OneDrive vs. Ransomware (Updated)

Posted on February 1, 2017 by Paul Thurrott in OneDrive, Windows, Windows 10 with 43 Comments

Microsoft has responded to a reader query about OneDrive and its resiliency against ransomware.

Premium members may recall that Sprtfan asked last week—as part of our weekly “We Help Wednesday” episode of First Ring Daily—whether OneDrive offered any particular defense against ransomware:

Strategies to protect yourself from ransomware? I automatically back up everything to OneDrive but recently found out that ransomware could potentially encrypt my OneDrive folder also. Does the personal version of OneDrive have any way to recover from this if it happens?

Brad and I were unsure how OneDrive might be able to help with this issue, so I asked Microsoft for an official response. Last night, that response arrived.

“Yes, OneDrive has the capability to restore files affected by ransomware by using Version History or restoring from the Recycle Bin,” a Microsoft spokesperson told me via email.

Microsoft also provided the following related links:

Ransomware FAQs. On its Ransomware site at the Malware Protection Center, under the section “How do I get my files back?”, Microsoft explains how you can recover OneDrive-based files using Version History.

Delete or restore files and folders in OneDrive. This page on the Office Support website explains how you can restore deleted items using the OneDrive Recycle Bin.

Hopefully this helps.

UPDATE: Some have noted that Version History only works for Office files. I will ask Microsoft again.

UPDATE 2: Microsoft has responded with:

While Version History only works with Office files, OneDrive has the ability to restore both Office and non-Office files through the Recycle Bin if ransomware deleted the original file and re-uploaded it (often with a different name or file extension).

You can find more information here on how to restore your files.


46 responses to “OneDrive vs. Ransomware (Updated)”

  1. 951

    I think you can only restore one file at a time in OneDrive with file history. Imagine having to restore entire directories one file at a time...

  2. 8840

    I experienced ransomware on a family member's PC. OneDrive did not save me. The maliciously encrypted files dutifully sync'd up to OneDrive offering me no resolution.

    Version History only applies to Office documents saved to OneDrive folders.

    Recycle Bin as a strategy for overcoming ransomware doesn't make sense. The folder and files would need to have been deleted before the ransomware encryption took place. In the normal course of your workflow, why would you delete a OneDrive folder that holds active files and documents?

    In my experience, nothing beats a continuous backup that includes versioning. And that backup optimally should be located offsite or in the cloud.

  3. 10476

    I've asked the question about OneDrive and ransomware in the Microsoft Community and got useless answers. Not sure if anyone there understands how ransomware works and how sync could make things worse.

    The question I asked is if pausing sync would prevent ransomware from getting to OneDrive.  The idea is that by pausing sync, ransomware could encrypt my local files but my OneDrive files would still be intact.  How hard would it be for ransomware to turn on OneDrive sync?

    Paul, it would be good if you could ask about this vulnerability too.

  4. 2611

    From my experiment, an xlsx (Excel) file gets "Version history" in the OneDrive context menu. A .jpg that I made changes to does not have a version history.

    So now Paul can write a follow-up article: "Use OneDrive to protect from ransomware by embedding all your photos in a Word doc".

    • 1377

      In reply to ben55124:

      Would .PDF files get version history?

      Better still, create a Zip file and rename it with either .XLSX or .DOCX extensions (since those Office file formats are just Zipped XML). If OneDrive also versions those, that'd be best since you could open those files with any Zip archiver GUI making file management much simpler than embedding files using Word or Excel.

  5. 632

    OneDrive personal only offers versioning history for Office files. From the Microsoft ransomware link above, under the FAQ about "How do I protect myself against ransomware?":

    "After you've removed the ransomware infection from your computer, you can restore previous, unencrypted versions of your Office files using "version history"."

  6. 7124

    I definitely need a version history on my Photoshop files, if there was a ransomware attack. That's my bread and butter.

  7. 766

    What would be nice, and I am sure they have thought about this, is if OneDrive actually scanned your files for viruses and such on the server side of things for you. It would be one more reason to use it. My Synology box has anti-virus scanning built right into it. And yes, it does work! Really it would be no different than scanning incoming email like O365 does for hosted email.

    • 4838

      In reply to creugea7:

      The problem with ransomware (at least some/most types) is that the file being uploaded may not be infected at all with the actual virus, it will just be encrypted, not really that much different than if you encrypted a file yourself to be protected.  There isn't a whole lot that can be done to protect against that.  

      • 5038

        In reply to Ajay213:

        I would think this could have a simple solution - if some process is trying to drastically modify a large group of files, as ransomware does, put up a warning dialog before allowing it to continue. Yeah there would be false positives, but surely it would be possible to distinguish the actions of ransomware which is completely scrambling all the bits of files, from other legit actions.

    • 442

      In reply to creugea7:

      Oh my.  You misunderstand the issue here.  The malware may not reside on the OneDrive folder at all and still will encrypt the files contained within the OneDrive folders.  Even if it did get "onto" the OneDrive folders, do you expect the Antivirus to catch it on day zero?  That's assuming a lot.  OneDrive is not the processor and does not "run" anything of yours on it.  Your computer is the processor and is where malware will run.

    • 1377

      In reply to creugea7:

      . . . OneDrive actually scanned your files for viruses and such on the server side . . .

      Only if it's configurable.

      One headache I had to deal with for way too long several years back was the antivirus at work constantly putting a couple batch files in quarantine because those batch files (.CMD) had for loops which called other batch files (.BAT), and the AV software was convinced only malware would use that. Took the better part of a year to convince the IT powers that be to get an exception since ALL AV settings were locked for all users outside IT.

  8. 427

    Version History is exactly why I pay for Dropbox and also use OneDrive. I have been told they are working on version history for other files, but it's not there yet. I have a feeling they really just turn it on in the Office docs per file and aren't really doing any real versioning behind the scenes. Versioning would take up more space for sure, but probably not much. It's just diffs that need to be stored. I don't know, maybe they would say it's a "hard computer science problem". I think the real answer is this isn't a product that generates revenue and they pay one or two people to actually maintain it.

  9. 8182

    So if you have thousands of files it's going to take a while to manually revert them all to a previous version or restore from recycle bin... That's not a viable solution in such a situation. And besides, what happens once ransomware becomes smart enough to operate directly on your OneDrive in the cloud and remove your previous versions?

    You'd think Windows Defender could apply some heuristics that could detect that a bunch of files were being encrypted and renamed and then stop the process?

    Also, I've seen examples where version history did not contain a usable copy, rendering the file unrecoverable from OneDrive.

    I even read in Microsoft's own recommendation that they recommend you copy files to a USB drive and not have it attached to your PC... not really optimal, imho.

    We need a mechanism which will let us go back to a certain point in time and then have OneDrive automatically revert back to the versions of all files in OneDrive that were stored at that point. Or we need a true cloud based client backup solution... 3rd party solutions exist, but come on Microsoft! And we need Windows Defender to be able to catch if and when ransomware starts doing its work and prohibit it from continuing. That's my opinion.
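The heuristic several commenters ask for above (flag a process that rewrites many files into random-looking data within a short time) can be sketched as follows. This is an added example, not part of the original post or comments and not a description of how Windows Defender or OneDrive work; the event tuple layout, the thresholds and the `.locked` extension are constructed for illustration.

```python
import hashlib
import math
from collections import Counter, defaultdict, deque

# Leading magic bytes for a few already-compressed formats (small illustrative subset).
MAGIC = {".jpg": b"\xff\xd8\xff", ".png": b"\x89PNG", ".pdf": b"%PDF",
         ".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04", ".zip": b"PK\x03\x04"}

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; values near 8.0 look like random data."""
    n = len(data) or 1
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def suspicious(old_path, new_path, data, threshold=7.5):
    """Random-looking content that lost its type header, or was renamed on write."""
    magic = MAGIC.get("." + old_path.rsplit(".", 1)[-1].lower())
    header_lost = magic is None or not data.startswith(magic)
    return entropy(data) >= threshold and (header_lost or new_path != old_path)

def detect(events, window=10.0, min_files=5):
    """events: (timestamp, pid, old_path, new_path, written_bytes).
    Returns pids with >= min_files distinct suspicious rewrites inside `window` seconds."""
    recent = defaultdict(deque)  # pid -> (timestamp, old_path) of suspicious writes
    flagged = set()
    for ts, pid, old, new, data in sorted(events, key=lambda e: e[0]):
        if not suspicious(old, new, data):
            continue
        q = recent[pid]
        q.append((ts, old))
        while ts - q[0][0] > window:  # drop writes that fell out of the window
            q.popleft()
        if len({path for _, path in q}) >= min_files:
            flagged.add(pid)
    return flagged

def pseudo_random(seed, size=4096):
    """Deterministic stand-in for ciphertext (SHA-256 over a counter)."""
    return b"".join(hashlib.sha256(f"{seed}:{i}".encode()).digest() for i in range(size // 32))

def sample_events():
    """Constructed events: pid 100 saves valid JPEGs, pid 200 scrambles and renames documents."""
    events = [(i * 1.0, 100, f"pic{i}.jpg", f"pic{i}.jpg", b"\xff\xd8\xff\xe0" + pseudo_random(i))
              for i in range(8)]
    events += [(i * 0.5, 200, f"doc{i}.docx", f"doc{i}.docx.locked", pseudo_random(100 + i))
               for i in range(8)]
    return events

if __name__ == "__main__":
    print(detect(sample_events()))
```

Entropy alone would flag the photo editor too, since JPEG and Office files are already compressed; the header check and the burst threshold are what keep that false positive out.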

    • 2130

      In reply to allanwith: "And besides, what happens once ransomware becomes smart enough to operate directly on your OneDrive in the cloud and remove your previous versions?"

      That's virtually impossible if you've set up TFA on your Microsoft account. The local client only syncs files, it can't access the Recycle Bin, so the only way for it to delete that would be to access your online account. If it can do that, you've got far more problems than some encrypted files.

  10. 2532

    It could be nice if OneDrive had versioned files.

  11. 627

    Most ransomware deletes the original file and creates an encrypted copy. I suspect recovering from the Recycle Bin would be more reliable than version history. 

  12. 8658

    They need to do better in this respect. With customers this is such a big problem in OneDrive for business that we use IAMCloud Cloud Drive mapper as an alternative to the OneDrive Sync client for customers we move to the cloud. It also gives them a mapped drive experience from the desktop. This way as well there are no files synced to the filesystem for ransomware to grab. I really wish they had better detection for this. And by detection I don't mean another add on bundle SKU up sell to protect like Advanced threat protection on Office 365. It should be a basic feature of the service.

  13. 5234

    Version History doesn't work for folders.  If something/someone deletes a folder, you have to rely on it hopefully being still in the Bin.  I had a client who (somehow...) managed to delete everything from their OneDrive storage.  Everything (as far as they know) was still in the Bin, and they had to use the web interface to recover it.  

  14. 4800

    The FAQ says, "OneDrive creates a version of Microsoft Office files when you save or change the file as part of its security features."  So does it just do that for Office files or does it do it for everything?

    • 223

      In reply to lvthunder:

      From my experience, anytime you change a file - it creates a version. I recently restored some MP3 files that were inadvertently changed en masse and the process worked flawlessly.

      • 170

        In reply to vernonlvincent:

        I'm mostly worried about pictures and I don't see a Version History option. I did edit the photo in OneDrive first to make sure that there was an original version to go back to. I also have OneDrive for business and the photos I have on it have a Version History option.

  15. 131

    As good as this might be, I still recommend a secondary "pure" backup method as well. Personally, I use CrashPlan and direct my backups to a local disk and their cloud. I can't trust OneDrive to be my sole "backup" service, particularly with its horrid sync issues.

  16. 170

    Thanks for looking into this Paul.  I do back up my photos in multiple locations but all the locations are directly accessible through my main PC.  I have File History turned on and that looks to add another level of protection but from the link you provided some Ransomware will encrypt or delete the backup versions of your files even with File History enabled if the backup location is a network or local drive.  I used to have a WHS that I think would have protected me from this but no longer have it running.  

    It may sound overkill but I think I'll also back up my pictures to another computer and have File History enabled on it as well in addition to having my pictures on OneDrive and Google photos.

  17. 2481

    I think this is vague. 

    So if I am an Office 365 Home user or University subscription am I protected?

    • 170

      In reply to harmjr:

      The University one that I have offers Version History for all of the files I have uploaded.  I'm not sure if the Office 365 Home does though.  From what I can tell, it does not or at the very least is different.  Hopefully Paul will be able to answer this for us.

  18. 5664

    This is why I no longer use syncing and instead batch upload files I want to keep. 
