Recover from a ransomware attack in Microsoft 365

Important

The improved Microsoft 365 Defender portal is now available. This new experience brings Defender for Endpoint, Defender for Office 365, Microsoft 365 Defender, and more into the Microsoft 365 security center. Learn what's new.

Applies to

Even if you take every precaution to protect your organization, you can still fall victim to a ransomware attack. Ransomware is big business, and the attacks are very sophisticated.

The steps in this article will give you the best chance to recover data and stop the internal spread of infection. Before you get started, consider the following items:

  • There's no guarantee that paying the ransom will return access to your files. In fact, paying the ransom can make you a target for more ransomware.

    If you already paid, but you recovered without using the attacker's solution, contact your bank to see if they can block the transaction.

    We also recommend that you report the ransomware attack to law enforcement, scam reporting websites, and Microsoft as described later in this article.

  • It's important for you respond quickly to the attack and its consequences. The longer you wait, the less likely it is that you can recover the affected data.

Step 1: Verify your backups

If you have offline backups, you can probably restore the encrypted data after you've removed the ransomware payload (malware) from your environment.

If you don't have backups, or if your backups were also affected by the ransomware, you can skip this step.

Step 2: Disable Exchange ActiveSync and OneDrive sync

The key point here is to stop the spread of data encryption by the ransomware.

If you suspect email as a target of the ransomware encryption, temporarily disable user access to mailboxes. Exchange ActiveSync synchronizes data between devices and Exchange Online mailboxes.

To disable Exchange ActiveSync for a mailbox, see How to disable Exchange ActiveSync for users in Exchange Online.

To disable other types of access to a mailbox, see:

Pausing OneDrive sync will help protect your cloud data from being updated by potentially infected devices. For more information, see How to Pause and Resume sync in OneDrive.

Step 3: Remove the malware from the affected devices

Run a full, current antivirus scan on all suspected computers and devices to detect and remove the payload that's associated with the ransomware.

Don't forget to scan devices that are synchronizing data, or the targets of mapped network drives.

You can use Windows Defender or (for older clients) Microsoft Security Essentials.

An alternative that will also help you remove ransomware or malware is the Malicious Software Removal Tool (MSRT).

If these options don't work, you can try Windows Defender Offline or Troubleshoot problems with detecting and removing malware.

Step 4: Recover files on a cleaned computer or device

After you've completed the previous step to remove the ransomware payload from your environment (which will prevent the ransomware from encrypting or removing your files), you can use File History in Windows 10 and Windows 8.1 or System Protection in Windows 7 to attempt to recover your local files and folders.

Notes:

  • Some ransomware will also encrypt or delete the backup versions, so you can't use File History or System Protection to restore files. If that happens, you need use backups on external drives or devices that were not affected by the ransomware or OneDrive as described in the next section.

  • If a folder is synchronized to OneDrive and you aren't using the latest version of Windows, there might be some limitations using File History.

Step 5: Recover your files in your OneDrive for Business

Files Restore in OneDrive for Business allows you to restore your entire OneDrive to a previous point in time within the last 30 days. For more information, see Restore your OneDrive.

Step 6: Recover deleted email

In the rare case that the ransomware deleted all your email, you can probably recover the deleted items. For more information, see:

Step 7: Re-enable Exchange ActiveSync and OneDrive sync

After you've cleaned your computers and devices and recovered your data, you can re-enable Exchange ActiveSync and OneDrive sync that you previously disabled in Step 2.

Step 8 (Optional): Block OneDrive sync for specific file extensions

After you've recovered, you can prevent OneDrive for Business clients from synchronizing the file types that were affected by this ransomware. For more information, see Set-SPOTenantSyncClientRestriction

Report the attack

Contact law enforcement

You should contact your local or federal law enforcement agencies. For example, if you are in the United States you can contact the FBI local field office, IC3 or Secret Service.

Submit a report to your country's scam reporting website

Scam reporting websites provide information about how to prevent and avoid scams. They also provide mechanisms to report if you were victim of scam.

If your country isn't listed, ask your local or federal law enforcement agencies.

Submit email messages to Microsoft

You can report phishing messages that contain ransomware by using one of several methods. For more information, see Report messages and files to Microsoft.

Additional ransomware resources

Key information from Microsoft:

Microsoft 365:

Microsoft 365 Defender:

Microsoft Azure:

Microsoft Cloud App Security:

Microsoft Security team blog posts: