Effective Strategies for Recovering from an Office 365 Ransomware Attack

Data recovery and remediation are the most expensive and damaging aspects of a ransomware attack – and can rack up to an excess of $1million. Even after ransom payment, only 65% of data is restored. The most effective way to minimize the damage and recover from a Microsoft Office 365 ransomware attack is to restore your business-critical data ASAP. In this blog, we focus on that very aspect, with an overview of three native ways to recover your Microsoft Office 365 data from a ransomware attack – using the Recycle Bin/Preservation Hold, Retention/Archival policies, and Microsoft Advanced Threat Protection.

Microsoft offers some native options for Microsoft ransomware protection as detailed below.

#1 Recover From a Microsoft Office 365 Ransomware Attack Using Deleted Items and Recoverable Items / Preservation Hold Library

Recover using the Deleted Items and Recoverable Items

The first place you should look for your deleted or lost files is the Deleted Items or Recoverable Items folder. If you accidentally deleted a file or folder, it will likely be here. Customers may retrieve items from a mailbox after an accidental or intentional early deletion with single-item recovery and mailbox retention. Mail messages that have been deleted within 14 days by default can be reverted, but not beyond 30 days.

Watch how to recover deleted emails in Outlook using the Deleted Items and Recoverable Items folders.

Recover using the Preservation Hold Library

You can also check if any of your messages are being preserved in a Preservation Hold Library. This happens when an administrator puts a hold on mailboxes, sites, or public folders to preserve them for eDiscovery or litigation purposes. To check for Preservation Holds, follow these steps:

1. Navigate to Office 365 admin center > Admin centers > Exchange. Or go to Settings > View all Outlook settings > Mail > Retention policies.
2. Check under the Holds section for any active preservation holds. If there are any, click the name of the hold to open it and view more details.
3. Click View mailboxes to see which mailboxes are on hold and how many items are being held in each mailbox.
4. If you find what you’re looking for, you can copy the data to another location, and then delete the original mailbox or public folder.

#2 Recover Using Microsoft Office 365 Retention/Archival Policies

If you can’t find what you’re looking for in the Recycle Bin or Preservation Hold Library, your next step should be to check Microsoft Office 365’s retention/archival policies. These retention policies within the Exchange Online service allow for customized configurations that include:

• Configurable periods of retention to be applied (1yr/10yrs+)
• Copy-on-write protection
• The ability for the retention policy to be locked such that “immutability” can be achieved.

If you already have a Microsoft Office 365 Retention Policy in place, follow these steps to recover your Microsoft Office 365 data:

1. Navigate to the Office 365 admin center.
2. Click Admin centers > Exchange. Or go to Settings > View all Outlook settings > Mail > Retention tags and policies.
3. Check under the Retention tags and policies section for any active retention tags or policies. If there are any, click the name of the tag or policy to open it and view more details.
4. Click View mailboxes to see which mailboxes are being retained and how many items are being held in each mailbox.
5. If you find what you’re looking for, you can copy the data to another location, and then delete the original mailbox or public folder.

#3 Recover Microsoft Office 365 Data Using PowerShell

Watch how to recover deleted emails in Outlook using PowerShell

#4 Provisions in Microsoft Advanced Threat Protection or Microsoft Defender for Office 365

If you can’t find what you’re looking for in the Recycle Bin, Preservation Hold Library, or retention/archival policies, your next step should be to check Microsoft Office 365’s Advanced Threat Protection (ATP) or Microsoft Defender for Office 365. These features have various provisions that can help with data recovery. For example, ATP includes the ability to:

• Scan email traffic and attachments for malicious content
• Detect ransomware activity and other threats
• Create alerts and reports about malicious threats
• Prevent ransomware and other malicious files from being downloaded or sent.
• Advanced protection such as sandboxing is available in Microsoft Advanced Threat Protection or Microsoft Defender for Office 365, however, it is only available in premium plans.

For additional pointers on native Microsoft recovery, read this blog for best practices for Microsoft account recovery.

#5 Recover your Microsoft Office 365 Data with CloudAlly

Mitigate the risks of ransomware and ensure business continuity with CloudAlly Backup which comprehensively protects your Microsoft 365 data from loss with immutable, air-gapped, encrypted backups and unlimited point-in-time recovery. 

Watch how easy it is to recover Microsoft Office 365 data after a ransomware attack with CloudAlly.

• Immutable backups with Storage-lock: All of our backups are kept in Amazon S3 immutable storage. We also provide data backup with S3 Object Lock for sensitive data. This retains records in a non-rewritable and non-erasable format to meet stringent data regulations.
• Stringently Secure and Encrypted: Our backups are encrypted with the strongest AES-256-bit encryption available. Data is always secure via SSL (HTTPS) enabled servers. Our servers cannot be penetrated due to their impenetrable design, and they are constantly being updated with the most recent security measures. All end-user sessions utilizing the CloudAlly backup solution will use SSL for added protection
• Adheres to 3-2-1 Backup Best Practice: In accordance with the 3-2-1 rule, CloudAlly backs up your production copy on the SaaS platform with two additional copies—one on Amazon S3 and another Glacier.
• Compliant with HIPAA and GDPR:  Apart from that our solutions are equipped with application security best practices, such as Two Factor Authentication (2FA), Okta integration, OAuth permissioning, robust password protection, password and access key rotation, and vulnerability and patch management.
• Seamless, Quick Recovery: Recover from ransomware with 1-click unlimited data recovery from any point in time. 

Schedule a Demo now to see how you can mitigate the risk of ransomware and recover quickly from a Microsoft Office 365 ransomware attack with CloudAlly.