Ransomware and OneDrive

Recently I received the following question in my post about backup using OneDrive:

Igor, very good explanation, but clear up a doubt for me. If my machine gets ransomware, I don't know if you know what it does, but in case you didn't know, it encrypts and locks all the files on my PC, all of them. Will a time in cloud and stop automatically, he will do it with the files in the clouds, too?

Great question! Let's talk about ransomware and its implications for OneDrive.

First... do you know what ransomware is?

Ransomware is a cryptovirology attack carried out with covertly installed malware that encrypts the victim's files and then demands a ransom payment in return for the decryption key needed to recover the encrypted files.

In other words, ransomware is a type of malware (such as a computer virus) that encrypts a computer user's personal files, making them inaccessible. The attackers' goal is to demand a ransom in exchange for the password that decrypts the files. It's as if, suddenly, all your personal files had been kidnapped.

Scary, isn't it?

Back to the question that gave rise to this post. Matheus wants to know if ransomware would affect the files synchronized by OneDrive. In other words, "would the copy in the cloud also be encrypted?"

The answer is yes. The copy of the files in OneDrive would also be affected. But that doesn't mean the bad guys have won. Not at all!

A little-known feature of OneDrive is the file history: it automatically keeps the latest versions of your files, every time you save.

Accessing the OneDrive version history

IMPORTANT: the file history works only for Office files. At least as far as I could test, other files such as images are not versioned.

Retrieving a file encrypted by ransomware

If you were attacked by ransomware and had your documents encrypted, you will see something like this when trying to access the latest version of your document on the web:

Latest version of a document after being corrupted by a ransomware

In this case, you can use OneDrive to retrieve at least the Office documents. From another computer (or after reformatting the infected computer), click a version prior to the corrupted one (the penultimate version is probably the obvious choice; if it is corrupted too, try an earlier one) and use the Restore command:

Restoring a previous version of a document

This will restore the document to a version from before the ransomware attack. Now you can access your document again, both from the web and directly on a computer where syncing is turned on:

Recovered file after restoring previous version
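When many documents are affected, the same choice of version can be scripted. The following is an added example, not part of the original post: it assumes the Microsoft Graph `versions` listing and `restoreVersion` action for drive items, and the sample response, item ID and incident time are all constructed. It picks the newest version saved before the attack started instead of simply taking the penultimate one, which may itself be encrypted.

```python
from datetime import datetime, timezone

GRAPH = "https://graph.microsoft.com/v1.0"

# Constructed sample, shaped like the response of
# GET /me/drive/items/{item-id}/versions (newest version first).
# Here the ransomware saved the file twice, so the penultimate
# version (4.0) is encrypted as well.
SAMPLE_VERSIONS = {"value": [
    {"id": "5.0", "lastModifiedDateTime": "2016-03-14T09:41:07Z", "size": 48112},
    {"id": "4.0", "lastModifiedDateTime": "2016-03-14T09:40:52.310Z", "size": 48096},
    {"id": "3.0", "lastModifiedDateTime": "2016-03-11T17:02:30Z", "size": 31877},
    {"id": "2.0", "lastModifiedDateTime": "2016-03-09T13:15:00Z", "size": 30410},
]}


def parse_ts(value):
    """Parse a Graph UTC timestamp, with or without fractional seconds."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def pick_clean_version(versions, incident_start):
    """Return the newest version saved strictly before the incident, or None."""
    clean = [v for v in versions["value"]
             if parse_ts(v["lastModifiedDateTime"]) < incident_start]
    return max(clean, key=lambda v: parse_ts(v["lastModifiedDateTime"]),
               default=None)


def restore_request(item_id, version):
    """Build (method, url) for the call that makes `version` current again."""
    url = f"{GRAPH}/me/drive/items/{item_id}/versions/{version['id']}/restoreVersion"
    return ("POST", url)


if __name__ == "__main__":
    # Assumed incident start time (constructed for this example).
    incident = datetime(2016, 3, 14, 9, 40, tzinfo=timezone.utc)
    version = pick_clean_version(SAMPLE_VERSIONS, incident)
    if version is None:
        print("No version predates the incident; restore from backup instead.")
    else:
        print(*restore_request("ITEM_ID_PLACEHOLDER", version))
```

Sending the request requires an access token with write permission on the files, obtained from a clean machine rather than the infected one.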


See how OneDrive can help with Office file versioning? It does not offer complete protection for all your files; after all, the version history works only for Office documents. However, it at least offers hope to anyone who falls victim to ransomware: there is a good chance that some of your files can be retrieved.

None of this diminishes, however, the importance of a comprehensive backup process. Speaking of backup, do you know the backup rule of three?

    • 3 copies of anything that is important to you. Two copies are not enough if a file is important;
    • 2 different formats. For example, Dropbox + DVDs or external HD + Memory Stick or Flash drive + OneDrive …
    • 1 off-site backup. What if the house burns down?

And you, how do you back up your data? Share in the comments!


A hug,

Author: Igor Abade

Igor Abade V. Leite has been a Visual Studio ALM MVP (Microsoft Most Valuable Professional) since 2006. A speaker at various software development community events (TechEd Brasil, The Developers’ Conference, DevOps Summit Brasil, Agile Brazil, Visual Studio Summit, QCON among others), he has also written articles for magazines and websites such as MSDN Brazil. Since March 2011 he has been one of the owners of Lambda3, a Brazilian consulting company specialized in ALM, software development and training. Visit his blog about VS ALM at http://www.tshooter.com.br/ and follow him on Twitter @igorabade.

