Get a Demo
Free Trial
CA Blog Logo
How to Recover from a SharePoint Ransomware Attack?
sharepoint ransomware recovery
Try our Backup Interactive Product Tour
Start Tour

Effective SharePoint Ransomware Recovery Strategies

Nasdaq calls ransomware the “greatest business threat in 2022”. A SharePoint ransomware attack can be devastating for your business. Your data is held hostage with the looming threat of the ransom, damaging impact on your business continuity, and no way to decrypt the data. In this blog post, we will discuss SharePoint ransomware recovery and how to get your data back. This will include both native Microsoft 365 SharePoint Online ransomware recovery measures including via the Recycle Bin, versioning, and via Files Restore, and non-native ways to restore your data.

Can Ransomware Affect SharePoint Online?

SharePoint Online is a cloud-based service holding valuable data, making it all the more vulnerable to ransomware attacks. SharePoint Online ransomware operates by changing individual files on a user’s local machine by way of a OneDrive for Business connection or a mapped drive into a SharePoint Online library. After that, the ransomware is downloaded and installed on your system, and the modified files are synchronized to the internet using the sync client tool or by various Web DAV methods. Some modifications include encrypting the Public/Private key, adding an unknown extension to the filename, and removing or altering existing files. Finally, new files are added to each directory with instructions regarding the ransom payment.

Some recent instances of SharePoint ransomware include a popular ransomware phishing campaign that was wrapping itself in a Microsoft Office SharePoint theme and evading security email filters (SEGs). WickrMe, another ransomware, used a Microsoft SharePoint 2019 vulnerability to sneak into a victim’s network and cause remote code execution. Regular patching of SharePoint instances to avoid ransomware installations does help. However, the attackers are leveling up their phishing campaigns and creating sites that cleverly mimic legitimate sites.

How To Recover Your SharePoint Data from Ransomware?

Using Native Methods

First, immediately stop OneDrive for Business Sync or disconnect the mapped drive to the SharePoint library. Then proceed to attempt to restore files. SharePoint Online offers some built-in capabilities for ransomware recovery.

#1 Native SharePoint Ransomware Recovery: Using the Recycle Bin

Items deleted from SharePoint Online are stored in the Recycle Bin for 30 days by default. Items in the Recycle Bin can be restored by anyone with appropriate permissions. To access the SharePoint Online Recycle Bin, click the gear icon in the upper-right corner of SharePoint, and then select Site Contents. On the Site Contents page, under Subsites, click Recycle Bin. Watch the video below for the steps.

How to Recover SharePoint Data using the Recycle Bin

#2 Native SharePoint Ransomware Recovery: Versioning

Another helpful SharePoint ransomware recovery method is versioning. SharePoint Online automatically keeps a version history of every file that is stored in a SharePoint document library. This means that you can restore an older version of a file if it has been modified or deleted by ransomware. Watch the video below for the instructions.

How to Recover SharePoint Data using Versioning

#3 Native SharePoint Ransomware Recovery: Via Files Restore

Recover data from any point in time during the previous 30 days with this self-service solution for SharePoint and OneDrive.

  • Go to the SharePoint document library you want to restore. Select Settings => Restore this library.

  • Then select a date from which you wish to recover the library from, using the dropdownsharepoint ransomware restore

  • You can also review the activities that you want to undo using the activity feed. Select Restore to undo all the activities you selected.

Questions about ransomware protection for Microsoft Office 365? Read this blog for pointers on Microsoft ransomware protection.

