
Ransomware protection in OneDrive isn’t everything Microsoft says

Microsoft promotes OneDrive as protection against ransomware, but our tests show it’s not always as practical or complete as the company boasts. One recovery feature works fine but the other isn’t complete.

While updating our book Everyday Backups, we tested the OneDrive ransomware protections rather than taking Microsoft’s word for how they work. We found that one feature works exactly as Microsoft’s carefully worded steps say, but misses an important element of ransomware recovery.

Ransomware blocks access to a computer or network data by encrypting the files and changing the file name / extension. For example, a file 2021Budget.xlsx could become rqweq3spobt.ccc.

It’s the file name/extension change part that OneDrive does NOT always recover from.  That makes recovery from malware a huge problem.

UPDATE: we’ve updated this article to make clear that ‘Version History’ doesn’t recover file names. However, the less-obvious ‘Restore your OneDrive’ does restore both content and file names to previous states.

Why isn’t OneDrive’s ransomware recovery complete?

One part of OneDrive’s ransomware recovery is really their Version History feature rebadged for a purpose it wasn’t originally intended or designed for.

Version History assumes that the name of the document doesn’t change significantly or maliciously.  It also doesn’t allow for a change of file extension.

It’s promoted as a malware restore feature, even though it doesn’t do a complete job.

Microsoft hasn’t devoted any effort to upgrading OneDrive’s Version History to save and restore file names.  In typical Microsoft fashion, it’s enough to promote an incomplete solution rather than improve their service so it truly helps customers.

How OneDrive ransomware recovery doesn’t quite work

You’ve been infected with ransomware and that has spread to your OneDrive storage because (as Microsoft strongly promotes) the computer files are synchronised to OneDrive.

That means a Word document becomes unreadable because it’s encrypted plus the file name and extension have changed too.

OneDrive’s partial solution is using ‘Version History’ which keeps past versions of the file.

When ransomware messed up the document, OneDrive kept the previous, readable contents automatically.  The Version History lists the past file versions available and lets you restore or open the older document separately.

But, and it’s a huge ‘but’, OneDrive version history does NOT restore the original file name.

You’re stuck with the ransomware fake name and a useless extension.

To fully recover from OneDrive’s Version History you have to:

  1. guess the original file extension
  2. open the document or file (once you’ve guessed correctly)
  3. look at the contents and rename the file.

Imagine doing that for hundreds or even thousands of files!  Ransomware affects not just Office documents but also pictures, videos and music collections.
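Step 1 of the list above can be automated once Version History has put readable content back under the ransomware name. The sketch below is an added example, not code from Office Watch or Microsoft: it guesses the extension from the leading bytes and, for ZIP-based Office files, from the folders inside the container. The function names and sample inputs are constructed for illustration, and the original file name still has to be chosen by a person.

```python
import io
import zipfile
from pathlib import Path

# Leading-byte signatures for common non-ZIP formats.
MAGIC = [
    (b"%PDF-", ".pdf"),
    (b"\x89PNG\r\n\x1a\n", ".png"),
    (b"\xff\xd8\xff", ".jpg"),
    (b"GIF8", ".gif"),
]
# Modern Office files are ZIP containers; a top-level folder names the application.
OOXML_DIRS = {"word/": ".docx", "xl/": ".xlsx", "ppt/": ".pptx"}

def guess_extension(data: bytes):
    """Return a likely extension for restored content, or None if unrecognised."""
    for magic, ext in MAGIC:
        if data.startswith(magic):
            return ext
    if data.startswith(b"PK\x03\x04"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            return None  # ZIP header but no readable directory: treat as unknown
        for prefix, ext in OOXML_DIRS.items():
            if any(n.startswith(prefix) for n in names):
                return ext
        return ".zip"
    return None

def plan_renames(folder):
    """Map each file name in folder to the same stem with the guessed extension."""
    plan = {}
    for path in sorted(Path(folder).iterdir()):
        if path.is_file():
            ext = guess_extension(path.read_bytes())
            if ext and path.suffix.lower() != ext:
                plan[path.name] = path.stem + ext
    return plan

def sample_ooxml(member):
    """Build a constructed, minimal ZIP holding one member (sample input only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, "<x/>")
    return buf.getvalue()
```

Files that match no signature are left out of the plan, which is a useful hint that their content has not been restored yet.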

Restore your OneDrive

It’s a different story with the more obscure Restore your OneDrive feature. This feature is buried down in Settings | Options but does a proper job, recovering both content and file names to a previous time.

Here’s how it works. We tested this with some documents, renamed to ransomware-like file names.

Go to Options | Restore your OneDrive and select a past date for restoration.  If you’ve been quick then ‘Yesterday’ is enough or you can select a custom date and time.

Even more useful is the list of changes made in date/time order. The ransomware changes will appear as file name and content changes.   In this list you can see our two test files were renamed.

In a real ransomware attack there would be hundreds or thousands of changes.

Individual file changes can be selected/unchecked for recovery instead of relying on date alone.

When all the files you want restored are selected, click on Restore.  Wait while OneDrive does its thing then see the files are recovered, unblocked and with their original file names.

Dropbox and others too

It’s not just OneDrive passing off their versioning feature as ransomware protection.

Dropbox has the same problem.  Their Version History also restores file contents but not file names or extensions.

Better than nothing …

Making backups that can restore from ransomware isn’t easy.  Regular backups are likely to be affected by the malware.

That’s why we’ve devoted a whole chapter to ransomware protection in our updated book Everyday Backups – protecting your documents, photos and personal info.

Version History isn’t a complete guard against ransomware and it’s a PITA to recover from. Restore your OneDrive is a lot better. It’s a simple way to keep safe copies of the most recent files and documents.

It should be possible to recover from a ransomware attack with good backups that are safe from malware interference, plus OneDrive/Dropbox safety versions of the latest files. Of course, it’s better not to be infected in the first place; we cover that in Everyday Backups too.


About this author

Office-Watch.com

Office Watch is the independent source of Microsoft Office news, tips and help since 1996. Don't miss our famous free newsletter.