• facebook
  • twitter
  • linkedin

Read time 7 minutes

Summary: In this article, you’ll learn how to recover your Office 365 data after a ransomware attack. It discusses various methods such as restoring from backups, disabling syncing to prevent further spread, recovering files, and more. Additionally, it introduces an automated solution, Kernel Office 365 Backup & Restore, as a reliable option for data recovery.

As a cloud platform, Office 365 is susceptible to ransomware attacks, posing a direct threat to critical information. Despite implementing robust data protection measures, the risk of falling victim to ransomware remains. Therefore, it is imperative to proactively safeguard your Office 365 data against all forms of ransomware attacks.

But what if you become a victim of ransomware? How can you recover its data without losing anything?

In this informative article, we will guide you through a comprehensive step-by-step process for data recovery following a ransomware attack. Additionally, we will offer best practices to prevent the internal spread of infection.

What is a Ransomware Attack?

Ransomware employs malicious software to encrypt systems and data, subsequently demanding a ransom for decryption. Cybercriminals gain control of your data, rendering it inaccessible. Typically, attackers request payment in cryptocurrency for its untraceable nature, with the ransom amount varying based on the data’s significance.

Paying the ransom is not advisable, as there’s no assurance that the attackers will provide the decryption key. Therefore, it’s essential to proactively implement security measures to safeguard your data from ransomware attacks.

How to Recover Data from Ransomware Attacks?

There are several methods to protect your data from ransomware attacks. Below, we outline each proven step that can assist in recovering data after a ransomware attack.

  1. Restore Data from Backup
    The best method to recover data from ransomware attack is to restore the files from backups. If the backups are also under the ransomware attack, this step is not helpful.
  2. Disable Exchange ActiveSync and OneDrive Sync

    If you suspect a ransomware attack, it’s essential to take immediate action. Firstly, disable user mailboxes to prevent the ransomware from spreading further. If you’re connected to Exchange, it’s crucial to disable Exchange ActiveSync for mailboxes. Exchange ActiveSync syncs data between systems and online mailboxes, rendering all data inaccessible during a ransomware attack.

    Apart from Exchange ActiveSync, you also need to disable OneDrive Sync in Office 365 if you’re upload data to it on a regular basis. Stopping OneDrive sync will allow you to protect your cloud data from being updated by potentially infected devices.

  3. Recover Files on a Cleaned Computer

    Once you remove the malware from your system, you can recover your local files and folders with File History. However, it is crucial to keep in mind a few things, such as:

    • Some ransomware also encrypts the backup versions, which doesn’t allow you to use File History or System Protection to restore files. In this case, you need to back up your data from external devices or drives that are not affected by ransomware
    • If the system folders are synchronized to OneDrive, and you don’t use the latest version of Windows, you cannot use File History with full potentialRecovering files on a cleaned computer will save them from any malware or ransomware attack, and you’ll be able to use it without paying any ransom.
  4. Restore Data from OneDrive for Business

    OneDrive for Business retains version histories of files. To restore data from OneDrive, access it from a system that is not affected by the ransomware attack.

    • Open OneDrive for Business from a different system
    • If you’re signed in with a personalized account, click Settings at the top of the page and then click Options
    • From here, click Restore your OneDrive from the left navigation
    • On the Restore page, select the specific timeline from the drop-down list
    • Now, utilize the activity chart or activity feed to view the recent activities that you want to undo
    • Once you choose the particular timeline or the activity that you want to restore, click the Restore button

    This action will reverse all the selected actions and activities. OneDrive for Business’s version history feature is particularly effective for Office 365 documents such as Word, Excel, and PowerPoint files.

