Using OneDrive Restore to Recover From a Ransomware Attack

In the past, we’ve been able to restore OneDrive files on an individual basis by using the version history feature of OneDrive for Business. File version history was initially only available for Office file types, but was later improved to include all file types that OneDrive supports. Even still, restoring individual files one at a time is not a practical solution when an entire OneDrive library has been deleted, or overwritten by a ransomware attack.

Recently Microsoft announced that a new OneDrive restore feature is rolling out to customers. The new feature has appeared in my Office 365 tenant in the last week, so I took it for a test drive to see how easy it would be to restore a OneDrive library that has been overwritten by ransomware.

To simulate the ransomware attack, I used this PowerShell module to encrypt the files. If you’re interested to run a simulation of your own, here’s the short script I wrote (note the dependency on the FileCryptography module, which I downloaded and placed in the folder where I was running my script).

Import-Module .\FileCryptography.psm1

$key = ConvertTo-SecureString "rQtOOrNoXgmWRxLFtE15tIqWNqu8n21x7PT8zK/HSaI=" -AsPlainText -Force

$onedrive = "C:\Users\dave.bedrat\OneDrive - Globomantics"

$files = Get-ChildItem -File -Recurse -Path $onedrive

foreach ($file in $files) {
    
    Protect-File $file.fullname -Algorithm AES -Key $key -RemoveSource
    
}

I don’t recommend running the script on a production machine or against production data. It should only be used with test accounts and non-production data.

The result is a OneDrive library where every file has a .AES extension and the file contents have been encrypted. As a side note, this seems to be an important factor when using the OneDrive restore feature. Initially I ran some tests by simply renaming files. But because the file contents hadn’t changed, it apparently did not trigger the file version history, which is what the restore function relies on to roll back the data.

The OneDrive restore is initiated from the settings menu in the top right of the OneDrive web interface. If the feature has rolled out to your tenant you will see an option to restore your OneDrive.

You can choose from three preset dates to restore to.

If you need more control and visibility over exactly what changed and what will be restored, you can choose a custom date and time. This presents a timeline that shows you what changes occurred on which date. You can choose to roll back all the changes, or just select files to restore.

Possibly due to the number of times I repeated my test, eventually the custom date/time picker UI went a little nutty and I was not able to restore all changes using that option. However, the preset restore point “Yesterday” worked just fine.

Early in my tests I was seeing an error message:

Couldn’t finish restoring. Something went wrong. Please try again. Return to my OneDrive.”

Because that error only occurred on tests where I was simply renaming files, I assume the issue is that the OneDrive restore process was not able to find a file version history to use for the roll back.

A restore log is left in the root of the OneDrive library with the results of the restore attempt. In the example below, there were eight failures logged due to folders already existing with the same name. The files within each folder that had been encrypted were still recovered though, so the failures that were logged for folder name collisions were not actually a problem.

Ultimately the OneDrive restore feature seems to work just fine. The UI is a little buggy, but I imagine it will be changed and improved over time as more customers use it and give feedback. The roll out of this feature to Office 365 customers improves the capability of OneDrive to recovery from ransomware attacks, which should also encourage more OneDrive adoption in future.

Photo by Brooke Campbell on Unsplash