Limitations of Native SharePoint Ransomware Recovery

  1. Recovery with native options can restore data only for up to 90 days. The time taken to detect a breach can vary from weeks to months, particularly with the newer types of ransomware.
  2. If version history is turned off, you won’t be able to restore files to a previous version.
  3. Native methods of recovery, such as archiving or retention, are time-consuming and can result in a compromised Recovery Point Objective (RPO) and Recovery Time Objective (RTO), which are critical elements when determining business continuity and reduced downtime.
  4. If users or admins delete the data, it will override the retention policy and will be removed from Microsoft 365 applications.
  5. The storage costs of retention can be significant crossing the 11TB limit of Microsoft 365. The expenses can mount quickly if you intend to utilize retention rules as a backup for a period of three years. Even while incurring license upgrade fees to the most costly Enterprise plan, you’ll have to spend more money on storage if you want to use retention policies

How Can You Recover Your SharePoint Data from Ransomware? Using Backup and Recovery

The best way to protect your SharePoint Online data is to have a robust backup and recovery plan in place before an attack occurs.

Backups are critical in ransomware recovery and response; if you are infected, a backup may be the best way to recover your critical data.

Cybersecurity and Infrastructure Security Agency (CISA)

Downtime is the most harmful consequence of a ransomware assault, and limiting it can significantly cut down on the risk and expense. Continual restoration reduces the impact of a ransomware attack by rendering it less effective if you can recover all of your data. The U.S. government’s Cybersecurity and Infrastructure Security Agency (CISA) strongly advises backup to rapidly restore a non-encrypted version of data allowing you to recover quickly from ransomware and minimize its damage. It also advises that backups be stored on the cloud rather than on-premises backup, specifically because backup storage is abstracted from the infrastructure being attacked in accordance with the 3-2-1 backup best practice for ransomware recovery.

CloudAlly’s pioneering and top-rated comprehensive SharePoint/OneDrive Backup secures your SharePoint and OneDrive data on immutable and encrypted AWS S3 storage with unlimited retention to recovery quickly from any point-in-time. Watch how DMSiTech one of Canada’s 50 Best Managed IT companies used CloudAlly SharePoint Backup to recover seamlessly from ransomware.

Start a free trial (zero commitments, zero payment details, zero setup)

Try a hands-on Interactive Product Tour

Right Here and Right Now!
Start a Tour

Start a Free 14-day Backup Trial

Get Start
AWS Backup | Full Account Recovery | Pay-as-you-go
Start Trial

Search by Tag

Most Popular Articles

Why is Cybersecurity Training Business-Critical?
top rated cloud backup
Celebrating 20K Customers!
What’s the Best Office 365 Backup? A Comprehensive Checklist
how to export data from salesforce
How to Export Data from Salesforce

Thought Leader Podcasts

Get Insights from the leading IT influencers

Listen In

Microsoft 365

What’s the Best Office 365 Backup? A Comprehensive Checklist
how to save on Microsoft office 365 licenses
7 Ways to Save on Microsoft Office 365 License Costs
Microsoft Exchange Online Protection – The Ultimate Guide
google workspace vs Microsoft 365 - comparison
Google Workspace vs Office 365: An 8-Point Comparison

Try our Interactive Product Tour

Right Here. Right Now

Start Tour
Book a 1-1
M365 Backup Demo
AWS Backup | Full Account Recovery | Pay-as-you-go

Start a Free 14-day Backup Trial

Free Trial

Unbelievably easy to use!

Get a Quote

Custom Demo

Get Started
Products
Resources
Compare

Get a Quote

Email Us
General Inquiries​
Customer Support
Sales
Partners
Partners Support

Info@cloudally.com

Support@cloudally.com

Sales@cloudally.com

Partners@cloudally.com

Support.Partners@cloudally.com

Sales
Give us a call

USA

UK

AUS

+ 1 424 304 1959
+ 44 208 089 2351
+ 61 285 99 2233
General
Products
Pricing
Partners
Customer Support Hub
Blog
Contact
Data Centers
CloudAlly Ltd is an
OpenText company.
OpenText 275 Frank Tompa Drive Waterloo, Ontario N2L 0A1 Canada
https://opentext.com
© Copyright CloudAlly™ 2024
LinkedIn | CloudAlly Facebook Twitter Youtube Rss

MENU

Get a Demo
Free Trial