How to Recover from a SharePoint Ransomware Attack?

sharepoint ransomware recovery
Interactive Backup Product Tour

Effective SharePoint Ransomware Recovery Strategies

Nasdaq calls ransomware the “greatest business threat in 2022”. A SharePoint ransomware attack can be devastating for your business. Your data is held hostage with the looming threat of the ransom, damaging impact on your business continuity, and no way to decrypt the data. In this blog post, we will discuss SharePoint ransomware recovery and how to get your data back. This will include both native Microsoft 365 SharePoint Online ransomware recovery measures including via the Recycle Bin, versioning, and via Files Restore, and non-native ways to restore your data.

Can Ransomware Affect SharePoint Online?

SharePoint Online is a cloud-based service holding valuable data, making it all the more vulnerable to ransomware attacks. SharePoint Online ransomware operates by changing individual files on a user’s local machine by way of a OneDrive for Business connection or a mapped drive into a SharePoint Online library. After that, the ransomware is downloaded and installed on your system, and the modified files are synchronized to the internet using the sync client tool or by various Web DAV methods. Some modifications include encrypting the Public/Private key, adding an unknown extension to the filename, and removing or altering existing files. Finally, new files are added to each directory with instructions regarding the ransom payment.

Some recent instances of SharePoint ransomware include a popular ransomware phishing campaign that was wrapping itself in a Microsoft Office SharePoint theme and evading security email filters (SEGs). WickrMe, another ransomware, used a Microsoft SharePoint 2019 vulnerability to sneak into a victim’s network and cause remote code execution. Regular patching of SharePoint instances to avoid ransomware installations does help. However, the attackers are leveling up their phishing campaigns and creating sites that cleverly mimic legitimate sites.

How To Recover Your SharePoint Data from Ransomware?

Using Native Methods

First, immediately stop OneDrive for Business Sync or disconnect the mapped drive to the SharePoint library. Then proceed to attempt to restore files. SharePoint Online offers some built-in capabilities for ransomware recovery.

#1 Native SharePoint Ransomware Recovery: Using the Recycle Bin

Items deleted from SharePoint Online are stored in the Recycle Bin for 30 days by default. Items in the Recycle Bin can be restored by anyone with appropriate permissions. To access the SharePoint Online Recycle Bin, click the gear icon in the upper-right corner of SharePoint, and then select Site Contents. On the Site Contents page, under Subsites, click Recycle Bin. Watch the video below for the steps.

How to Recover SharePoint Data using the Recycle Bin

#2 Native SharePoint Ransomware Recovery: Versioning

Another helpful SharePoint ransomware recovery method is versioning. SharePoint Online automatically keeps a version history of every file that is stored in a SharePoint document library. This means that you can restore an older version of a file if it has been modified or deleted by ransomware. Watch the video below for the instructions.

How to Recover SharePoint Data using Versioning

#3 Native SharePoint Ransomware Recovery: Via Files Restore

Recover data from any point in time during the previous 30 days with this self-service solution for SharePoint and OneDrive.

  • Go to the SharePoint document library you want to restore. Select Settings => Restore this library.

  • Then select a date from which you wish to recover the library from, using the dropdownsharepoint ransomware restore

  • You can also review the activities that you want to undo using the activity feed. Select Restore to undo all the activities you selected.

Questions about ransomware protection for Microsoft Office 365? Read this blog for pointers on Microsoft ransomware protection.

Limitations of Native SharePoint Ransomware Recovery

  1. Recovery with native options can restore data only for up to 90 days. The time taken to detect a breach can vary from weeks to months, particularly with the newer types of ransomware.
  2. If version history is turned off, you won’t be able to restore files to a previous version.
  3. Native methods of recovery, such as archiving or retention, are time-consuming and can result in a compromised Recovery Point Objective (RPO) and Recovery Time Objective (RTO), which are critical elements when determining business continuity and reduced downtime.
  4. If users or admins delete the data, it will override the retention policy and will be removed from Microsoft 365 applications.
  5. The storage costs of retention can be significant crossing the 11TB limit of Microsoft 365. The expenses can mount quickly if you intend to utilize retention rules as a backup for a period of three years. Even while incurring license upgrade fees to the most costly Enterprise plan, you’ll have to spend more money on storage if you want to use retention policies

How Can You Recover Your SharePoint Data from Ransomware? Using Backup and Recovery

The best way to protect your SharePoint Online data is to have a robust backup and recovery plan in place before an attack occurs.

Backups are critical in ransomware recovery and response; if you are infected, a backup may be the best way to recover your critical data.

Cybersecurity and Infrastructure Security Agency (CISA)

Downtime is the most harmful consequence of a ransomware assault, and limiting it can significantly cut down on the risk and expense. Continual restoration reduces the impact of a ransomware attack by rendering it less effective if you can recover all of your data. The U.S. government’s Cybersecurity and Infrastructure Security Agency (CISA) strongly advises backup to rapidly restore a non-encrypted version of data allowing you to recover quickly from ransomware and minimize its damage. It also advises that backups be stored on the cloud rather than on-premises backup, specifically because backup storage is abstracted from the infrastructure being attacked in accordance with the 3-2-1 backup best practice for ransomware recovery.

CloudAlly’s pioneering and top-rated comprehensive SharePoint/OneDrive Backup secures your SharePoint and OneDrive data on immutable and encrypted AWS S3 storage with unlimited retention to recovery quickly from any point-in-time. Watch how DMSiTech one of Canada’s 50 Best Managed IT companies used CloudAlly SharePoint Backup to recover seamlessly from ransomware.

Start a free trial (zero commitments, zero payment details, zero setup)

Try a hands-on Interactive Product Tour

Right Here and Right Now!

Start a Free 14-day Backup Trial

Get Start
AWS Backup | Full Account Recovery | Pay-as-you-go

Most Popular Articles

Thought Leader Podcasts

Get Insights from the leading IT influencers

Try our Interactive Product Tour

Right Here. Right Now

Book a 1-1
M365 Backup Demo
AWS Backup | Full Account Recovery | Pay-as-you-go