Being a cloud platform, Office 365 is more prone to ransomware attacks, which can directly affect critical information. Even if you take adequate measures to protect the data, you can still end up being a victim of a ransomware attack. Thus, it is crucial to take preventive measures to ensure that your Office 365 data is protected from all types of ransomware attacks.
But what if you become a victim of ransomware? How can you recover your data without losing anything?
In this informative article, we will walk you through the step-by-step process of recovering your data after a ransomware attack. We will also provide the best practices to stop the internal spread of infection.
What is a ransomware attack?
Ransomware uses malware to encrypt systems and data and demands a ransom to decrypt the data. Cybercriminals get hold of your data while making it inaccessible to you. In general, attackers ask for payment in cryptocurrency as it cannot be tracked and traced. The ransom demand can be small or huge depending upon the type of data.
It’s not beneficial to pay the ransom, as there is no guarantee that the attackers will decrypt your data after receiving it. Therefore, you should take appropriate security measures to protect your data from ransomware attacks.
How does Microsoft handle ransomware attacks?
When planning security for Microsoft 365 data against ransomware attacks, you have to follow cybersecurity protocols, train your employees against spoofing, phishing, and other cyberattacks, and take regular Microsoft 365 data backups to lower the risks of data loss and business downtime that occur in such circumstances. Before you learn how to recover files from a ransomware attack, let us look at the data protection components Microsoft provides against cyber threats:
- Data loss prevention: Data loss prevention, or DLP in Microsoft 365, helps you prevent the sharing, uploading, forwarding, or accessing of sensitive information while eliminating the risks of ransomware attacks.
- Restore file from Recycle Bin: Whenever a file is deleted from SharePoint or OneDrive, it stays in the Deleted Items folder or Recycle Bin until the retention period is over. However, you can also adjust the data retention policies of Microsoft 365 to extend the period for retaining the data before it is permanently deleted.
- Exchange Online Protection: EOP helps in protecting Microsoft 365 mailbox by filtering spam and phishing emails. This feature is enabled in all accounts by default for offering anti-spam, anti-phishing, and anti-malware protection. Exchange Online Protection ensures each email is scanned and marked as spam, extreme spam, phishing, high confidence phishing, bulk, or spoofing.
- Version control: Office 365 applications like SharePoint and OneDrive allow over 500 versions of a file with which one can restore a file to its previous version after a ransomware attack.
How to recover data from a ransomware attack?
There are multiple ways to defend your data from ransomware attacks. Below, we have listed every tested step that can help you recover files after a ransomware attack.
- Restore data from backup
The best method to recover data from a ransomware attack is to restore the files from backups. If the backups are also under the ransomware attack, this step is not helpful.
- Disable Exchange ActiveSync and OneDrive Sync
If you suspect that you’re under a ransomware attack, it’s time to take some action. First of all, disable user mailboxes and ensure that the ransomware doesn’t spread. If you’re connected to Exchange, it’s crucial to disable Exchange ActiveSync for mailboxes. Exchange ActiveSync synchronizes data between systems and online mailboxes, which makes the entire data inaccessible under a ransomware attack.
Apart from Exchange ActiveSync, you also need to disable OneDrive Sync in Office 365 if you’re uploading data to it on a regular basis. Stopping OneDrive sync will allow you to protect your cloud data from being updated by potentially infected devices.
- Recover files on a cleaned computer
Once you remove the malware from your system, you can recover your local files and folders with File History. However, it is crucial to keep in mind a few things, such as:
- Some ransomware also encrypts the backup versions, which doesn’t allow you to use File History or System Protection to restore files. In this case, you need to back up your data from external devices or drives that are not affected by ransomware.
- If the system folders are synchronized to OneDrive, and you don’t use the latest version of Windows, you cannot use File History to its full potential.
Recovering files on a clean computer will save them from any malware or ransomware attack, and you’ll be able to use them without paying any ransom.
- Restore data from OneDrive for Business
OneDrive for Business saves the version histories of files. To restore data from OneDrive, you need to access OneDrive for Business from a system that is not under a ransomware attack.
- Open OneDrive for Business from a different system.
- If you’re signed in with a personal account, click Settings at the top of the page and then click Options.
- From here, click Restore your OneDrive from the left navigation.
- On the Restore page, select the specific timeline from the drop-down list.
- Now, utilize the activity chart or activity feed to view the recent activities that you want to undo.
- Once you choose the particular timeline or the activity that you want to restore, click the Restore button.
Doing so will undo all the actions and activities you have selected. Version history in OneDrive for Business works well for Office 365 documents like Word, Excel, and PowerPoint files.
- Remove the malware from affected devices
To remove malware from the system, use an antivirus to scan all the systems and computers to identify and eliminate the ransomware’s payload. Make sure you check the devices that are synchronizing data. To check your devices, you can use Windows Defender or Microsoft Security Essentials with your Microsoft 365 subscription.
- Recover deleted emails
If the ransomware deleted all your emails linked to the Office 365 account, you can quickly recover the deleted items from Exchange Management Shell. To recover deleted messages in a user’s mailbox, follow the steps below:
- Go to Exchange Management Shell and navigate to Recipients >> Mailboxes.
- Now, select the mailbox that you want to recover and click on the display name.
- Under More Actions, click Recover Deleted items and provide the values for each or either of the filter criteria from the drop-down lists.
After making the changes, click Apply Filter. This will help you recover recently deleted emails. You can also use Exchange PowerShell to restore the deleted items with the below steps:
- Connect to Exchange Online PowerShell.
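- In PowerShell, run the following command to search for messages, replacing each placeholder in angle brackets with your own value.
Get-RecoverableItems -Identity <mailbox> -SubjectContains "<subject text>" -FilterItemType <item type> -FilterStartTime "<start date/time>" -FilterEndTime "<end date/time>"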
Running the above command will return all the available recoverable deleted messages with the specified subject in your mailbox for the specified timeline.
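An added example (not part of the original article) that carries the search above through to a restore with Get-RecoverableItems and Restore-RecoverableItems. The mailbox address, the time window and the CSV path are placeholders, and an existing Exchange Online PowerShell session is assumed.

```powershell
# Added example: all values below are placeholders, not taken from the article.
# Assumes you are already connected to Exchange Online PowerShell.
$Mailbox     = 'user@example.com'             # placeholder mailbox
$AttackStart = Get-Date '2024-01-10 08:00'    # constructed incident window
$AttackEnd   = Get-Date '2024-01-10 18:00'
$ReportPath  = '.\recoverable-items.csv'      # placeholder output file

# 1. Read-only search: mail items deleted inside the incident window.
$items = Get-RecoverableItems -Identity $Mailbox `
    -FilterItemType 'IPM.Note' `
    -FilterStartTime $AttackStart `
    -FilterEndTime $AttackEnd `
    -ResultSize Unlimited

if (-not $items) {
    Write-Host "No recoverable mail items found for $Mailbox in the window."
    return
}

# 2. Keep a record of what was found before changing anything,
#    so the restore can be reviewed and attached to the incident notes.
$items |
    Select-Object Subject, LastModifiedTime, SourceFolder |
    Export-Csv -Path $ReportPath -NoTypeInformation
Write-Host "$(@($items).Count) item(s) listed in $ReportPath"

# 3. Restore the same set of items. The filters are repeated so that
#    only what was reviewed in step 1 is restored.
Restore-RecoverableItems -Identity $Mailbox `
    -FilterItemType 'IPM.Note' `
    -FilterStartTime $AttackStart `
    -FilterEndTime $AttackEnd `
    -ResultSize Unlimited
```

Run this from a device that has already been cleaned, and narrow the window with -SubjectContains if only specific messages are needed.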
- Restore data with compliance and retention policies
Microsoft follows some standard compliance and retention policies for Microsoft Office 365 E3 and higher subscription plans, which mid-level enterprises generally use. The primary advantage of retention policies is that they help you keep a copy of your files whenever you upload a new document to your account. This way, you can recover your lost data quickly, even if the original file is under a ransomware attack.
However, there is a limitation to the retention policy; the data backup depends on the storage quota of the subscription plan. If the given quota is full, you need to purchase extra storage, which becomes a little expensive after a certain period. Also, restoring the data files from the compliance center is very time-consuming; you need to make search queries to find and export the correct files for recovery.
- Re-enable Exchange ActiveSync and OneDrive Sync
After cleaning your computer and devices and recovering the data from a backup or other approaches, you can re-enable Exchange ActiveSync and OneDrive sync, which you disabled initially. Re-enabling Exchange ActiveSync and OneDrive sync is crucial to perform your tasks in Office 365. The data will not be synced regularly if you don’t enable the OneDrive sync.
The above methods are pretty handy if you have maintained a backup for your Office 365 account. If there is no backup available in your Office 365, it’ll not be easy to restore your data manually. The only possible way to protect Office 365 mailbox from ransomware attacks and to restore your Office 365 data is to use an automated solution to quickly retain all the deleted files and folders from Office 365 under a ransomware attack.
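For the Exchange ActiveSync steps above (disable during the incident, re-enable after cleanup), an added example that is not part of the original article. It records each mailbox's ActiveSync state before disabling it, so that re-enabling later only touches mailboxes that had it on. The function names, user list and state file are hypothetical, an Exchange Online PowerShell session is assumed, and OneDrive sync is not covered.

```powershell
# Added example: function names, users and file path are hypothetical.
# Assumes you are already connected to Exchange Online PowerShell.
$Users     = @('user1@example.com', 'user2@example.com')  # placeholder mailboxes
$StateFile = '.\activesync-state.csv'                     # placeholder path

function Disable-ActiveSyncForIncident {
    param([string[]]$Users, [string]$StateFile)

    # Snapshot the current setting first so it can be put back exactly.
    $snapshot = foreach ($u in $Users) {
        [pscustomobject]@{
            Identity          = $u
            ActiveSyncEnabled = (Get-CASMailbox -Identity $u).ActiveSyncEnabled
        }
    }
    $snapshot | Export-Csv -Path $StateFile -NoTypeInformation

    # Turn ActiveSync off only where it is currently on.
    foreach ($row in $snapshot) {
        if ($row.ActiveSyncEnabled) {
            Set-CASMailbox -Identity $row.Identity -ActiveSyncEnabled $false
        }
    }
}

function Restore-ActiveSyncAfterIncident {
    param([string]$StateFile)

    # Import-Csv returns strings, so compare against the text 'True'.
    Import-Csv -Path $StateFile |
        Where-Object { $_.ActiveSyncEnabled -eq 'True' } |
        ForEach-Object {
            Set-CASMailbox -Identity $_.Identity -ActiveSyncEnabled $true
        }
}

# During the incident:
Disable-ActiveSyncForIncident -Users $Users -StateFile $StateFile

# After devices are cleaned and data is recovered:
# Restore-ActiveSyncAfterIncident -StateFile $StateFile
```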
Steps to follow during a ransomware attack on Microsoft 365 account
In case of a ransomware attack, you need to follow a proactive approach that involves proper planning, strategizing, and execution for a smooth recovery. Here are the steps that you can follow:
- Isolation from the infected environment
The first and foremost step to protect your Microsoft 365 data is to isolate the infected system when a ransomware attack or phishing is suspected. This goes for both wired and wireless systems. It helps in preventing further contamination by ransomware and limiting additional damage to the system.
- Determine the source of attack
Understanding the source of the ransomware or the type of ransomware you have to deal with helps in identifying the right solution. Do a thorough analysis of logs and security reports developed by Microsoft 365 and find out how the situation happened.
- Restore data using pre-existing backups
If you have a pre-existing backup of the data offline or within Microsoft 365, use it to restore the environment. Using a backup is an efficient way of restoring the system and avoiding any business downtime.
- Talk to experts
Get in touch with cybersecurity experts who can help you analyze the situation even better, remove the ransomware, restore the Microsoft 365 environment, and avoid any such accidents in future.
- Implement and enhance security updates
Get the necessary security updates to avoid vulnerabilities that might be exploited on your system again. This helps in strengthening your defenses against future attacks. You can implement multi-factor authentication to fortify the security, reevaluate permissions and authorities, and enhance security policies.
- Document the incident
Before you remove ransomware from your system, make sure that you have everything mentioned clearly in a document. Mention all actions you took during the ransomware recovery process. This will help you understand what you need to avoid in future, what can be improved, and what helped you recover from the situation.
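For the "Determine the source of attack" step above, an added example (not part of the original article) of one way to analyze Microsoft 365 logs: it queries the unified audit log for SharePoint and OneDrive file operations and reports users with an unusually high number of file changes in a single hour. The time window and the threshold are constructed values, and an Exchange Online PowerShell session with audit log search permissions is assumed.

```powershell
# Added example: window and threshold are constructed, not from the article.
# Assumes an Exchange Online PowerShell session with audit log access.
$Start     = Get-Date '2024-01-10 00:00'   # constructed incident window (UTC)
$End       = Get-Date '2024-01-11 00:00'
$Threshold = 200                           # arbitrary: file events per user per hour

# File operations that a mass-encryption run typically generates.
$records = Search-UnifiedAuditLog -StartDate $Start -EndDate $End `
    -Operations FileModified, FileRenamed, FileDeleted, FileUploaded `
    -ResultSize 5000                       # 5000 is the per-call maximum

# AuditData is a JSON string; pull out the fields useful for triage.
$events = foreach ($r in $records) {
    $d = $r.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        Time      = $r.CreationDate
        User      = $r.UserIds
        Operation = $r.Operations
        ClientIP  = $d.ClientIP
        UserAgent = $d.UserAgent
        Extension = $d.SourceFileExtension
    }
}

# Group by user and hour, keep only the bursts above the threshold.
$bursts = $events |
    Group-Object User, { $_.Time.ToString('yyyy-MM-dd HH:00') } |
    Where-Object Count -ge $Threshold |
    ForEach-Object {
        [pscustomobject]@{
            UserAndHour = $_.Name
            Events      = $_.Count
            ClientIPs   = ($_.Group.ClientIP  | Sort-Object -Unique) -join ', '
            Extensions  = ($_.Group.Extension | Sort-Object -Unique) -join ', '
        }
    }

$bursts | Sort-Object Events -Descending | Format-Table -AutoSize
```

The earliest burst, together with its client IP and user agent, points to the account and device to isolate first and gives the timestamp to use as the restore point.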
Automated solution to protect data
Kernel Office 365 Backup & Restore is an advanced utility specially designed to back up and restore Office 365 data. It can even back up multiple mailboxes at once without any interruptions. This Microsoft 365 backup tool is integrated with advanced features and capabilities and supports all versions of Exchange, Outlook, and Office 365.
Some of the critical features of the tool include:
- Allows multiple mailbox backup from Exchange Online to Outlook PST.
- Capable of Archive & Shared mailbox backups for enhanced recovery.
- Import PST files to archive mailboxes, shared mailboxes, and user groups.
- Restore data from on-premises/hosted Exchange mailboxes.
- Supports incremental backup if you already have a backup file.
- Provides advanced filtration options to backup specific data and files.
- Supports email backup in multiple formats, including PST, MSG, MHT, HTML, PDF, DOC, DOCX, etc.
- Save source mailbox hierarchy to a separate folder specified by the user.
If you’ve been struggling to back up and restore Office 365 after a ransomware attack, our tool helps you overcome all your obstacles.
Wrap up
A ransomware attack can drastically damage your data while making it inaccessible to you in every way possible. Recovering this data is crucial for your organization. In such scenarios, you need to follow a strategic approach to restore your data. Using the methods and best practices mentioned in the article, you can recover data from a ransomware attack. Moreover, the article mentions the Kernel Office 365 Backup & Restore tool to help protect data so that you can recover from such situations effectively.