SharePoint Online Ransomware Protection

Protect your Microsoft Office 365 data against Ransomware

In today’s world, ransomware is the most dangerous cybersecurity threat for businesses. A new study by CyberEdge found that 62 per cent of enterprises were attacked by ransomware in 2020, based on a survey of 1200 information technology professionals. The ransom was paid by 57 per cent of the companies who were affected.

You might be thinking, “Well, at the very least they got their data back.” Unfortunately, paying the ransom does not ensure that your data will be returned to you promptly. A startling 33 per cent of the companies that paid the ransom were still unable to retrieve their information.

SharePoint and OneDrive both include several security features to keep your files safe. These include versioning, first- and second-stage recycle bins, and Compliance Retention Policies, which are available in various Microsoft 365 plans.

OneDrive even has built-in detection for ransomware, and it will notify you if a large number of files are changed, allowing you to restore them as quickly as possible.

Storing your files online in OneDrive or SharePoint may therefore seem safe thanks to versioning and recycle bins, but you're still vulnerable to data loss if you don't have a proper backup solution in place as well. One of the problems is that some malware is capable of removing the version history (by copying the files and deleting the originals), making it difficult to recover the files.

When it comes to data protection in Office 365, a lot of users rely only on file versioning and the first- and second-stage recycle bins, which are both optional. These features are excellent for the occasional restore operation, but when it comes to recovering a large amount of data, you will quickly run into their limits.

Have you ever attempted to restore an entire document library from the first-stage recycle bin? If so, what was your experience?

It is not possible to just choose the folder and push the restore button. You will also need to select all of the files and subfolders within the folder. It is possible to speed up the restore procedure in these situations by using PowerShell, but it will still be time-consuming and prone to errors.
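A PowerShell bulk restore of that kind could look like the following. This is an added example, not a script from the original article; it assumes the PnP.PowerShell module is installed, and the site URL, folder path and date are placeholders you supply.

```powershell
# Added example: bulk-restore first-stage recycle bin items that were deleted
# from one folder tree after a given time. Runs as a dry run unless -Apply is set.
param(
    [Parameter(Mandatory)] [string]   $SiteUrl,      # placeholder: https://<tenant>.sharepoint.com/sites/<site>
    [Parameter(Mandatory)] [string]   $FolderPath,   # placeholder: sites/<site>/Shared Documents/<folder>
    [Parameter(Mandatory)] [datetime] $DeletedAfter,
    [switch] $Apply
)

# Depending on the module version, -ClientId for your own app registration may also be required
Connect-PnPOnline -Url $SiteUrl -Interactive

$prefix = $FolderPath.Trim('/')
$since  = $DeletedAfter.ToUniversalTime()

# DirName is the original parent path and LeafName the item name
$candidates = Get-PnPRecycleBinItem -FirstStage | Where-Object {
    $full = "$($_.DirName)/$($_.LeafName)"
    ($full -eq $prefix -or
     $full.StartsWith("$prefix/", [System.StringComparison]::OrdinalIgnoreCase)) -and
    $_.DeletedDate.ToUniversalTime() -ge $since
} | Sort-Object DirName, LeafName    # shallower paths first

$failed = @()
foreach ($item in $candidates) {
    $path = "$($item.DirName)/$($item.LeafName)"
    if (-not $Apply) { Write-Output "WOULD RESTORE $path"; continue }
    try {
        Restore-PnPRecycleBinItem -Identity $item -Force -ErrorAction Stop
        Write-Output "RESTORED $path"
    }
    catch {
        # Typical cause: an item with the same name already exists at the original location
        $failed += [pscustomobject]@{ Path = $path; Error = $_.Exception.Message }
    }
}

# Review what could not be restored instead of assuming the run was complete
$failed | Format-Table -AutoSize
```

Run it without `-Apply` first and check the list against what you expect to get back; the failure table at the end is where the "prone to errors" part shows up.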

The question is how we can safeguard our data in Office 365 from being encrypted by ransomware, and what options we have when it comes to recovery.

How does ransomware infect files in OneDrive or SharePoint?

Before we look at what you can do to protect yourself from ransomware attacks, let's take a closer look at how files stored in OneDrive or SharePoint can become infected.

Most people believe that files kept online cannot be infected. The problem, however, is that virtually every OneDrive is synced to a local device. Even with SharePoint, we have seen users synchronise their document libraries with their mobile devices.

Although locally stored files are more convenient to work with, they are also more vulnerable to ransomware attacks.

When a device is infected with ransomware, any files that are encrypted are simply synced back to OneDrive or SharePoint, so the copies stored online end up encrypted as well.

There are also other ways to infect files.

Even if you don’t sync your data, ransomware can still encrypt your files in OneDrive or SharePoint if they are not properly protected. Following a successful phishing attempt, attackers can obtain access to your Microsoft 365 environment, encrypting all of your OneDrive files in the process.

Another method for an attacker to acquire access to your data is through the use of malware or phishing websites that ask for your permission to access your OneDrive.

Recovery from Ransomware in Office 365

When you are infected with ransomware, the first thing you should do is disable OneDrive sync on all of your machines and unplug the infected computer from the network immediately. It is possible that deactivating the OneDrive sync will allow you to recover the infected files from the other (not yet affected) machines.

First and foremost, you could try to restore your files by reverting each affected file to a prior version from before it was encrypted. The difficulty with SharePoint is that you can't do this for a whole folder at once; instead, you must do it for each file.

You could, of course, try to accomplish this with PowerShell. The PnP library does contain a cmdlet that can be used to roll back a file’s version, but it will require you to first write and test a script.
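A rollback script along those lines is sketched below. It is an added example, not code from the original article; it assumes the PnP.PowerShell module, and the site URL, library title and attack start time are placeholders. Files that have no version from before the attack (for instance copies the malware created after deleting the originals) are reported instead of being touched.

```powershell
# Added example: roll every file changed since the attack back to its newest
# version from before the attack. Runs as a dry run unless -Apply is set.
param(
    [Parameter(Mandatory)] [string]   $SiteUrl,      # placeholder: https://<tenant>.sharepoint.com/sites/<site>
    [Parameter(Mandatory)] [string]   $Library,      # placeholder: library title, e.g. Documents
    [Parameter(Mandatory)] [datetime] $AttackStart,
    [switch] $Apply
)

# Depending on the module version, -ClientId for your own app registration may also be required
Connect-PnPOnline -Url $SiteUrl -Interactive
$cutoff = $AttackStart.ToUniversalTime()

# Only files whose current version was written during or after the attack
$changed = Get-PnPListItem -List $Library -PageSize 500 | Where-Object {
    $_.FileSystemObjectType -eq 'File' -and
    ([datetime]$_['Modified']).ToUniversalTime() -ge $cutoff
}

$report = foreach ($item in $changed) {
    $url = $item['FileRef']    # server-relative URL of the file

    # Previous versions only; pick the newest one created before the attack
    $good = Get-PnPFileVersion -Url $url |
        Where-Object { $_.Created.ToUniversalTime() -lt $cutoff } |
        Sort-Object Created -Descending |
        Select-Object -First 1

    if (-not $good) {
        # Nothing to roll back to: this file needs a backup or the recycle bin
        [pscustomobject]@{ File = $url; Action = 'NoCleanVersion'; Version = $null }
        continue
    }
    if ($Apply) {
        Restore-PnPFileVersion -Url $url -Identity $good.ID -Force
    }
    [pscustomobject]@{
        File    = $url
        Action  = if ($Apply) { 'Restored' } else { 'WouldRestore' }
        Version = $good.VersionLabel
    }
}

$report | Export-Csv -Path .\version-rollback-report.csv -NoTypeInformation
```

The rollback restores file content only; a file that the ransomware renamed keeps its new name and has to be renamed separately.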

With OneDrive it is a little easier. You have the option to restore your entire OneDrive to a point in time up to 30 days back:

  • Open OneDrive in a web browser and navigate to the settings page.
  • Choose Restore your OneDrive from the drop-down menu.
  • Choose a date and then click Restore.

Backups created by Microsoft

If you have a SharePoint site that has been compromised by ransomware and you don’t have a third-party backup, your only real choice is to contact Microsoft and ask if they can restore the site for you.

Microsoft creates a daily backup of your data and retains it for 14 days. If you are trying to recover from a ransomware attack and do not have access to a third-party backup service, this is your best choice.

For data recovery, you will need to file a support request with Microsoft; it may take up to 48 hours or even longer in some cases before your data can be recovered and restored. Another disadvantage is that Microsoft only restores the entire site, so you won’t be able to restore just a particular document library.

It’s important to remember that those backups are not guaranteed: Microsoft even recommends that you use a third-party backup solution to keep your information safe.

Keeping Records in Compliance with Retention Policies

The ability to set retention policies is only available on Microsoft Office 365 E3 and above plans, so this functionality isn’t available to everyone. When a file is generated or updated, a copy of the file is stored by the retention policy. This makes it possible to always locate and restore the original file, as well as any modifications made to it.

When compared to a backup system that can only take several snapshots each day, the advantage of retention policies is that every change is preserved. It is, therefore, an ideal backup option in theory, but it does have some drawbacks in practice.

Your storage quota will be reduced by the amount of data that is maintained by retention policies. If you intend to keep your data for more than a few years, the additional storage that you will need to purchase will become prohibitively expensive.

The other issue is the process of recovering the files. In the compliance centre or on a SharePoint site, you can’t just pick a folder and start working on it. It will be necessary to create search queries to select and export the correct files that you require for recovery purposes.

Once you have located the correct set of files, you will only be able to download them and will have to upload them again manually.

Restoring files from the compliance centre can be a time-consuming process that should only be used as a last resort in extreme circumstances.

Protection against ransomware in Microsoft 365

A multi-layered approach will be required to safeguard your data against ransomware. To begin, educate your users on how to identify phishing emails and how to report them to you. When it comes to ransomware infections, it is the end user through whom the infection arrives.

The majority of ransomware is distributed via phishing emails that contain links to harmful documents or websites. Regularly educating your users on how to identify phishing emails is the first and most important step. When I receive phishing mail, I immediately share it on Yammer, pointing out how others may identify it.

Anti-Spam Email Protection

As previously stated, the majority of attacks begin with phishing emails. In Exchange Online, we can use mail flow rules to prevent harmful attachments from being delivered. Simply create a new rule and specify that all messages containing executable content should be blocked.
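The same rule can be created from Exchange Online PowerShell. This is an added example, not taken from the original article; it assumes the ExchangeOnlineManagement module, and the rule name and rejection text are made up for illustration. The rule starts in audit mode so you can see what it would block before it rejects anything.

```powershell
# Added example: mail flow rule that rejects messages with executable attachments.
param(
    [switch] $Enforce    # without -Enforce the rule only audits matches
)

Connect-ExchangeOnline

$ruleName = 'Block executable attachments'    # assumed name, pick your own

# Create the rule once; filter client-side so a missing rule is not an error
$existing = Get-TransportRule | Where-Object { $_.Name -eq $ruleName }
if (-not $existing) {
    New-TransportRule -Name $ruleName `
        -AttachmentHasExecutableContent $true `
        -RejectMessageReasonText 'Messages with executable attachments are not accepted.' `
        -Mode Audit `
        -Comments 'Rejects mail with executable attachments. Created in audit mode.'
}

# Switch to blocking only after the audit results have been reviewed
if ($Enforce) {
    Set-TransportRule -Identity $ruleName -Mode Enforce
}

# Show the rule's current state so the change can be verified
Get-TransportRule | Where-Object { $_.Name -eq $ruleName } |
    Select-Object Name, State, Mode, Priority
```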

I also prefer to restrict the delivery of files to the general mailboxes (like info or invoice mailboxes). These mailboxes are always inundated with spam and phishing emails, so if at all feasible, simply block all emails that contain files.

If you want to take your Exchange Online security even further, adding Defender for Office 365 is a fantastic option. It adds protection against malicious URLs and hazardous attachments, as well as enhanced zero-day protection, among other benefits.