Provide Ransomware detection and recovery
We are seeing an increase in this cases of cryptowall and ramsonware, were users see their computers infected with this virus.
The virus will encrypt all user files (jpg, pdf, xlsx,docx, etc.) except system files.
It would be very helpful, to have the option to have OneDrive files restored to a previous date, even if that option was only available at a OneDrive Support level.
If this option is not possible, due to server space to store all info in duplicated, it would be easier from the technical side to block .ccc, .micro, and other known file extensions in OneDrive.
This would preserve the integrity of the user's files stored in OneDrive and add an extra layer of user's files stored in OneDrive.
Thanks,
Alex

Big update — Today we’re rolling out ransomware detection & recovery for Office 365 Home & Personal subscribers. We can now detect ransomware attacks and help you restore your OneDrive to a state before files were compromised. If an attack is detected, you will be alerted through an email, mobile, or desktop notification and guided through a recovery process where you’ll be able to restore your files to the state they were in before they were compromised.
To enable the recovery process, we’re bringing over the Files Restore feature from OneDrive for Business to your personal OneDrive account. Files Restore allows you to restore your entire OneDrive to a previous point in time within the last 30 days. In addition to helping recover from an attack, Files Restore helps with an accidental mass delete, file corruption, or other catastrophic event.
For more information, check out our blog post here — https://blogs.office.com/en-us/2018/04/05/defend-yourself-from-cybercrime-with-new-office-365-capabilities/
71 comments
-
Colin commented
Annoyingly the previous versions of files is not available via the API either, as it would be trivial to write a script to restore the previous n - 1 versions, or the previous day's state.
-
Mehmet KIZILASLAN commented
-
Simon Limberg commented
Also add for entire OneDrive root folder, for full restore to previous days (in case of ransomware attacks and wipers etc).
-
Simon Limberg commented
Yes, very important! Please add folder versioning.
-
Salvatore commented
Yes, very good idea
-
Tomas Szigeti commented
Blocking file extensions as proposed is kind of working, yes it blocks the file but there is a limit in how many characters there could be in the blocking file update routine, Microsoft had looked into the matter and told me that it is by design and they can not change that behaviour now so you can't block them all, you have to choose with files to block from the lists on internet. Choose wisely my dear padwan.
-
Johan Bennink commented
Doesn't onedrive keep versions of files, so an option to roll back to a specific date for all files or an entire folder or a single file would be enough to restore your files? Or am I mistaken in thinking onedrive stores previous versions of my synced files?
-
Jarrod commented
+infinity I just dealt with a client who lost everything thinking he had the right backups in place. All it took was one pc to encrypt the files and sync with one drive and everybody automatically got hit. Local network data was restored but they have practically lost everything cloud based
-
Yawhann Chong commented
This is the next logical step to versioning, I believe. You got my 3 votes!
-
Anonymous commented
you delivered file versioning for all file types. This gives good protection against ransomware and accidental modification.
However to be usable it is necessary that I can restore a whole directory - I have thousands of files and a 1 by 1 approach will not work.
-
Rodolfo commented
Is it possible to rollback to certain date ?
-
MS fan commented
How in the world could this STILL not be a feature, in these days of crytpo ransomware?
What is the point of backup that does not protect against ransomware, in 2017?
PLEASE Microsoft! -
Anonymous commented
With the newly announced Files on Demand feature, if a participating device is infected, does the user's life end? could the user be alerted to suspicious activity and offered a rollback to an automatic backup? (heck, versioning would be handy on more things than just docs)
-
Anonymous commented
Detecting a ransomware event as suspicious activity would be helpful, and offering a one-click rollback would give peace of mind beyond the current guidance of "back up onedrive to an external drive regularly"
-
Anonymous commented
This is going to be particularly important with the newly announced Files On Demand feature
-
Andreas commented
Enabling users to block critical file extensions like possible in OneDrive Business would really significantly improve security. I am seriously concerned about Ransomware and this option would give me a bit more peace of mind.
-
Anonymous commented
Also restoring all files from a previous healthy state would be very helpful.
-
MERRY commented
I've the Identical problem
[1] How sanitise One Drive (so freeing OneDrive from the MERRY virus)?
[2] (Nice to have) How to un-encrypt docs encrypted with the MERRY virus?
(But of the two [1] is the VITAL one)
-
Dan Tshin commented
It would be good to be able to have batch (or selective) restore functionality.
-
Nathan commented
With Ransomware being such an issue these days and Microsoft always touting how important security is, I am really surprised this is not a higher priority. My CIO is always complaining about the lack of security around OneDrive for Business and why traditional storage is better.
For people that deploy OneDrive in the enterprise there is a few things preventative measure you can do to limit ransomware's ability to spread. These are not silver bullets and with ransomware changing so rapidly they might need tweaking to stay relevant.
1) block known ransomware extensions within OneDrive Admin portal. Microsoft recently released an admin portal for OneDrive (Office 365) and within it you can block any file extension you name. With the help of google you can find update list with ransomware file extensions.
2) This option is only for people that use Cloud App Security, Within Cloud App Security you can build policies based off user behavior. One thing I noticed with a verison of locky is the first thing it does is renames all the files. So I built a Cloud App Security policy that says if a user renames 5 files within a minute, send notification to IT Admins and suspend user.
Hope this helps.