  5. Remove the Malware from Affected Devices
    To eliminate malware from your system, employ an antivirus program to scan all systems and computers and identify and remove the ransomware’s payload. Be sure to inspect devices that synchronize data. You can utilize Windows Defender or Microsoft Security Essentials as part of your Microsoft 365 subscription to check your devices.
  6. Recover Deleted Emails

    If the ransomware has deleted all your emails associated with the Office 365 account, you can promptly recover the deleted items using the Exchange Management Shell. To retrieve your deleted messages in a user’s mailbox, follow these steps:

    • Go to Exchange Management Shell and navigate to Recipients >> Mailboxes
    • Now, select the mailbox that you want to recover and click on the display name
    • Under More Actions, click Recover Deleted items and provide the values for each or either of the filter criteria from the drop-down lists

    After making the changes, click Apply Filter. This will help you recover recently deleted emails. You can also use Exchange PowerShell to restore the deleted items with the below steps:

    • Connect to Exchange Online PowerShell
    • In the PowerShell, run the following command to search for messages
    Get-RecoverableItems -Identity-SubjectContains -FilterItemType -FilterStartTime -FilterEndTime

    Running the above command will return all the available recoverable deleted messages with the specified subject in your mailbox for the specified timeline.

  7. Restore Data with Compliance and Retention Policies

    Microsoft implements standard compliance and retention policies for Microsoft Office 365 E3 and higher subscription plans, commonly utilized by mid-level enterprises. Retention policies offer a significant advantage by automatically preserving copies of your files each time you upload a new document to your account. This ensures a swift recovery of your data, even in situations where the original file falls victim to a ransomware attack.

    Nonetheless, it’s important to note that retention policies have their limitations. Data backups are contingent on the storage quota of your subscription plan. When this quota is exhausted, acquiring additional storage can become costly over time. Additionally, the process of restoring data files from the compliance center can be quite time-consuming, involving the need to craft search queries to locate and export the precise files for recovery.

  8. Re-enable Exchange ActiveSync and OneDrive Sync

    Once you have thoroughly cleaned your computer and devices and successfully recovered your data from backups or other methods, it’s essential to re-enable Exchange ActiveSync and OneDrive sync, which you had initially disabled. This step is crucial for the smooth execution of your tasks in Office 365. Failing to enable OneDrive sync may result in irregular data synchronization.

    The methods mentioned above are quite effective if you’ve maintained a backup for your Office 365 account. However, if you don’t have a backup available for any item in your Office 365, manual data restoration becomes challenging. In such cases, the only viable solution to protect Office 365 mailbox from ransomware attacks and recover your Office 365 data is to employ an automated solution that swiftly retrieves all deleted files and folders from Office 365 in the event of a ransomware attack. You can find more information on protecting your Office 365 mailbox from ransomware attacks here.

Automated Solution

Kernel Office 365 Backup & Restore is a sophisticated utility crafted for the purpose of backing up and restoring Office 365 data. It excels in efficiently backing up multiple mailboxes simultaneously, without disruptions. This tool boasts advanced features and comprehensive compatibility, supporting all versions of Exchange, Outlook, and Office 365. Key highlights of this tool include:

  • Allows multiple mailbox backup from Exchange Online to Outlook PST
  • Capable of Archive & Shared mailbox backups for enhanced recovery
  • Import PST files to archive mailboxes, shared mailboxes, and user groups
  • Restore data from on-premises/hosted Exchange mailboxes
  • Supports incremental backup if you already have a backup file
  • Provides advanced filtration options to backup specific data and files
  • Supports email backup in multiple formats, including PST, MSG, MHT, HTML, PDF, DOC, DOCX, etc.
  • Save source mailbox hierarchy to a separate folder specified by the user

If you’ve been struggling to backup & restore Office 365 after a ransomware attack, KernelApps tool helps you overcome all your obstacles.

Wrap Up

A ransomware attack can drastically damage your data while making it inaccessible for you in every way possible. And recovering this critical data is crucial for your organization. In such scenarios, you need to follow a strategic approach to restore your data. The above article focuses on some of the most effective ways to restore data from Office 365 after a ransomware attack. It also talks about an alternate solution that can be helpful if the manual approaches are working correctly.