
Handling Ransomware in Sharepoint Online


What is Ransomware or a Crypto Virus?

Ransomware is malware that blocks access to various items and demands a ransom in exchange for the creator releasing the lock they have imposed. Once the ransom is paid, the creator of the ransomware will presumably provide whatever is needed to regain access.

For more information on Ransomware please visit https://www.microsoft.com/security/portal/mmpc/shared/ransomware.aspx

How does it work with SharePoint Online or OneDrive for Business?

The ransomware is an executable of some sort that is run locally on a user’s computer. The ransomware we have seen affect SharePoint Online or OneDrive for Business manipulates individual files on the user’s local machine through a OneDrive for Business sync connection or a drive mapped into a SharePoint Online library. Once this occurs, the infected files are synchronized to the online environment by the sync client or, as mentioned, through various WebDAV methods. We have seen various manipulations of the files, including public/private key encryption, appending an unknown extension to the filename, and deleting existing files. In addition, a lot of new files are typically added to each directory with instructions on how to pay the ransom.

How do I confirm the items of a library are being held for ransom?

Here are some of the signs that a SharePoint Online library has been hit by ransomware:

  • The majority of the files within the library share the same Modified By timestamp.
  • Files fail to open, with an error stating that they may be corrupt.
  • Each directory within the library contains several files named HELP_DECRYPT, HELP_Recover or some random name. These files can be opened and contain instructions for paying the ransom.
  • Files have been renamed or have an extension appended to the end.
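The signs above can be screened for mechanically. The following is an added example, not part of the original article or of any Microsoft tooling: it runs over a constructed (path, Modified) export of a document library, looks for ransom-note file names, appended extensions and a burst of modifications in one short window, and reports which folders lack a note. The note-name pattern, document-extension set and thresholds are assumptions to adjust for your tenant.

```python
import re
from collections import Counter
from datetime import datetime, timezone

# Constructed sample export of a library listing (path, Modified); not real tenant data.
LISTING = [
    ("Shared Documents/Q1/report.docx.crypt", "2016-05-10T09:14:03"),
    ("Shared Documents/Q1/budget.xlsx.crypt", "2016-05-10T09:14:05"),
    ("Shared Documents/Q1/HELP_DECRYPT.txt", "2016-05-10T09:14:07"),
    ("Shared Documents/Q2/slides.pptx.crypt", "2016-05-10T09:14:09"),
    ("Shared Documents/Q2/HELP_DECRYPT.html", "2016-05-10T09:14:10"),
    ("Shared Documents/Policies/handbook.pdf", "2016-02-01T12:00:00"),
]

# Note names from the article plus one common variant; hypothetical pattern, extend as needed.
NOTE_RE = re.compile(r"^(HELP_DECRYPT|HELP_RECOVER|HOW_TO_DECRYPT)", re.IGNORECASE)
DOC_EXT = {"doc", "docx", "xls", "xlsx", "ppt", "pptx", "pdf", "txt"}

def has_appended_extension(name):
    """True for names like report.docx.crypt: a document extension followed by an extra one."""
    parts = name.lower().split(".")
    return len(parts) >= 3 and parts[-2] in DOC_EXT and parts[-1] not in DOC_EXT

def scan(listing, window_minutes=15, burst_threshold=0.5):
    """Return the signs found; `suspicious` is set when at least two of the three signs appear."""
    notes, renamed, buckets = [], [], []
    folders, folders_with_note = set(), set()
    for path, modified in listing:
        folder, _, name = path.rpartition("/")
        folders.add(folder)
        if NOTE_RE.match(name):
            notes.append(path)
            folders_with_note.add(folder)
            continue  # notes are newly added files, so they are left out of the burst measure
        if has_appended_extension(name):
            renamed.append(path)
        ts = datetime.fromisoformat(modified).replace(tzinfo=timezone.utc)
        buckets.append(int(ts.timestamp() // (window_minutes * 60)))
    # Share of (non-note) files whose Modified time falls in the single busiest window.
    burst_share = max(Counter(buckets).values()) / len(buckets) if buckets else 0.0
    signs = [bool(notes), bool(renamed), burst_share >= burst_threshold]
    return {
        "ransom_notes": notes,
        "appended_extensions": renamed,
        "burst_share": round(burst_share, 2),
        "folders_missing_note": sorted(folders - folders_with_note),
        "suspicious": sum(signs) >= 2,
    }
```

Feed it the real listing (for example an export of the library's Name and Modified columns) and treat a `suspicious` result as the trigger for stopping sync and opening the support ticket described below.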

How are we able to help?

Unfortunately, we typically cannot block the affected items from being uploaded to SharePoint Online, as we have no knowledge of the encryption keys or mechanism used to impose the lock, and encrypted files are allowed on SharePoint Online. That said, don’t PANIC! Immediately stop OneDrive for Business sync or disconnect the drive mapped to the SharePoint library, and have your Company Administrator open a ticket with Microsoft Office 365 SharePoint Online Support, who will try to revert the files to their normal state.

Note: Do not perform any actions on the affected files, such as renaming or deleting them.

Please have the administrator include the following details when submitting the support ticket.

  1. Which site collection URL(s) have been affected by the ransomware?
  2. When was the last known time that these files were in a healthy state?
  3. Do you consent to Microsoft Support attempting to roll back the changes that have occurred to the affected files? *Note: This is not an overwrite of data or a restore from backup; we will simply attempt to undo the changes that occurred in the site collection.*
