Handling Ransomware in Sharepoint Online

What is Ransomware or a Crypto Virus?

Ransomware is malware that blocks access to files or other resources and demands a ransom before its creator will release the lock it has imposed. Once the ransom is paid, the creator of the ransomware will presumably provide whatever is needed to regain access.

For more information on Ransomware please visit https://www.microsoft.com/security/portal/mmpc/shared/ransomware.aspx

How does it work with SharePoint Online or OneDrive for Business?

The ransomware is an executable of some sort that is run locally on a user's computer. The ransomware we have seen affect SharePoint Online or OneDrive for Business manipulates individual files on the user's local machine via a OneDrive for Business sync connection or a drive mapped into a SharePoint Online library. Once this occurs, the infected files are synchronized to the online environment by the sync client or, as mentioned, via various WebDAV methods. We have seen various manipulations of the files, including public/private key encryption, appending an unknown extension to the filename, and deleting existing files. In addition, a large number of new files are typically added to each directory with instructions on how to pay the ransom.

How do I confirm the items of a library are being held for ransom?

Here are some of the signs that a SharePoint Online library has been hit by ransomware:

  • The majority of the files within the library share the same Modified timestamp.
  • Files fail to open, with a message stating that they are possibly corrupt.
  • Each directory within the library contains several files named HELP_DECRYPT, HELP_Recover or some random names. These files can be opened and contain instructions for paying the ransom.
  • Files have been renamed or have an extension appended to the end of the filename.

How are we able to help?

Unfortunately, we typically would not be able to block the affected items from being uploaded to SharePoint Online, as we have no knowledge of the encryption keys or mechanism used to impose the lock, and we allow encrypted files on SharePoint Online. That being said, don't PANIC! Immediately stop OneDrive for Business sync or disconnect the mapped drive to the SharePoint library, and have your Company Administrator or end user attempt a OneDrive Files Restore (noted below).

Note: Do not perform any actions like renaming or deleting the files.

Update! - Please note that OneDrive for Business (ODB) Files Restore has been released, and version/change rollbacks can be done by the end user: https://techcommunity.microsoft.com/t5/OneDrive-Blog/Announcing-New-OneDrive-for-Business-feature-Files-Restore/ba-p/147436

If for any reason the ODB Files Restore does not fix the issue, please have the administrator include the following details when submitting the help ticket.

  1. What is the site collection URL (or URLs) affected by ransomware?
  2. When was the last known time that these files were in a healthy state?
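The signs listed above (one shared Modified timestamp across most of the library, HELP_DECRYPT / HELP_Recover notes in each folder, extensions appended to filenames) and the "last known healthy time" the ticket asks for can both be read off a plain file listing. The script below is an added example, not code from the original post or from Microsoft; it assumes a listing of (path, ISO-8601 Modified) pairs such as an administrator could export from a library view, and the rows in SAMPLE_LIBRARY are constructed for illustration. It groups files into modification bursts, counts the indicators, and reports the suspected onset and the latest modification before it as the last known healthy time.

```python
"""Triage a SharePoint Online / OneDrive for Business library listing for
ransomware indicators and estimate the last known healthy time.

Added example, not part of the original post. The listing format
(path, ISO-8601 Modified timestamp) and the sample rows are assumptions.
"""
from datetime import datetime, timedelta
from pathlib import PurePosixPath

# Constructed sample listing: (server-relative path, Modified timestamp).
# A burst of files touched within seconds of each other on 2016-09-27 plays the
# role of a synced, encrypted folder tree; two older files were left alone.
SAMPLE_LIBRARY = [
    ("Finance/Budget2016.xlsx.zzz", "2016-09-27T14:02:11"),
    ("Finance/Q3Report.docx.zzz", "2016-09-27T14:02:12"),
    ("Finance/HELP_DECRYPT.txt", "2016-09-27T14:02:13"),
    ("Finance/HELP_DECRYPT.html", "2016-09-27T14:02:13"),
    ("HR/Policies.pdf.zzz", "2016-09-27T14:02:15"),
    ("HR/HELP_Recover.txt", "2016-09-27T14:02:16"),
    ("HR/Onboarding.pptx", "2016-09-20T09:15:00"),  # untouched older file
    ("Shared/Readme.txt", "2016-09-26T17:40:05"),   # last legitimate edit
]

RANSOM_NOTE_PREFIXES = ("help_decrypt", "help_recover")  # note names quoted in the post
# Assumption: the document types this tenant normally stores.
KNOWN_EXTENSIONS = {"docx", "xlsx", "pptx", "pdf", "txt", "html", "jpg", "png"}


def is_ransom_note(path):
    """True when the file name starts with one of the ransom-note names."""
    return PurePosixPath(path).name.lower().startswith(RANSOM_NOTE_PREFIXES)


def has_appended_extension(path):
    """True when a known extension is followed by an unknown one (Report.docx.zzz)."""
    parts = PurePosixPath(path).name.lower().split(".")
    return len(parts) >= 3 and parts[-2] in KNOWN_EXTENSIONS and parts[-1] not in KNOWN_EXTENSIONS


def modification_bursts(items, window=timedelta(minutes=10)):
    """Group files whose Modified times lie within `window` of the previous file.

    A sync client pushing a whole encrypted tree yields one large burst;
    everyday collaboration yields many small ones.
    """
    ordered = sorted(items, key=lambda it: it[1])
    bursts, current = [], []
    for name, ts in ordered:
        if current and ts - current[-1][1] > window:
            bursts.append(current)
            current = []
        current.append((name, ts))
    if current:
        bursts.append(current)
    return bursts


def triage_library(listing, window=timedelta(minutes=10), majority=0.5):
    """Score a listing against the post's indicators and date the incident."""
    items = [(name, datetime.fromisoformat(ts)) for name, ts in listing]
    bursts = modification_bursts(items, window)
    largest = max(bursts, key=len)
    burst_fraction = len(largest) / len(items)
    notes = [n for n, _ in items if is_ransom_note(n)]
    appended = [n for n, _ in items if has_appended_extension(n)]
    # Onset is the first write of the dominant burst; the last known healthy
    # state is the most recent modification strictly before that burst.
    onset = largest[0][1]
    earlier = [ts for _, ts in items if ts < onset]
    last_healthy = max(earlier) if earlier else None
    suspected = burst_fraction >= majority and bool(notes or appended)
    return {
        "files": len(items),
        "burst_fraction": burst_fraction,
        "ransom_notes": sorted(notes),
        "appended_extension": sorted(appended),
        "suspected_ransomware": suspected,
        "suspected_onset": onset.isoformat() if suspected else None,
        "last_known_healthy": last_healthy.isoformat() if suspected and last_healthy else None,
    }


if __name__ == "__main__":
    for key, value in triage_library(SAMPLE_LIBRARY).items():
        print(f"{key}: {value}")
```

The burst window and majority threshold are tunable; a library under heavy legitimate editing will need a tighter window so a bulk upload by a real user is not mistaken for encryption. The "last_known_healthy" value is the timestamp to quote in the support ticket and the point to restore to with Files Restore or library versioning.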

Comments

  • Anonymous
    September 28, 2016
    The comment has been removed
    • Anonymous
      September 28, 2016
      Thanks for the suggestion, Susan! A great way to quickly block the client. Please consider the fact that the Next Gen Sync Client will be "OneDrive.exe", so you will want a rule for that as well.
  • Anonymous
    February 23, 2017
    If you have versioning activated on your SharePoint library, you might be able to revert back to an earlier version. I guess no malware has been able to encrypt all versions yet?
    • Anonymous
      February 24, 2017
      That's correct. Remember that most of these viruses are not specifically targeting SharePoint Online or OneDrive sites, so we are able to roll back versioning or many other events that occurred.
  • Anonymous
    March 23, 2018
    The comment has been removed
    • Anonymous
      March 23, 2018
      Hey Mike, I apologize that you have been having this experience and want to get this handled for you. Do you have a case number you could provide me or a way I can contact you? Please private message me any details. Regards, Sam
      • Anonymous
        March 23, 2018
        Sam, forgive my ignorance, but I'm not sure how to direct message you through the blog, and I didn't see your contact info posted. You can email me at mike a-t mikecrowley.us
        • Anonymous
          March 23, 2018
          Sorry for the confusion, Mike. I'll be reaching out to you shortly.
          • Anonymous
            December 03, 2018
            Hi Sam, I know I am a bit late to this party, but is there any way you can give me assistance on a recovery of my own org's site?
            • Anonymous
              December 03, 2018
              No problem! If you haven't already, can you open a support ticket from the admin portal? Once this is opened, please provide the number and we will work with you to get this issue resolved.
      • Anonymous
        December 18, 2018
        We are having the same issue. Our whole organization is out of commission because we cannot open files and still waiting for MS to restore files. Here is our ticket #12486162. Help!
        • Anonymous
          December 20, 2018
          I'll contact you ASAP and we will get this resolved!
  • Anonymous
    March 23, 2018
    Sam, thanks for reaching out so quickly and assisting with the site restore. The site is good to go! Looking forward to self-service enhancements in the future.