Office 365 Ransomware Recovery

Ransomware detection and recovery of your files

Applies to: OneDrive (home and personal), OneDrive Mac, OneDrive Windows

Ransomware detection alerts you when your OneDrive files are being attacked and guides you through the process of restoring them. Ransomware is a type of malware: a malicious program that blocks access to your files and demands payment. Microsoft 365 will notify you if it detects a ransomware infection on your device. You’ll also receive an email from Microsoft 365. If you don’t subscribe, your first notification and recovery are free.

Click the link in the notification or the email, or go to the OneDrive website, and we’ll walk you through the recovery process, which includes:

  1. Confirm your files are infected.
  2. Clean all your devices.
  3. Restore your OneDrive.

Steps to ransomware detection and recovery on the OneDrive website

If Microsoft 365 detects a ransomware infection, you will see the Signs Of Ransomware Detected screen when you visit the OneDrive website. You might have to sign in before you can view this screen. To begin, click the Start button.

Step 1: Confirm that your files have been infected

On the Are these files right? screen, we’ll show some suspicious files. If they don’t look right or have the wrong suffix, ransomware is likely to have compromised them.

  1. To open a file in the online viewer, select it. This will not download the file to your computer.
  2. If the file does not display in the viewer, you can download it to your computer so that you can open it.
  3. For as many files as you wish to view, repeat steps 1 and 2.
  4. To proceed to the next step of the ransomware recovery process, choose My files infected. If your files look normal and you are confident that they are not infected by ransomware, select My files are OK.

Choosing My files are OK exits ransomware recovery and returns you to OneDrive as normal.
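A local version of the check in Step 1, added here as an example and not part of the original article or of Microsoft's tooling: it flags files whose leading bytes do not match their suffix, or that carry an extra suffix after a known one. The signature table, the function names and the folder you pass in are assumptions made for illustration.

```python
from __future__ import annotations
from pathlib import Path

# Leading bytes expected for a few common suffixes (illustrative subset, not exhaustive).
MAGIC = {
    ".pdf": (b"%PDF-",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".docx": (b"PK\x03\x04",),
    ".xlsx": (b"PK\x03\x04",),
    ".pptx": (b"PK\x03\x04",),
}

def check_file(path: Path) -> str | None:
    """Return a reason string if the file looks wrong, else None."""
    suffixes = [s.lower() for s in path.suffixes]
    # A known suffix followed by an unknown one (report.docx.xyz) is the "wrong suffix" case.
    if len(suffixes) >= 2 and suffixes[-2] in MAGIC and suffixes[-1] not in MAGIC:
        return f"extra suffix {suffixes[-1]!r} after {suffixes[-2]!r}"
    expected = MAGIC.get(suffixes[-1]) if suffixes else None
    if expected is None:
        return None  # unknown type: nothing to compare against
    try:
        with path.open("rb") as fh:
            head = fh.read(16)
    except OSError as exc:
        return f"unreadable: {exc.strerror}"
    if not any(head.startswith(sig) for sig in expected):
        return f"content does not start like a {suffixes[-1]} file"
    return None

def scan(root: Path) -> dict[str, str]:
    """Walk root and map relative path -> reason for every suspicious file."""
    findings = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            reason = check_file(p)
            if reason:
                findings[p.relative_to(root).as_posix()] = reason
    return findings

if __name__ == "__main__":
    import sys
    for name, reason in scan(Path(sys.argv[1])).items():
        print(f"{name}: {reason}")
```

A mismatch is a prompt to open the file and look at it, not proof of encryption, and the table covers only a handful of formats.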

Step 2: Clean all your devices

On the Clean All Your Devices screen, you’ll find instructions for cleaning all the devices on which you use OneDrive. It’s essential to run antivirus software before you restore files. Otherwise, your files may become encrypted again when you restore them.

  1. Follow the instructions to find the Windows version you are using.
  2. For all other devices on which you use OneDrive, repeat step 1.
  3. Once you have completed the steps, go back to the Clean all devices page on OneDrive and select one of the buttons:
  • All of my devices are clean. Once you have finished cleaning your devices, click this button to continue the recovery process. Next, you can restore your files from OneDrive.
  • My devices are not being cleaned by Antivirus. Click this button if you have tried to clean your devices but failed. The Reset devices page then opens, with information about how to reset devices.

Follow the links for your operating system. After you have finished cleaning and resetting all devices, return to OneDrive and go to the Reset devices page. Select the My devices are all clean/reset box, then click OK.

Step 3: Restore your files using OneDrive

The final step after all your devices are clean is to restore your OneDrive.

This step will allow you to choose the date and time that ransomware was detected.