice an issue when files don’t show the right icons in a library. This will probably be followed by the sinking feeling that something ain’t right. You can’t open the documents and their will most likely be a text file demanding bitcoins!

In addition to ransomware you should also consider mass risks. OneDrive can help alert you if there is a bulk content delete. You can also use retention policies to help protect your content. Retention policies prevent deletion at document level which can be an advantage over backups that occur at points in time. Mass recovery from the retention preseveration hold library however can be tricky and isn’t very efficent.

Microsoft provides some useful tools for recovery. In addition to the first and second level recyclebins, you can also roll back file versions. The Restore Library option accessed from the settings cog for a library, allows a Site Owner to restore an entire library. Note this option is not available in older classic sites.

Restore Library options

Microsoft support can also help recovery files. Logging a support request from the Tenant Admin portal with the site URL you want to recover and the restore date. Note these backups are kept for 14 days only.

If your organisation has a third-party backup solution for Office 365, then you may be able to restore from further back in time. Many of these backup solutions allow you to store backups in a different cloud location, AWS or other cloud providers. These solutions give extra protection and can reduce the skill required to recover. There is a good discussion on whether or not you need an Office 365 backup over on Practical365.

The best option is to protect your system to avoid having to recovery. Make sure you are following good practice:

  • Keep your PC’s and servers patched.
  • Only use operating systems that are in support.
  • Use modern antivirus software and ensure it is up to date.
  • Use email scanning software.
  • Use modern firewall hardware.
  • Segment your network.
  • Have a good backup solution with immutable backups (tamper proof).
  • Use a least privilage approach to permission management.
  • Use Multi-factor Authentication (MFA).
  • Educate everyone on the dangers and preventative measures.

Remember: If you are using SharePoint and have one large library sync’d to multiple PC’s then you have multiple potential points of access for ransomware. If you are a victim, remove the infected machines from the environment before starting a restore. You don’t want to get reinfected! Check the item version history to see who uploaded in the infected version.

You can learn more about Ransomware and report incidents in New Zealand via the CERT website.

One last piece of advice. Have a recovery plan. Run through the potential recovery scenarios that might exist for your environment. What does recovery look like? What would we do if it happened to us? How will you recover content outside of SharePoint?

One thought on “SharePoint Online Ransomware Recovery

  1. Great Post, Always great idea to get backup, as mentioned, you can only go back 14 days per site collection and OneDrive library rollback up to 31… if something happens and it is not caught in time, you are out of luck…

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s