Provide Ransomware detection and recovery
We are seeing an increase in this cases of cryptowall and ramsonware, were users see their computers infected with this virus.
The virus will encrypt all user files (jpg, pdf, xlsx,docx, etc.) except system files.
It would be very helpful, to have the option to have OneDrive files restored to a previous date, even if that option was only available at a OneDrive Support level.
If this option is not possible, due to server space to store all info in duplicated, it would be easier from the technical side to block .ccc, .micro, and other known file extensions in OneDrive.
This would preserve the integrity of the user's files stored in OneDrive and add an extra layer of user's files stored in OneDrive.
Thanks,
Alex

Big update — Today we’re rolling out ransomware detection & recovery for Office 365 Home & Personal subscribers. We can now detect ransomware attacks and help you restore your OneDrive to a state before files were compromised. If an attack is detected, you will be alerted through an email, mobile, or desktop notification and guided through a recovery process where you’ll be able to restore your files to the state they were in before they were compromised.
To enable the recovery process, we’re bringing over the Files Restore feature from OneDrive for Business to your personal OneDrive account. Files Restore allows you to restore your entire OneDrive to a previous point in time within the last 30 days. In addition to helping recover from an attack, Files Restore helps with an accidental mass delete, file corruption, or other catastrophic event.
For more information, check out our blog post here — https://blogs.office.com/en-us/2018/04/05/defend-yourself-from-cybercrime-with-new-office-365-capabilities/
71 comments
-
Anonymous commented
Perhaps you should stop thinking about it and do something. My company just got hacked and Super MIcrosoft can't recover our files from One Drive.
Perhaps you should employ the scumbags who spend their time destroying other people's hard work. They seem smarter than you! -
Sunshine commented
Ransomware is really hard to deal with once infected. It will encrypt your important files and extort lots of money if you want the files back. See the following guide to learn how to restore your encrypted files and how to remove the ransomware
http://www.trymytools.com/how-to-remove-spora-ransomware-and-recover-encrypted-files/
https://www.bleepingcomputer.com/virus-removal/threat/ransomware/ -
Jens Skov commented
I have been told that support is able to do a restore of files to an earlier point in time, in case of ransomware infection.
-
marya jacklon commented
Remove Trojan.Kotver!gm2 Completely From PC
Name – Trojan.kotver!gm2
Type – Trojan
Risk – High
Infection – Severe
Threat Length – Varies
Global Distribution – World Wide
Detection – Difficult
System Infected – Windows XP, Vista, 7, 8, 8.1 and the latest Windows 10
Removal – Easy Through Malware Removal Tool
Trojan.kotver!gm2 has been found as a very harmful and noxious computer virus. It belongs to the famous and pernicious Trojan family. It has been reported as a very intrusive and destructive virus infection which is capable to infect all Windows based Operating Systems. Once getting into your machine, this perilous virus infection will firstly disable your anti-virus and firewall programs to avoid its detection or removal. if you want to remove Trojan.kotver!gm2 Virus from PC then read this guide:- http://www.howtoremovepcvirus.com/remove-trojan-kotvergm2-completely-pc-easy-removal-guide -
Esteban Herrera Pérez commented
Does Microsoft backup the Onedrive user´s folders in order to have recovery points in case of being victim of virus attacks? Last wednesday I iwas attacked by Merry Christmas ransomware, through asking download a new font to make readable documents in web site www.ceret.cl. Due to the attack, most of my files in Onedrive are now encrypted. I need to recover mainly my images folder, because it had last 3 years of my familie`s pictures.
-
Anonymous commented
In case of hijack all files which are being synced will be encrypted and useless. It would be a MAJOR improvement when Microsoft can perform a restore of all files and folders from an integral backup, made by Microsoft. Ideally the user should have the choice to restore to the files of yesterday, the day before yesterday, a week ago, a month ago. Please Microsoft add this service to Onedrive.
-
Jason commented
Yes please do this!
-
Anonymous commented
This should have been acted upon immediately. The entire reason one uses the security of a cloud bases server is to protect their files. I have lost years of work (thesis) by stupidly thinking that by investing in one-drive my work would be safe from these type of threats. What was the point? Microsoft should have know better and be prepared for this type of attack on their system.
-
Lisa Jeffery commented
I have a ransomware, and my onedrive files are crypted. Is there a rollback? Can it be fixed?| Thanks, Lisa
-
Craig Turnbull commented
We wont be moving any further customers to OneDrive for Business until this major hole in the product is filled. A 22,000 file limit and no way to restore an entire folder to a previous version. In the event of ransomware are we expected to sit and restore every one of those files individually?
