Using OneDrive Restore to Recover From a Ransomware Attack

In the past, we’ve been able to restore OneDrive files on an individual basis by using the version history feature of OneDrive for Business. File version history was initially only available for Office file types, but was later improved to include all file types that OneDrive supports. Even so, restoring individual files one at a time is not a practical solution when an entire OneDrive library has been deleted or overwritten by a ransomware attack.

Recently Microsoft announced that a new OneDrive restore feature is rolling out to customers. The new feature has appeared in my Office 365 tenant in the last week, so I took it for a test drive to see how easy it would be to restore a OneDrive library that has been overwritten by ransomware.

To simulate the ransomware attack, I used the FileCryptography PowerShell module to encrypt the files. If you’re interested in running a simulation of your own, here’s the short script I wrote (note the dependency on the FileCryptography module, which I downloaded and placed in the folder where I was running the script).

# Load the FileCryptography module from the current folder
Import-Module .\FileCryptography.psm1

# AES key for the simulated attack (Protect-File expects a SecureString)
$key = ConvertTo-SecureString "rQtOOrNoXgmWRxLFtE15tIqWNqu8n21x7PT8zK/HSaI=" -AsPlainText -Force

# Local sync folder of the test account's OneDrive library
$onedrive = "C:\Users\dave.bedrat\OneDrive - Globomantics"

# Every file in the library, including subfolders
$files = Get-ChildItem -File -Recurse -Path $onedrive

foreach ($file in $files) {
    # Write an encrypted copy with a .AES extension and delete the original,
    # so the sync client uploads the change to OneDrive
    Protect-File $file.fullname -Algorithm AES -Key $key -RemoveSource
}

I don’t recommend running the script on a production machine or against production data. It should only be used with test accounts and non-production data.

The result is a OneDrive library where every file has a .AES extension and its contents are encrypted. As a side note, changing the file contents seems to matter when using the OneDrive restore feature. Initially I ran some tests by simply renaming files, but because the file contents hadn’t changed, the rename apparently did not create a new entry in the file version history, and version history is what the restore function relies on to roll back the data.


The OneDrive restore is initiated from the settings menu in the top right of the OneDrive web interface. If the feature has rolled out to your tenant you will see an option to restore your OneDrive.


You can choose from three preset dates to restore to.


If you need more control and visibility over exactly what changed and what will be restored, you can choose a custom date and time. This presents a timeline that shows you what changes occurred on which date. You can choose to roll back all the changes, or just select files to restore.


Possibly because of the number of times I repeated my test, the custom date/time picker UI eventually became erratic and I was not able to restore all changes using that option. However, the preset restore point “Yesterday” worked just fine.


Early in my tests I was seeing an error message:

“Couldn’t finish restoring. Something went wrong. Please try again. Return to my OneDrive.”


Because that error only occurred on tests where I was simply renaming files, I assume the issue is that the OneDrive restore process was not able to find a file version history to use for the roll back.

A restore log is left in the root of the OneDrive library with the results of the restore attempt. In the example below, there were eight failures logged due to folders already existing with the same name. The files within each folder that had been encrypted were still recovered though, so the failures that were logged for folder name collisions were not actually a problem.
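The restore log tells you what the restore attempted, but not whether the recovered files actually contain the original bytes. The following PowerShell is an added example, not code from the original post: run it once before the encryption script above to record a hash manifest of the library, then run it again after the OneDrive restore to compare. The OneDrive path is the same test path used in the encryption script; the manifest location under $env:TEMP is an assumed placeholder, chosen outside the synced folder so the manifest itself is neither encrypted by the simulation nor rolled back by the restore.

```powershell
# Added example (not from the original post). Assumed paths: $onedrive is the
# test account's sync folder from the encryption script; $manifest is a
# placeholder kept OUTSIDE the OneDrive folder.
$onedrive = "C:\Users\dave.bedrat\OneDrive - Globomantics"
$manifest = Join-Path $env:TEMP "onedrive-manifest.csv"

function Get-LibraryManifest {
    param([Parameter(Mandatory)][string]$Root)

    # One record per file: path relative to the library root, size, and a
    # SHA256 of the content so renamed-but-unchanged and changed files differ.
    $rootLength = $Root.TrimEnd('\').Length
    Get-ChildItem -File -Recurse -Path $Root | ForEach-Object {
        [pscustomobject]@{
            RelativePath = $_.FullName.Substring($rootLength).TrimStart('\')
            Length       = $_.Length
            SHA256       = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        }
    }
}

function Compare-LibraryManifest {
    param(
        [Parameter(Mandatory)][string]$Root,
        [Parameter(Mandatory)][string]$ManifestPath
    )

    $before = @(Import-Csv -Path $ManifestPath)
    $after  = @(Get-LibraryManifest -Root $Root)

    # Match on path AND content hash, so a file that came back with the right
    # name but different bytes is reported as not restored.
    $diff = Compare-Object -ReferenceObject $before -DifferenceObject $after `
                -Property RelativePath, SHA256 -PassThru

    # '<=' : in the baseline but not matched now (missing or content differs)
    # '=>' : present now but not in the baseline (leftover .AES files, restore log, etc.)
    $notRestored = @($diff | Where-Object SideIndicator -eq '<=')
    $extra       = @($diff | Where-Object SideIndicator -eq '=>')

    [pscustomobject]@{
        BaselineFiles   = $before.Count
        CurrentFiles    = $after.Count
        NotRestored     = $notRestored.Count
        ExtraFiles      = $extra.Count
        NotRestoredList = $notRestored.RelativePath
        ExtraFilesList  = $extra.RelativePath
    }
}

if (-not (Test-Path -Path $manifest)) {
    # First run: capture the baseline before the simulated attack.
    Get-LibraryManifest -Root $onedrive | Export-Csv -Path $manifest -NoTypeInformation
    "Baseline written to $manifest. Now run the encryption script, then the OneDrive restore."
}
else {
    # Second run: after the restore, once the sync client has finished syncing.
    Compare-LibraryManifest -Root $onedrive -ManifestPath $manifest | Format-List
}
```

Run the comparison only after the OneDrive sync client reports that it is up to date, since the restore happens in the service and the local folder is not correct until the client has pulled the rolled-back versions down. A successful restore shows NotRestored as 0; anything listed under ExtraFiles is worth a look, because the restore log in the library root will be there, but so would any .AES files the restore did not clean up.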


Ultimately the OneDrive restore feature seems to work just fine. The UI is a little buggy, but I imagine it will be improved over time as more customers use it and give feedback. The rollout of this feature to Office 365 customers improves the capability of OneDrive to recover from ransomware attacks, which should also encourage more OneDrive adoption in the future.

Photo by Brooke Campbell on Unsplash

About the Author

Paul Cunningham

Paul is a former Microsoft MVP for Office Apps and Services. He works as a consultant, writer, and trainer specializing in Office 365 and Exchange Server. Paul no longer writes for Practical365.com.

Comments

  1. Nate

    This “restore” feature hardly works worth a darn. I deleted a folder of pictures a few days back, and the change timeline has no record of them… pretty shoddy…

  2. Donna Piffier

    I don’t really understand OneDrive. Is it storage I have free for a year and then have to pay for? What about the OneDrive recovery options for ransomware? Can’t I recover from that if I’ve backed up to a USB? I’m on Windows 10 and I think my version of Microsoft is 2016 Home and Student.

  3. Pedro Pais

    Do you know if this feature will be available for SharePoint document libraries synced via OneDrive?

    1. Paul Cunningham

      OneDrive libraries are basically SharePoint Online in the backend, so this is essentially a SharePoint capability that is first appearing in OneDrive. I’ve seen comments in the MS tech community from Microsoft folks that the capability will some day come to SharePoint doc libraries as well, but no specific dates or other details.

      1. Pedro Pais

        Thanks, Paul.
        It’s something that’s been bothering me, since I’m not sure how/if we can recover to a previous version if we get ransomware at one of our synced doc libraries.
