SharePoint Online Ransomware Recovery

There have been several high-profile ransomware incidents in New Zealand recently. The impact can be very high and the recovery process can be a difficult road in some cases. There are many things that can be done to mitigate the risk of ransomware, but it is hard to be 100% safe. As well as the disruption to your business, there can also be privacy and reputational issues. This stuff can be nasty!

SharePoint Online and OneDrive for Business are not immune to ransomware. The same is true for Microsoft Teams and Office 365 Groups, both of which use SharePoint for document storage. A document library can be encrypted if a PC it is synced to is infected, and a ransomware attack targeting SharePoint directly could wreak havoc across your sites and libraries. Microsoft provides some guidance on recovering from ransomware.

The first sign is often files that no longer show the right icons in a library because their extensions have changed. In addition to ransomware you should also consider the risk of mass deletion, whether accidental or malicious. OneDrive can alert you when a large number of files is deleted in a short period. Retention policies are another layer of protection: a policy keeps a copy of every edited or deleted document for the retention period, so content can be recovered at the document level, whereas backups only capture the state of a site at a point in time.
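The bulk-change pattern described above (a single account touching hundreds of files in minutes) can be spotted from the Microsoft 365 unified audit log rather than waiting for a user to notice odd icons. The script below is an added example, not part of the original post; it assumes the ExchangeOnlineManagement module is installed, that the signed-in account holds an audit-reading role, and that the 60-minute window and 200-operation threshold are starting values you will tune for your tenant.

```powershell
# Added example: flag ransomware-style bursts of SharePoint/OneDrive file operations
# from the unified audit log. Window, threshold and operation list are assumptions.
Connect-ExchangeOnline   # interactive sign-in; works with MFA

$window    = 60      # minutes to look back
$threshold = 200     # operations by one user in the window that warrant a closer look
$ops       = 'FileModified', 'FileRenamed', 'FileDeleted', 'FileRecycled'

$end   = Get-Date
$start = $end.AddMinutes(-$window)

# One call returns at most 5000 records; for a busy tenant page with -SessionCommand.
$events = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
            -RecordType SharePointFileOperation -Operations $ops -ResultSize 5000

# AuditData is a JSON blob; pull out the fields that matter for triage.
$rows = foreach ($e in $events) {
    $d = $e.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        Time      = [datetime]$d.CreationTime
        User      = $d.UserId
        Operation = $d.Operation
        Site      = $d.SiteUrl
        Path      = $d.ObjectId
        ClientIP  = $d.ClientIP
    }
}

# Group per user; anyone over the threshold is listed with the sites they touched
# and the three most common file extensions they wrote.
$suspects = $rows | Group-Object User | Where-Object Count -ge $threshold | ForEach-Object {
    [pscustomobject]@{
        User       = $_.Name
        Operations = $_.Count
        Sites      = ($_.Group.Site | Sort-Object -Unique) -join '; '
        Extensions = ($_.Group.Path | ForEach-Object { [IO.Path]::GetExtension($_) } |
                      Group-Object | Sort-Object Count -Descending | Select-Object -First 3 |
                      ForEach-Object { "$($_.Name)=$($_.Count)" }) -join ', '
        FirstSeen  = ($_.Group.Time | Measure-Object -Minimum).Minimum
        LastSeen   = ($_.Group.Time | Measure-Object -Maximum).Maximum
    }
}

if ($suspects) {
    $suspects | Format-Table -AutoSize
    # One unfamiliar extension dominating the list (hundreds of '.locked', say) is a
    # strong ransomware signal; FirstSeen is the point in time to restore back to.
} else {
    "No user exceeded $threshold file operations in the last $window minutes."
}
```

Run it on a schedule, or on demand when a helpdesk ticket mentions strange file names. The FirstSeen timestamp it produces for the offending account is exactly what you need later for the Restore this library dialog or a support request, and the ClientIP field tells you which synced machine to pull off the network first.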

Microsoft provides some useful tools for recovery. In addition to the first- and second-stage recycle bins, you can roll back individual file versions, provided versioning was enabled on the library before the incident. The Restore this library option, accessed from the settings cog for a library, allows a Site Owner to restore an entire library to its state at any point in the previous 30 days. Note this option is not available in older classic sites.
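Where the Restore this library option is not available (classic sites) or you want selective control, the same recovery can be scripted against the recycle bin and version history. The script below is an added example and not from the original post. It assumes the PnP.PowerShell module, Site Owner rights, that versioning was already on for the library, and that the site URL, library name, incident time and the list of extensions the encrypted copies carry are placeholders you replace; the cmdlet names are those of PnP.PowerShell as I know them, so check them against your installed version before running.

```powershell
# Added example: roll a SharePoint Online library back to just before an incident.
# All values below are placeholders for your own tenant and incident.
$siteUrl = 'https://contoso.sharepoint.com/sites/finance'
$library = 'Documents'
$since   = Get-Date '2024-01-01 09:00'     # first suspicious activity, e.g. from the audit log
$badExt  = '.locked', '.encrypted'         # extensions the ransomware appended

Connect-PnPOnline -Url $siteUrl -Interactive

# 1) Put back anything deleted after the incident started, from both recycle-bin
#    stages, before touching version history.
Get-PnPRecycleBinItem |
    Where-Object { $_.DeletedDate -ge $since -and $_.DirName -like "$library*" } |
    ForEach-Object {
        Write-Host "Restoring deleted item $($_.DirName)/$($_.Title)"
        Restore-PnPRecycleBinItem -Identity $_ -Force
    }

# 2) For every file modified after $since, restore the newest version saved before it.
$items = Get-PnPListItem -List $library -PageSize 500 -Fields 'FileRef','FileLeafRef','Modified','FSObjType'
foreach ($item in $items) {
    if ($item['FSObjType'] -eq 1) { continue }                  # skip folders
    if ([datetime]$item['Modified'] -lt $since) { continue }    # untouched, leave it
    $url  = $item['FileRef']

    $good = Get-PnPFileVersion -Url $url |
            Where-Object { $_.Created -lt $since } |
            Sort-Object Created -Descending | Select-Object -First 1
    if (-not $good) {
        # No pre-incident version: either a genuinely new file or an encrypted copy
        # the malware uploaded. Flag it for a human rather than deleting blindly.
        Write-Warning "No pre-incident version for $url; check the recycle bin or a backup"
        continue
    }

    Write-Host "Rolling $url back to version $($good.VersionLabel) from $($good.Created)"
    Restore-PnPFileVersion -Url $url -Identity $good.Id -Force

    # Ransomware that renames in place (report.docx -> report.docx.locked) leaves the
    # history intact under the new name, so strip the bogus extension afterwards.
    $name = $item['FileLeafRef']
    $ext  = [IO.Path]::GetExtension($name)
    if ($badExt -contains $ext) {
        Rename-PnPFile -ServerRelativeUrl $url -TargetFileName $name.Substring(0, $name.Length - $ext.Length) -Force
    }
}
```

Test this against a copy of a small library first, and only after the infected machines are off the network; otherwise the sync client will happily push the encrypted copies straight back. Restoring a version creates a new version rather than destroying the encrypted one, so if the time you chose for $since turns out to be wrong you can still move forward again.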

Restore Library options

Microsoft support can also help recover files. Log a support request from the Microsoft 365 admin center with the URL of the site you want recovered and the date to restore to. Note that these backups are kept for 14 days only, and the restore is of the whole site collection rather than individual files, so it overwrites anything changed since the restore point.

If your organisation has a third-party backup solution for Office 365, then you may be able to restore from further back in time. Many of these backup solutions let you store backups in a different cloud location, such as AWS or another cloud provider, which also keeps them out of reach of an attacker who has compromised your tenant.

The best option is to protect your system so that you never have to recover. Make sure you are following good practice:

  • Keep your PCs and servers patched.
  • Only use operating systems that are in support.
  • Use modern antivirus software and ensure it is up to date.
  • Use email scanning software.
  • Use modern firewall hardware.
  • Segment your network.
  • Have a good backup solution with immutable backups (tamper proof).
  • Use a least privilege approach to permission management.
  • Use MFA.
  • Educate everyone on the dangers and preventative measures.

Remember: if you are using SharePoint and have one large library synced to multiple PCs, then you have multiple potential points of entry for ransomware. If you are a victim, remove the infected machines from the network (and stop the sync client on them) before starting a restore, otherwise the restored files will simply be encrypted and synced back up again. You don’t want to get reinfected!

One last piece of advice. Have a recovery plan. Run through the potential recovery scenarios that might exist for your environment. What does recovery look like? What would we do if it happened to us?
