Ransomware detection and recovering your files
When your OneDrive files are targeted by ransomware, you will receive an alert and be guided through the process of restoring your documents. Ransomware is a sort of harmful software (malware) that encrypts your data and prevents you from accessing them unless you pay a ransom.
The first time Microsoft 365 identifies a ransomware assault, you’ll receive a notification on your device, followed by an email from the company itself. If you are not already a subscriber, your first notification and recovery are both complimentary. View the various available plans.
We’ll lead you through the recovery process, which involves the following steps: Click on the link in the notification or the email, or go to the OneDrive website, to begin.
Verify that your files have been compromised.
All of your electronic equipment should be cleaned.
Restore access to your OneDrive.
Microsoft’s Ransomware Detection email, as seen on a computer screen.
On the OneDrive website, you may find instructions on how to detect and recover from ransomware.
When you visit the OneDrive website, you will see the Signs of ransomware detected page if Microsoft 365 has identified a ransomware assault on your computer (you might need to sign in first). To get started, click on the Get started button.
Steps to the ransomware detection and recovery process on the OneDrive website
Step 1: Confirm that your files are compromised with malware.
Do these files appear to be correct? screen, we’ll show you several files that appear to be suspicious. Ransomware has most certainly compromised them if they have the incorrect name or suffix, or if they don’t appear to be what they should be when you open them from the list.
Step 1: Confirm your files are infected
Screenshot of the Do these files appear to be in the correct format page on the OneDrive website.
Choose a file to open in the online viewer by clicking on it. (This will not result in the file being downloaded to your device.)
If the file isn’t visible, you’ll be given the option to download it to your device so that you may access it.
Steps 1 and 2 should be repeated for as many files as you like to view.
If your files have been affected by ransomware, click on My files have been infected to proceed to the next stage in the recovery process. Otherwise, if your data appear to be in good condition and you are convinced that they are not infected with ransomware, pick My files to appear to be in good condition.
If you select My files are unharmed, the ransomware recovery process will be completed and you will be able to resume using OneDrive as usual.
Step 2: Clean all your devices
When you click on the Clean all your devices button, you’ll get instructions for cleaning all of your devices that are connected to OneDrive. It’s critical to apply anti-virus software to clean all of your devices before attempting to recover your contents from backup. If you don’t, your files may become encrypted again when you try to restore them.
On the OneDrive website, a screenshot of the Clean all your devices screen is shown.
Choose the link that corresponds to the Windows version that you are currently using and follow the steps in the article.
Step 1 should be repeated for all of the additional devices on which you utilize OneDrive.
Continue with the processes outlined in the articles and return to the Clean all your devices page on the OneDrive website, where you can choose from one of the following buttons:
All of my equipment is in good working order. When you’ve finished cleaning up all of your devices and are ready to move on to the next step of the recovery procedure, which is to restore your files from OneDrive, click this button to begin the process.
My antivirus software is unable to clean all of my gadgets. After you’ve attempted to clean your devices and discovered that you were unable to clean all of your devices for whatever reason, click on this button to proceed. As a result, you’ve arrived at the Reset devices page, which contains instructions on how to reset your devices.
Step 3: Restore your files from OneDrive
On the OneDrive website, a screenshot of the Rest devices interface.
Follow the instructions for your operating system by clicking on the appropriate link. When you’ve finished cleaning or resetting all of your devices, return to the OneDrive website to return to the Reset devices page, check the box that says “My devices have been cleaned or reset,” and then click OK.
Step 3: Restore your OneDrive files to your computer
The next step, once all of your devices have been thoroughly cleaned, is to restore your OneDrive backup.
When you get to this phase, the time and date when the ransomware was discovered will be automatically selected for you by the system.