Steps to Recover Data in Office 365 from Ransomware Attack

Jarvis Flores | Updated On - 27 Jul 2021

Being a cloud platform, Office 365 is more prone to ransomware attacks, which can directly affect critical information. Even if you take adequate measures to protect the data, you can still end up being a victim of a ransomware attack. Thus, it is crucial to take preventive measures to ensure that your Office 365 data is protected from all types of ransomware attacks.

But what if you become a victim of ransomware? How can you recover its data without losing anything?

In this informative article, we will walk you through the step-by-step process of recovering your data after a ransomware attack. Also, we provide the best practices to stop the internal spread of infection.

What is a Ransomware Attack?

Ransomware is malware that encrypts systems and data and then demands a ransom to decrypt them. Cybercriminals take hold of your data while making it inaccessible to you. In general, attackers ask for payment in cryptocurrency as it cannot be tracked and traced. The ransom demand can be small or huge depending upon the type of data.

It’s not beneficial to pay the ransom, as there is no guarantee that the attackers will decrypt your data. Therefore, you should have security measures in place beforehand to protect your data from ransomware attacks.

Steps to Recover Data from Ransomware Attacks

There are multiple ways to defend your data from ransomware attacks. Below, we have mentioned every tested step that can help you recover data from a ransomware attack.

  1. Restore Data from Backup
    The best method to recover data from a ransomware attack is to restore the files from backups. If the backups are also under the ransomware attack, this step is not helpful.
  2. Disable Exchange ActiveSync and OneDrive Sync
    If you suspect that you’re under a ransomware attack, it’s time to take action. First of all, disable user mailboxes and ensure that the ransomware doesn’t spread. If you’re connected to Exchange, it’s crucial to disable Exchange ActiveSync for mailboxes. Exchange ActiveSync synchronizes data between systems and online mailboxes, which can make all of that data inaccessible during a ransomware attack.

    Apart from Exchange ActiveSync, you also need to disable OneDrive Sync in Office 365 if you upload data to it on a regular basis. Stopping OneDrive sync will allow you to protect your cloud data from being updated by potentially infected devices.

  3. Recover Files on a Cleaned Computer
    Once you remove the malware from your system, you can recover your local files and folders with File History. However, it is crucial to keep in mind a few things, such as:

    • Some ransomware also encrypts the backup versions, which doesn’t allow you to use File History or System Protection to restore files. In this case, you need to use backups on external devices or drives that are not affected by ransomware.
    • If the system folders are synchronized to OneDrive, and you don’t use the latest version of Windows, you cannot use File History to its full potential.

    Recovering files on a cleaned computer will save them from any malware or ransomware attack, and you’ll be able to use them without paying any ransom.
  4. Restore Data from OneDrive for Business
    OneDrive for Business saves the version histories of files. To restore data from OneDrive, you need to access OneDrive for Business from a system that is not under a ransomware attack.

    • Open OneDrive for Business from a different system
    • If you’re signed in with a personalized account, click Settings at the top of the page and then click Options
    • From here, click Restore your OneDrive from the left navigation
    • On the Restore page, select the specific timeline from the drop-down list
    • Now, utilize the activity chart or activity feed to view the recent activities that you want to undo
    • Once you choose the particular timeline or the activity that you want to restore, click the Restore button

    Doing so will undo all the actions and activities you have selected. Version history in OneDrive for Business works well for Office 365 documents such as Word, Excel, and PowerPoint files.

  5. Remove the Malware from Affected Devices
    To remove malware from the system, use an antivirus to scan all the systems and computers to identify and eliminate the ransomware’s payload. Make sure you check the devices that are synchronizing data. To check your devices, you can use Windows Defender or Microsoft Security Essentials with your Microsoft 365 subscription.
  6. Recover Deleted Emails
    If the ransomware deleted all your emails linked to the Office 365 account, you could quickly recover the deleted items from Exchange Management Shell. To recover your deleted messages in a user’s mailbox, follow the below steps:

    • Go to Exchange Management Shell and navigate to Recipients >> Mailboxes
    • Now, select the mailbox that you want to recover and click on the display name
    • Under More Actions, click Recover Deleted items and provide the values for each or either of the filter criteria from the drop-down lists

    After making the changes, click Apply Filter. This will help you recover recently deleted emails. You can also use Exchange PowerShell to restore the deleted items with the below steps:

    • Connect to Exchange Online PowerShell
    • In the PowerShell, run the following command to search for messages
    Get-RecoverableItems -Identity <MailboxIdentity> -SubjectContains "<Text>" -FilterItemType <ItemType> -FilterStartTime "<Date/Time>" -FilterEndTime "<Date/Time>"

    Running the above command will return all the available recoverable deleted messages with the specified subject in your mailbox for the specified timeline.

  7. Restore Data with Compliance and Retention Policies
    Microsoft follows some standard compliance and retention policies for Microsoft Office 365 E3 and higher subscription plans, which mid-level enterprises generally use. The primary advantage of retention policies is that they help you keep a copy of your files whenever you upload a new document to your account. This way, you can recover your lost data quickly, even if the original file is under a ransomware attack.

    However, there is a limitation to the retention policy; the data backup depends on the storage quota of the subscription plan. If the given quota is full, you need to purchase extra storage, which becomes a little expensive after a certain period. Also, restoring the data files from the compliance center is very time-consuming; you need to make search queries to find and export the correct files for recovery.

  8. Re-enable Exchange ActiveSync and OneDrive Sync
    After cleaning your computer and devices and recovering the data from a backup or other approaches, you can re-enable Exchange ActiveSync and OneDrive sync, which you disabled initially. Re-enabling Exchange ActiveSync and OneDrive sync is crucial to perform your tasks in Office 365. The data will not be synced regularly if you don’t enable the OneDrive sync.

    The above methods are pretty handy if you have maintained a backup for your Office 365 account. If there is no backup available for any item in your Office 365, it’ll not be easy to restore your data manually. The only possible way to protect an Office 365 mailbox from ransomware attacks and to restore your Office 365 data is to use an automated solution to quickly retain all the deleted files and folders from Office 365 under a ransomware attack.
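
The Exchange Online side of steps 2, 6 and 8 as one PowerShell sequence. This is an added example, not part of the original article: the mailbox addresses, incident window and file names are constructed placeholders, and the three function names are hypothetical. It does not cover OneDrive sync.

```powershell
# Added example. Requires the ExchangeOnlineManagement module and an
# existing admin session (Connect-ExchangeOnline).
# Constructed sample values: replace with the mailboxes and window of your incident.
$Affected   = 'user1@contoso.example', 'user2@contoso.example'
$WindowFrom = [datetime]'2021-07-20T00:00:00'   # assumed start of the incident
$WindowTo   = [datetime]'2021-07-21T00:00:00'   # assumed end of the incident
$StateFile  = '.\activesync-state.csv'

function Disable-AffectedActiveSync {
    # Step 2: record each mailbox's current setting, then switch ActiveSync off.
    $state = foreach ($mbx in $Affected) {
        $cas = Get-CASMailbox -Identity $mbx
        [pscustomobject]@{ Mailbox = $mbx; WasEnabled = $cas.ActiveSyncEnabled }
        Set-CASMailbox -Identity $mbx -ActiveSyncEnabled $false
    }
    $state | Export-Csv -Path $StateFile -NoTypeInformation
}

function Restore-DeletedMail {
    # Step 6: list what is recoverable in the window, keep a record, then restore it.
    foreach ($mbx in $Affected) {
        $filter = @{
            Identity        = $mbx
            FilterItemType  = 'IPM.Note'        # e-mail messages only
            FilterStartTime = $WindowFrom
            FilterEndTime   = $WindowTo
        }
        $items = @(Get-RecoverableItems @filter -ResultSize Unlimited)
        $items | Export-Csv -Path ".\recoverable-$mbx.csv" -NoTypeInformation
        if ($items.Count -gt 0) {
            Restore-RecoverableItems @filter -ResultSize Unlimited
        }
    }
}

function Enable-AffectedActiveSync {
    # Step 8: once devices are clean, re-enable only what was enabled before.
    Import-Csv -Path $StateFile |
        Where-Object { $_.WasEnabled -eq 'True' } |
        ForEach-Object { Set-CASMailbox -Identity $_.Mailbox -ActiveSyncEnabled $true }
}
```

Run `Disable-AffectedActiveSync` as soon as an infection is suspected, `Restore-DeletedMail` after the devices are cleaned, and `Enable-AffectedActiveSync` last. The saved CSV keeps mailboxes that had ActiveSync turned off before the incident from being switched on by mistake.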

Automated Solution – Kernel Office 365 Backup & Restore

Kernel Office 365 Backup & Restore is an advanced utility specially designed to backup and restore your Office 365/Exchange data. It can even backup multiple mailboxes at once without any interruptions. It is integrated with advanced features and capabilities and supports all versions of Exchange, Outlook, and Office 365. Some of the critical features of the tool include:

  • Allows multiple mailbox backup from Exchange Online to Outlook PST
  • Capable of Archive & Shared mailbox backups for enhanced recovery
  • Import PST files to archive mailboxes, shared mailboxes, and user groups
  • Restore data from on-premises/hosted Exchange mailboxes
  • Supports incremental backup if you already have a backup file
  • Provides advanced filtration options to backup specific data and files
  • Supports email backup in multiple formats, including PST, MSG, MHT, HTML, PDF, DOC, DOCX, etc.
  • Save source mailbox hierarchy to a separate folder specified by the user

If you’ve been struggling with Office 365 backup & restore after a ransomware attack, Kernel Office 365 Backup & Restore can help you overcome all your obstacles.

Wrap Up

A ransomware attack can drastically damage your data while making it inaccessible to you in every way possible. Recovering this critical data is crucial for your organization. In such scenarios, you need to follow a strategic approach to restore your data. The above article focuses on some of the most effective ways to restore data from Office 365 after a ransomware attack. It also talks about an alternate solution that can be helpful if the manual approaches are not working correctly.