OneDrive vs. Ransomware (Updated)

Microsoft has responded to a reader query about OneDrive and its resiliency against ransomware.

Premium members may recall that Sprtfan asked last week—as part of our weekly “We Help Wednesday” episode of First Ring Daily—whether OneDrive offered any particular defense against ransomware:

Strategies to protect yourself from ransomware? I automatically back up everything to OneDrive but recently found out that ransomware could potentially encrypt my OneDrive folder also. Does the personal version of OneDrive have any way to recover from this if it happens?

Brad and I were unsure how OneDrive might be able to help with this issue, so I asked Microsoft for an official response. Last night, that response arrived.

“Yes, OneDrive has the capability to restore files affected by ransomware by using Version History or restoring from the Recycle Bin,” a Microsoft spokesperson told me via email.

Microsoft also provided the following related links:

Ransomware FAQs. On its Ransomware site at the Malware Protection Center, under the section “How do I get my files back?”, Microsoft explains how you can recover OneDrive-based files using Version History.

Delete or restore files and folders in OneDrive. This page on the Office Support website explains how you can restore deleted items using the OneDrive Recycle Bin.

Hopefully this helps.

UPDATE: Some have noted that Version History only works for Office files. I will ask Microsoft again.

UPDATE 2: Microsoft has responded with:

While Version History only works with Office files, OneDrive has the ability to restore both Office and non-Office files through the Recycle Bin if ransomware deleted the original file and re-uploaded it (often with a different name or file extension).

You can find more information here on how to restore your files.

Conversation 46 comments

  • 766

    01 February, 2017 - 10:19 am

    <p>What would be nice, and I am sure they have thought about this, is if OneDrive actually scanned your files for viruses and such on the server side of things for you. It would be one more reason to use it. My Synology box has anti-virus scanning built right into it. And yes, it does work! Really it would be no different than scanning incoming email like O365 does for hosted email.</p>

    • 4838

      Premium Member
      01 February, 2017 - 11:31 am

      <blockquote><em><a href="#39885">In reply to </a><a href="../../../../users/creugea7">creugea7</a><a href="#39885">:</a></em></blockquote>
      <p>The problem with ransomware (at least some/most types) is that the file being uploaded may not be infected at all with the actual virus, it will just be encrypted, not really that much different than if you encrypted a file yourself to be protected. &nbsp;There isn’t a whole lot that can be done to protect against that. &nbsp;</p>

      • 5038

        01 February, 2017 - 2:11 pm

        <blockquote><em><a href="#40028">In reply to </a><a href="../../../../users/Ajay213">Ajay213</a><a href="#40028">:</a></em></blockquote>
        <p>I would think this could have a simple solution – if some process is trying to drastically modify a large group of files, as ransomware does, put up a warning dialog before allowing it to continue. &nbsp;Yeah there would be false positives, but surely it would be possible to distinguish the actions of ransomware which is completely scrambling all the bits of files, from other legit actions. &nbsp;</p>

    • 1377

      Premium Member
      01 February, 2017 - 12:43 pm

      <p><em><a href="#39885">In reply to </a><a href="../../../../users/creugea7">creugea7</a><a href="#39885">:</a></em></p>
      <blockquote><em>. . .&nbsp;OneDrive actually scanned your files for viruses and such on the server side . . .</em></blockquote>
      <p>Only if it’s configurable.</p>
      <p>One headache I had to deal with for way too long several years back was the antivirus at work constantly putting a couple batch files in quarantine because those batch files (.CMD) had for loops which called other batch files (.BAT), and the AV software was convinced only malware would use that. Took the better part of a year to convince the IT powers that be to get an exception since ALL AV settings were locked for all users outside IT.</p>

    • 442

      01 February, 2017 - 3:56 pm

      <blockquote><em><a href="#39885">In reply to </a><a href="../../../../users/creugea7">creugea7</a><a href="#39885">:</a></em></blockquote>
      <p>Oh my.&nbsp; You misunderstand the issue here.&nbsp; The malware may not reside on the OneDrive folder at all and still will encrypt the files contained within the OneDrive folders.&nbsp; Even if it did get "onto" the OneDrive folders, do you expect the Antivirus to catch it on day zero?&nbsp; That’s assuming a lot.&nbsp; OneDrive is not the processor and does not "run" anything of yours on it.&nbsp; Your computer is the processor and is where malware will run.</p>

  • 4800

    Premium Member
    01 February, 2017 - 10:23 am

    <p>The FAQ says, "OneDrive creates a version of Microsoft Office files when you save or change the file as part of its security features."&nbsp; So does it just do that for Office files or does it do it for everything?</p>

    • 223

      Premium Member
      01 February, 2017 - 10:24 am

      <blockquote><em><a href="#39894">In reply to </a><a href="../../../../users/lvthunder">lvthunder</a><a href="#39894">:</a></em></blockquote>
      <p>From my experience, anytime you change a file – it creates a version. I recently restored some MP3 files that were inadvertently changed en masse and the process worked flawlessly.</p>

      • 170

        01 February, 2017 - 12:09 pm

        <blockquote><em><a href="#39903">In reply to </a><a href="../../../../users/vernonlvincent">vernonlvincent</a><a href="#39903">:</a></em></blockquote>
        <p>I’m mostly worried about pictures and I don’t see a&nbsp;Version History option. &nbsp;I did edit the photo in OneDrive first to make sure that there was an original version to go back to. &nbsp;I also have OneDrive for business and the photos I have on it have a Version History option. &nbsp;</p>

  • 2481

    Premium Member
    01 February, 2017 - 11:36 am

    <p>I think this is vague.&nbsp;</p>
    <p>So if I am a Office 365 Home user or University subscription am I protected?</p>

    • 170

      01 February, 2017 - 12:21 pm

      <blockquote><em><a href="#40035">In reply to </a><a href="../../../../users/harmjr">harmjr</a><a href="#40035">:</a></em></blockquote>
      <p>The University one that I have offers Version History for all of the files I have uploaded. &nbsp;I’m not sure if the Office 365 Home does though. &nbsp;From what I can tell, it does not or at the very least is different. &nbsp;Hopefully Paul will be able to answer this for us.</p>

  • 131

    Premium Member
    01 February, 2017 - 11:37 am

    <p>As good as this might be, I still recommend a secondary "pure" backup method as well. &nbsp;Personally, I use CrashPlan and direct my backups to a local disk and their cloud. &nbsp;I can’t trust OneDrive to be my sole "backup" service, particularly with its horrid sync issues.</p>

    • 461

      01 February, 2017 - 12:12 pm

      <blockquote><em><a href="#40036">In reply to </a><a href="../../../../users/wbhite">wbhite</a><a href="#40036">:</a></em></blockquote>
      <p>Highly recommend CrashPlan as well as an on-site backup.</p>

    • 5234

      01 February, 2017 - 12:37 pm

      <blockquote><em><a href="#40036">In reply to </a><a href="../../../../users/wbhite">wbhite</a><a href="#40036">:</a></em></blockquote>
      <p>If you use File History on Windows 10, it backs up your OneDrive sync folder by default.</p>

      • 170

        01 February, 2017 - 1:17 pm

        <blockquote><em><a href="#40121">In reply to </a><a href="../../../../users/Waethorn">Waethorn</a><a href="#40121">:</a></em></blockquote>
        <p>Some Ransomware will delete or encrypt your File History and backups in Windows. &nbsp;</p>

        • 5038

          01 February, 2017 - 2:05 pm

          <blockquote><em><a href="#40180">In reply to </a><a href="../../../../users/Sprtfan">Sprtfan</a><a href="#40180">:</a></em></blockquote>
          <p>Running as&nbsp;a standard user, not admin, will protect from that. &nbsp;Admin rights are needed to modify file history backups. &nbsp; &nbsp;</p>

    • 9215

      01 February, 2017 - 2:00 pm

      <blockquote><em><a href="#40036">In reply to </a><a href="../../../../users/wbhite">wbhite</a><a href="#40036">:</a></em></blockquote>
      <p>+1 Especially the part about "horrid sync issues". I heave a collective sigh anytime I use anything that accesses (or is related to) OneDrive – like my OneNote notebooks.&nbsp;</p>
      <p>While I recently dropped my Evernote subscription – the responsiveness of the mobile app was what using a mobile notebook should be. That Microsoft’s infrastructure is so sad – is a surprise.</p>
      <p>B</p>

  • 170

    01 February, 2017 - 12:19 pm

    <p>Thanks for looking into this Paul. &nbsp;I do back up my photos in multiple locations but all the locations are directly accessible through my main PC. &nbsp;I have File History turned on and that looks to add another level of protection but from the link you provided some Ransomware will encrypt or delete the backup versions of your files even&nbsp;with File History enabled if the backup location&nbsp;is a network or local drive. &nbsp;I used to have a WHS that I think would have protected me from this but no longer have it running. &nbsp;</p>
    <p>It may sound overkill but I think I’ll also back up my pictures to another computer and have File History enabled on it as well in addition to having my pictures on OneDrive and Google photos. &nbsp;</p>

  • 951

    Premium Member
    01 February, 2017 - 12:25 pm

    <p>I think you can only restore one file at a time in OneDrive with file history. Imagine having to restore entire directories one file at a time…</p>

  • 5234

    01 February, 2017 - 12:36 pm

    <p>Version History doesn’t work for folders. &nbsp;If something/someone deletes a folder, you have to rely on it hopefully being still in the Bin. &nbsp;I had a client who (somehow…) managed to delete everything from their OneDrive storage. &nbsp;Everything (as far as they know) was still in the Bin, and they had to use the web interface to recover it. &nbsp;</p>

    • 442

      01 February, 2017 - 3:57 pm

      <blockquote><em><a href="#40120">In reply to </a><a href="../../../../users/Waethorn">Waethorn</a><a href="#40120">:</a></em></blockquote>
      <p>Funny, history for folders works for me…</p>

  • 8840

    01 February, 2017 - 12:38 pm

    <p>I experienced ransomware on a family member’s PC. OneDrive did not save me. The maliciously encrypted files dutifully sync’d up to OneDrive offering me no resolution.</p>
    <p>Version History only applies to Office documents saved to OneDrive folders.</p>
    <p>Recycle Bin as a strategy for overcoming ransomware doesn’t make sense. The folder and files would need to have been deleted before the ransomware encryption took place. In the normal course of your workflow, why would you delete a OneDrive folder that holds active files and documents?</p>
    <p>In my experience, nothing beats a continuous backup that includes versioning. And that backup optimally should be located offsite or in the cloud.</p>

    • 2130

      01 February, 2017 - 7:38 pm

      <blockquote><em><a href="#40122">In reply to </a><a href="../../../../users/the_risner">the_risner</a><a href="#40122">:</a></em></blockquote>
      <p>That’s the way recycle bin works on a local computer. On OneDrive, if you upload a new version of a file, it doesn’t overwrite it, instead it moves that file to the OneDrive recycle bin and then uploads the new file. </p>

      • 8840

        02 February, 2017 - 1:00 pm

        <blockquote><em><a href="#40386">In reply to </a><a href="../../../../users/Tallin">Tallin</a><a href="#40386">:</a></em></blockquote>
        <p>That’s really good to know. Thanks for the tip!</p>

  • 632

    Premium Member
    01 February, 2017 - 1:39 pm

    <p>OneDrive personal only offers versioning history for Office files. From the Microsoft ransomware link above, under the FAQ about "How do I protect myself against ransomware?":</p>
    <p>"After you’ve removed the ransomware infection from your computer, you can restore previous, unencrypted versions of your Office files using "version history"."</p>

  • 7124

    01 February, 2017 - 2:04 pm

    <p>I definitely need a version history on&nbsp;my Photoshop files, if there was a ransomware attack. That’s my bread and butter.</p>

  • 5664

    Premium Member
    01 February, 2017 - 2:40 pm

    <p>This is why I no longer use syncing and instead batch upload files I want to keep.&nbsp;</p>

  • 10476

    01 February, 2017 - 3:11 pm

    <p>I’ve asked the question about OneDrive and ransomware in the Microsoft Community and got useless answers. Not sure if anyone there understands how ransomware works and how sync could make things worse.</p>
    <p>The question I asked is if pausing sync would prevent ransomware from getting to OneDrive.&nbsp; The idea is that by pausing sync, ransomware could encrypt my local files but my OneDrive files would still be intact.&nbsp; How hard would it be for ransomware to turn on OneDrive sync?</p>
    <p>Paul, it would be good if you could ask about this vulnerability too.</p>

  • 2611

    Premium Member
    01 February, 2017 - 3:11 pm

    <p>From my experiment, an xlsx (Excel) file gets "Version history" in the OneDrive context menu.&nbsp; A .jpg that I made changes to does not have a version history.</p>
    <p>So now Paul can write a follow-up article: "Use OneDrive to protect from ransomware by embedding all your photos in a Word doc".</p>

    • 1377

      Premium Member
      01 February, 2017 - 3:46 pm

      <p><em><a href="#40264">In reply to </a><a href="../../../../users/ben55124">ben55124</a><a href="#40264">:</a></em></p>
      <p>Would .PDF files get version history?</p>
      <p>Better still, create a Zip file and rename it with either .XLSX or .DOCX extensions (since those Office file formats are just Zipped XML). If OneDrive also versions those, that’d be best since you could open those files with any Zip archiver GUI making file management much simpler than embedding files using Word or Excel.</p>

  • 627

    Premium Member
    01 February, 2017 - 3:24 pm

    <p>Most ransomware deletes the original file and creates an encrypted copy. I suspect recovering from the Recycle Bin would be more reliable than version history.&nbsp;</p>

    • 1377

      Premium Member
      01 February, 2017 - 3:49 pm

      <p><em><a href="#40266">In reply to </a><a href="../../../../users/OwenM">OwenM</a><a href="#40266">:</a></em></p>
      <p>Maybe unsophisticated ransomware moves original files to the recycle bin, but I figure more sophisticated ransomware performs a true delete, maybe overwriting the original in place with random bytes before truly deleting it. I wouldn’t count on the recycle bin for backup.</p>

    • 442

      01 February, 2017 - 4:02 pm

      <blockquote><em><a href="#40266">In reply to </a><a href="../../../../users/OwenM">OwenM</a><a href="#40266">:</a></em></blockquote>
      <p>Unfortunately it deletes permanently keeping it out of the recycle bin.</p>

    • 627

      Premium Member
      01 February, 2017 - 4:30 pm

      <blockquote><em><a href="#40266">In reply to </a><a href="../../../../users/OwenM">OwenM</a><a href="#40266">:</a></em></blockquote>
      <p>I am referring to the Recycle Bin feature in OneDrive, not Windows. It keeps a copy of everything that has synced, even if you completely delete it.</p>

  • 427

    01 February, 2017 - 5:02 pm

    <p>Version History is exactly why I pay for DropBox and also use OneDrive.&nbsp; I have been told they are working on version history for other files, but it’s not there yet.&nbsp; I have a feeling they really just turn it on in the Office docs per file and aren’t really doing any real versioning behind the scenes.&nbsp; Versioning would take up more space for sure, but probably not much.&nbsp; It’s just diffs that need to be stored. I don’t know, maybe they would say it’s a "hard computer science problem"&nbsp; I think the real answer is this isn’t a product that generates revenue and they pay one or two people to actually maintain it.</p>

    • 1753

      Premium Member
      02 February, 2017 - 2:08 am

      <blockquote><em><a href="#40329">In reply to </a><a href="../../../../users/awright18">awright18</a><a href="#40329">:</a></em></blockquote>
      <p>I use OneDrive, but I also back everything up on Carbonite. Well, I also do a weekly copy to a NAS and a copy to an external drive.</p>

  • 8182

    01 February, 2017 - 5:24 pm

    <p>So if you have thousands of files it’s going to take a while to manually revert them all to a previous version or restore from recycle bin… That’s not a viable solution in such a situation. And besides, what happens once ransomware becomes smart enough to operate directly on your OneDrive in the cloud and remove your previous versions?</p>
    <p>You’d think Windows Defender could apply some heuristics that could detect that a bunch of files were being encrypted and renamed and then stop the process?</p>
    <p>Also, I’ve seen examples where version history did not contain a usable copy, rendering the file unrecoverable from OneDrive.</p>
    <p>I even read in Microsoft’s own recommendation that they recommend you copy files to a USB drive and not have it attached to your PC… not really optimal, imho.</p>
    <p>We need a mechanism which will let us go back to a certain point in time and then have OneDrive automatically revert back to the versions of all files in OneDrive that were stored at that point. Or we need a true cloud based client backup solution… 3rd party solutions exist, but come on Microsoft! And we need Windows Defender to be able to catch if and when ransomware starts doing its work and prohibit it from continuing. That’s my opinion.</p>

    • 2130

      01 February, 2017 - 7:25 pm

      <blockquote><em><a href="#40342">In reply to </a><a href="../../../../users/allanwith">allanwith</a><a href="#40342">:</a> "And besides, what happens once ransomware becomes smart enough to operate directly on your OneDrive in the cloud and remove your previous versions?"</em></blockquote>
      <p>That’s&nbsp;virtually impossible if you’ve set up TFA on your Microsoft account. The local client only syncs files, it can’t access the Recycle Bin, so the only way for it to delete that would be to access your online account. If it can do that, you’ve got far more problems than some encrypted files.</p>
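The heuristic that several commenters above ask for (warn when one process drastically rewrites many files in a short time) can be sketched as follows. This is an added example, not code from the article, Microsoft or Windows Defender; the thresholds, the event tuple format and the sample data are assumptions constructed for illustration.

```python
import hashlib
import math
import os
from collections import Counter, deque

# File-type signatures ("magic bytes") for a few common extensions.
MAGIC = {".jpg": b"\xff\xd8\xff", ".png": b"\x89PNG", ".pdf": b"%PDF",
         ".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04"}

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def looks_scrambled(path, before, after, high=7.0, jump=2.0):
    """True if one rewrite turned a file into near-random bytes."""
    if entropy(after) < high:
        return False
    magic = MAGIC.get(os.path.splitext(path)[1].lower())
    # Already-compressed files are high-entropy before and after, so for
    # those the signal is the lost type signature, not the entropy jump.
    lost_magic = bool(magic) and before.startswith(magic) and not after.startswith(magic)
    return lost_magic or entropy(after) - entropy(before) >= jump

def detect_burst(events, window=10.0, min_files=5):
    """events: time-ordered (timestamp, path, before, after) tuples.
    Returns the timestamp at which min_files distinct files were scrambled
    within `window` seconds, or None if that never happens."""
    recent = deque()
    for ts, path, before, after in events:
        if not looks_scrambled(path, before, after):
            continue
        recent.append((ts, path))
        while ts - recent[0][0] > window:
            recent.popleft()
        if len({p for _, p in recent}) >= min_files:
            return ts
    return None

def noise(seed: str, n: int = 4096) -> bytes:
    """Deterministic stand-in for ciphertext or compressed data (constructed)."""
    blocks = (hashlib.sha256(f"{seed}:{i}".encode()).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

TEXT = b"Quarterly report draft, revision notes follow. " * 80
JPEG = b"\xff\xd8\xff\xe0" + noise("photo")

# Constructed sample: one process rewrites six files in three seconds.
ATTACK = [(100.0 + 0.5 * i, f"doc{i}.txt", TEXT, noise(f"enc{i}")) for i in range(3)] + \
         [(101.5 + 0.5 * i, f"img{i}.jpg", JPEG, noise(f"jenc{i}")) for i in range(3)]
# Constructed sample: a normal edit, a re-saved photo, one file the user encrypted.
BENIGN = [(200.0, "notes.txt", TEXT, TEXT + b"one more line"),
          (201.0, "img0.jpg", JPEG, b"\xff\xd8\xff\xe0" + noise("edited")),
          (202.0, "secret.txt", TEXT, noise("user-encrypted"))]

if __name__ == "__main__":
    print("attack alert at:", detect_burst(ATTACK))
    print("benign alert at:", detect_burst(BENIGN))
```

A single file the user encrypts on purpose still looks scrambled on its own, which is the false-positive concern raised in the comments; only the burst across many distinct files raises the alert.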

  • 2532

    01 February, 2017 - 8:10 pm

    <p>It could be nice if OneDrive had versioned files.</p>

  • 8658

    03 February, 2017 - 4:49 am

    <p>They need to do better in this respect. With customers this is such a big problem in OneDrive for business that we use IAMCloud Cloud Drive mapper as an alternative to the OneDrive Sync client for customers we move to the cloud. It also gives them a mapped drive experience from the desktop. This way as well there are no files synced to the filesystem for ransomware to grab. I really wish they had better detection for this. And by detection I don’t mean another add on bundle SKU up sell to protect like Advanced threat protection on Office 365. It should be a basic feature of the service.</p>

Thurrott © 2024 Thurrott LLC