Recover from a ransomware attack in Microsoft 365
Applies to:
- Exchange Online Protection
- Microsoft Defender for Office 365 plan 1 and plan 2
- Microsoft 365 Defender
Even if you take every precaution to protect your organization, you can still fall victim to a ransomware attack. Ransomware is big business, and the attacks are very sophisticated.
The steps in this article will give you the best chance to recover data and stop the internal spread of infection. Before you get started, consider the following items:
There's no guarantee that paying the ransom will return access to your files. In fact, paying the ransom can make you a target for more ransomware.
If you already paid, but you recovered without using the attacker's solution, contact your bank to see if they can block the transaction.
We also recommend that you report the ransomware attack to law enforcement, scam reporting websites, and Microsoft as described later in this article.
It's important that you respond quickly to the attack and its consequences. The longer you wait, the less likely it is that you can recover the affected data.
Step 1: Verify your backups
If you have offline backups, you can probably restore the encrypted data after you've removed the ransomware payload (malware) from your environment.
If you don't have backups, or if your backups were also affected by the ransomware, you can skip this step.
Step 2: Disable Exchange ActiveSync and OneDrive sync
The key point here is to stop the spread of data encryption by the ransomware.
If you suspect email as a target of the ransomware encryption, temporarily disable user access to mailboxes. Exchange ActiveSync synchronizes data between devices and Exchange Online mailboxes.
To disable Exchange ActiveSync for a mailbox, see How to disable Exchange ActiveSync for users in Exchange Online.
To disable other types of access to a mailbox, see:
Pausing OneDrive sync will help protect your cloud data from being updated by potentially infected devices. For more information, see How to Pause and Resume sync in OneDrive.
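The following Exchange Online PowerShell script is an added example (not part of the Microsoft article) for Step 2 and Step 7: it disables Exchange ActiveSync on a list of suspect mailboxes with Set-CASMailbox while recording each mailbox's prior setting, so that Step 7 re-enables only what was changed. The user principal names and the CSV path are placeholders; it assumes an existing admin session opened with Connect-ExchangeOnline.

```powershell
# Added example (not from the Microsoft article): bulk-disable Exchange ActiveSync
# for suspect mailboxes (Step 2) and record the prior state so Step 7 can undo
# exactly that change. Requires the ExchangeOnlineManagement module and an admin
# session, e.g.  Connect-ExchangeOnline -UserPrincipalName admin@contoso.example
# All UPNs and the state-file path below are placeholders.

function Disable-ActiveSyncForMailboxes {
    param(
        [Parameter(Mandatory)] [string[]] $UserPrincipalName,
        [string] $StateFile = '.\activesync-state.csv'
    )
    $state = foreach ($upn in $UserPrincipalName) {
        $cas = Get-CASMailbox -Identity $upn -ErrorAction Stop
        # Record what was found before touching the mailbox.
        [pscustomobject]@{
            UserPrincipalName = $upn
            ActiveSyncEnabled = $cas.ActiveSyncEnabled
            RecordedAt        = (Get-Date).ToString('o')
        }
        if ($cas.ActiveSyncEnabled) {
            Set-CASMailbox -Identity $upn -ActiveSyncEnabled $false
        }
    }
    # The CSV is the undo log used by Restore-ActiveSyncForMailboxes.
    $state | Export-Csv -Path $StateFile -NoTypeInformation
    return $state
}

function Restore-ActiveSyncForMailboxes {
    param([string] $StateFile = '.\activesync-state.csv')
    # Step 7: re-enable only the mailboxes that had ActiveSync on before Step 2;
    # mailboxes that were already disabled for other reasons stay disabled.
    Import-Csv -Path $StateFile |
        Where-Object { $_.ActiveSyncEnabled -eq 'True' } |
        ForEach-Object {
            Set-CASMailbox -Identity $_.UserPrincipalName -ActiveSyncEnabled $true
        }
}

# Usage (placeholder UPNs):
# Disable-ActiveSyncForMailboxes -UserPrincipalName 'alice@contoso.example','bob@contoso.example'
# ... clean devices and recover data (Steps 3 to 6) ...
# Restore-ActiveSyncForMailboxes
```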
Step 3: Remove the malware from the affected devices
Run a full, current antivirus scan on all suspected computers and devices to detect and remove the payload that's associated with the ransomware.
Don't forget to scan devices that are synchronizing data, or the targets of mapped network drives.
An alternative that will also help you remove ransomware or malware is the Malicious Software Removal Tool (MSRT).
If these options don't work, you can try Windows Defender Offline or Troubleshoot problems with detecting and removing malware.
Step 4: Recover files on a cleaned computer or device
After you've completed the previous step to remove the ransomware payload from your environment (which will prevent the ransomware from encrypting or removing your files), you can use File History in Windows 10 and Windows 8.1 or System Protection in Windows 7 to attempt to recover your local files and folders.
Some ransomware will also encrypt or delete the backup versions, so you can't use File History or System Protection to restore files. If that happens, you need to use backups on external drives or devices that were not affected by the ransomware, or OneDrive as described in the next section.
If a folder is synchronized to OneDrive and you aren't using the latest version of Windows, there might be some limitations using File History.
Step 5: Recover your files in your OneDrive for Business
Files Restore in OneDrive for Business allows you to restore your entire OneDrive to a previous point in time within the last 30 days. For more information, see Restore your OneDrive.
Step 6: Recover deleted email
In the rare case that the ransomware deleted all your email, you can probably recover the deleted items. For more information, see:
Step 7: Re-enable Exchange ActiveSync and OneDrive sync
After you've cleaned your computers and devices and recovered your data, you can re-enable Exchange ActiveSync and OneDrive sync that you previously disabled in Step 2.
Step 8 (Optional): Block OneDrive sync for specific file extensions
After you've recovered, you can prevent OneDrive for Business clients from synchronizing the file types that were affected by this ransomware. For more information, see Set-SPOTenantSyncClientRestriction.
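The following SharePoint Online Management Shell script is an added example (not part of the Microsoft article) for Step 8: it adds the extensions used by the ransomware to the tenant's sync exclusion list with Set-SPOTenantSyncClientRestriction, first merging them with whatever the tenant already excludes, because the cmdlet replaces the whole list. The admin URL and the sample extensions are constructed placeholders; it assumes an existing session opened with Connect-SPOService.

```powershell
# Added example (not from the Microsoft article): block the OneDrive sync client
# from synchronizing the extensions observed in the incident (Step 8) without
# clobbering exclusions the tenant already has. Requires the SharePoint Online
# Management Shell and an admin session, e.g.
#   Connect-SPOService -Url https://contoso-admin.sharepoint.com   # placeholder URL
# The extensions passed at the bottom are constructed placeholders.

function Add-OneDriveExcludedExtensions {
    param([Parameter(Mandatory)] [string[]] $Extension)

    # Normalize input: the cmdlet expects extensions without a leading dot.
    $wanted = $Extension |
        ForEach-Object { $_.TrimStart('.').ToLowerInvariant() } |
        Where-Object { $_ }

    # Current tenant setting; ExcludedFileExtensions is a semicolon-separated list.
    # Join-then-split tolerates either a single string or a collection.
    $current  = Get-SPOTenantSyncClientRestriction
    $existing = @($current.ExcludedFileExtensions) -join ';' -split ';' |
        Where-Object { $_ } |
        ForEach-Object { $_.ToLowerInvariant() }

    # Union of old and new, de-duplicated. @() wrappers keep single values as arrays
    # so '+' concatenates lists rather than strings.
    $merged = @(@($existing) + @($wanted) | Where-Object { $_ } | Sort-Object -Unique)

    # Set-SPOTenantSyncClientRestriction replaces the list, so pass the full union.
    Set-SPOTenantSyncClientRestriction -ExcludedFileExtensions ($merged -join ';')

    return $merged
}

# Usage with constructed extensions (use the ones seen in your incident):
# Add-OneDriveExcludedExtensions -Extension 'locked', '.crypt'
```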
Report the attack
Contact law enforcement
Submit a report to your country's scam reporting website
Scam reporting websites provide information about how to prevent and avoid scams. They also provide mechanisms to report if you were a victim of a scam.
Canada: Canadian Anti-Fraud Centre
Ireland: An Garda Síochána
New Zealand: Consumer Affairs Scams
Switzerland: Nationales Zentrum für Cybersicherheit NCSC
United Kingdom: Action Fraud
United States: On Guard Online
If your country isn't listed, ask your local or federal law enforcement agencies.
Submit email messages to Microsoft
You can report phishing messages that contain ransomware by using one of several methods. For more information, see Report messages and files to Microsoft.
Additional ransomware resources
Key information from Microsoft:
- The growing threat of ransomware, Microsoft On the Issues blog post on July 20, 2021
- Human-operated ransomware
- Rapidly protect against ransomware and extortion
- The latest Microsoft Security Intelligence Report (see pages 22-24)
- Ransomware: A pervasive and ongoing threat report in the Threat analytics node of the Microsoft 365 Defender portal (see these licensing requirements)
- Deploy ransomware protection for your Microsoft 365 tenant
- Malware and ransomware protection
- Protect your Windows 10 PC from ransomware
- Handling ransomware in SharePoint Online
Microsoft 365 Defender:
- Azure Defenses for Ransomware Attack
- Backup and restore plan to protect against ransomware
- Help protect from ransomware with Microsoft Azure Backup (26 minute video)
- Recovering from systemic identity compromise
- Advanced multistage attack detection in Azure Sentinel
- Fusion Detection for Ransomware in Azure Sentinel
Microsoft Cloud App Security:
Microsoft Security team blog posts: see the Ransomware section, which includes attack chain analyses of actual attacks.