OneDrive just isn't worth the risk of that.
-
Anonymous commented
I just had a CERBER3 attack on my PC and to my dismay even my OneDrive files were encrypted and made unusable.
It was very disappointing to learn there was no security check at Microsoft level to prevent my cloud version from being infected and no way to restore my files. If only Microsoft had run a scan and stopped that life would have been so much easier.
-
George Timchal commented
My computer was attacked by the CERBER ransomware. I agree with others, there should have been a layer of protection in O365 or at least the ability to restore previous versions of files.
-
aidan o driscoll commented
Clients recently attacked by Locky variation called ZEPTO. With respect to ONEDRIVE i have always been of the opinion that their should be a way of password protecting ( or something similar ) the access to ONEDRIVE in Windows Explorer. And also that this is timed.
Note I said an option to do this. Up to user after that. In the Onedrive Android app you can add a PIN CODE to the app. Helps as an extra layer of security if you lose your phone.
Problem at the moment is if your PC gets attacked by ransomware it will encrypt everything, all your data INCLUDING crossing over to the totally open access to your Onedrive folders. Same goes for any network shares.
Sod this belief that ONEDRIVE has to be a seamless part of your PCs storage .. I think many woould be delighted if ONEDRIVE was where you could go to restore AFTER you got encrypted
-
Ed ONeill commented
Extended backup support of this type is a monetizable feature. Just like insurance, I would pay for this capability as a "premium" option.
-
Jonathan Orroi commented
Do a search on the Internet and you will find powershell scripts to revert back to a previous version for all your files. Ask an admin for help if needed. An option for it in the interface and detection of a suspicious pattern with a popup to suggest the rollback would be great.
-
SoBayCal commented
When ransomware locks up all your files on your desktop computer it recognizes the OneDrive and locks up all those files as well. OneDrive then immediately starts to sync the ransomware files to the cloud and all of your other computers and devices.
All of your files are lost on your desktop.
You can restore online OneDrive files one by one by following a procedure to restore the file to a previous version. But if you have hundreds or thousands of files it will take hours or days to clear your files of the RansomWare.
It's 2016 Microsoft - your systems can recognize a RansomWare infection spreading from the desktop to our online files (all the users files start to sync at once that's not a red flag!?!?! Hundreds of files all of sudden syncing is not a red flag that ransomware or another virus has occurred??).
Come on Microsoft please help your users. RansomWare is here but you can help us prevent the terrible nightmare of losing all of our files.
-
Out the back commented
Two points: Crypto may encrypt your files using any extension or multiple extensions .locky2 *.cryp3
Crypto ransomware may also choose to encrypt you system files and only allow your system drive to boot after paying to unlock your boot drive.The first thing crypto ransomware does is it trys to delete the shadow copies, the backups would be the next hotspot to be removed. If the user can clear OneDrive copies then ransomware will unfortunately do that too. Preventing privilege escalation to stop the deletion of VSS and server backups is the clear responsibility of domain admins.
As you know Locky scrambles all files that match a long list of extensions, including videos, images, source code, and Office files.'Locky does not have use a single *.locky extension.
Locky even scrambles wallet.dat, your Bitcoin wallet file, if you have one.
In other words, if you have more BTCs in your wallet than the cost of the ransom, and no backup, you are very likely to pay up. (And you’ll already know how to buy new bitcoins, and how to pay with them.)
I think behaviour monitoring is a successful method of stopping ransomware..the a/v needs to watch for suspicious encryption of files and or deletion of VSS and backups.
-
[Deleted User] commented
Onedrive administrator interface must have a tweak to accept or not some extensions. And, if a cryptolock pass through, an option to make a RESTORE ALL from a past date.
-
Jason commented
I agree with this whole heartedly. Crypto locker is a constant problem for businesses. Microsoft needs to tackle this from both approaches. They need to make it easier to do mass restores when a user's content has been impacted. And they should use their cloud intelligence features to learn the behavior types to recognize when a user's client is starting to do mass file updates to prevent the uploads to the cloud. That would preserve the cloud as a clean source to restore after the local device has been cleaned.
-
Anonymous commented
Hey *******.This setup caused everyone to be using my account under Jake Davila Network Service.Not the same as Onedrive. I am a Micsoft Owner and Admin. I tired of the errors you have setup so u look important. Even SNAKE210Tx@outlook.com is on Azure.