One of my small business clients recently experienced a phishing attack where an employee clicked on a malicious link. One of the results of this was their O365 SharePoint Sites becoming encrypted. Since the office was on a network, the malware spread throughout the office, bringing business to a halt.
Their IT person went in to remove the malware and get the individual work stations back – my job was to check on their SharePoint sites, see what the damage was and get their data restored.
Encrypted O365 SharePoint Sites
When I logged in to the administrator’s O365 portal and went to SharePoint, it was easy to see the encrypted files. The file names were extremely long and they all had the word ‘satan’ in them – very appropriate!
Even though enough time had passed that all the work stations’ SharePoint sites had synced and had encrypted files (it happened on a Sunday), I logged in and stopped the sync on each work station. I exited the OneDrive app so it wouldn’t run. Then I deleted all of the SharePoint folders on each local computer and emptied their trash.
Then I went to the admin portal help section and put in a request for Microsoft to call me. I needed to initiate a restore of all of their sites. {Side note: getting a call-back from Microsoft now takes hours, not minutes. Since O365 use has skyrocketed, their support desks have been overloaded.}
When the technician called, he had the ability to initiate a secure screen-share – it’s fast and easy to do (I’ve done it many times now). They are unable to control the screen – the customer is always the driver. They can use a pointer, but that’s it.
So we confirmed that the files are encrypted. Before we proceeded with the restore process, here’s the list of things that had to be filled out and sent back to them:
- What is the URL of the site collection/sub-site URL that contains the item, or items, that have to be restored?
- What is the URL to the item, or items, that has to be restored? If this is unknown, specify a location as close as possible.
- What is the reason for the restore request? For example, missing item, unwanted changes, and so on.
- Is version history restore working?
- Were you able to check, verify and restore the data from the Recycle bin?
- Sample affected file names: (should be 5 or more)
- When were the item, or items, last known to exist in the desired state?
I found out we have a 14-day window in which to get the data restored. Their limit is 14 days for backups and backups run every 12 hours. So we (and Microsoft) were against the clock to get it done.
When we hit the day 3 mark – the going back and forth and wait time really made things drag out. Microsoft made us confirm two times the list of sites sent to them to be sure. Partial sites can’t be restored. The double approval made the process longer.
We chose our restore date, confirmed with them twice and then we started our wait — wait — wait.
How Long Did We Wait for O365 SharePoint Encrypted Sites Restoration?
We thought it might take up to 4 days to get our sites restored, but we were given no timeline, we were guessing and hoping. Communication from Microsoft dropped off and it became difficult to get a response from them. Once I got a call back at 5:15 AM and one at 7:30 PM. They could not give me much of an update. Their response was, “we have multiple teams working on this and it is difficult to get updates from each of them”.
SharePoint Sites Restored on 13th Day!
Yes, they got the sites restored before their drop-dead date. That meant the company was without access to all of their SharePoint files for 2 weeks. Of course, this made doing their business and getting things done very difficult and it was a trying time for them.
Resyncing SharePoint & OneDrive for Business
With the files restored, I then needed to start up the sync on everyone’s work stations. I had to restart OneDrive by going to the Windows button and typing in “OneDrive” to start the app and sign in on each work station. I went to the on-line portal to each SharePoint site and started syncing all their sites.
Everyone in this group was already on the Next Gen Sync Client. I also made sure to have the correct settings checked in the Admin area to reflect we’re using the ‘New experience’.
The sync went smoothly and everyone now had access again to their SharePoint sites.
SharePoint & Other Lessons Learned
- Getting malware, viruses and/or encrypted files is a real threat. The weakest link is usually an uneducated employee. More education is needed – not just at this company but everywhere.
- It can happen to anyone. The bad guys are really smart.
- Consider not uploading all your files into SharePoint. My friend and Outlook expert, Lisa Hendrickson over at Call That Girl, says this over and over again in her podcasts. If you have archival files and folders, then back them up on a couple external drives (have multiple copies) instead of putting things in SharePoint that aren’t needed for current work.
- Should businesses choose to implement their own back-up system? It depends on the business. I gave the business owner three suggestions for backing up their SharePoint files to discuss with his IT person. There are third-party SharePoint companies out there that have solutions in addition to manual processes where good backups are verified and then disconnected from the network at certain intervals.
Restore Options in SharePoint Online
In my SharePoint encryption recovery process, I got a few emails from Microsoft with some helpful links for site admins who need some help to restore data. This information is not for encryption attacks, because why would you want to restore encrypted files??
This information is for administrators who need to restore files, folders and even entire sites that were mistakenly deleted. With two stages of recycle bins, your chances of recovering deleted files are pretty good. The detail of information you get on who did what is very comprehensive.
Restore options in SharePoint Online
https://blogs.technet.microsoft.com/akieft/2012/01/09/restore-options-in-sharepoint-online/
(Cloud) Tip of the Day: SharePoint Online restore options
https://blogs.technet.microsoft.com/tip_of_the_day/2016/07/26/cloud-tip-of-the-day-sharepoint-online-restore-options/
Additional Information…
- For things that can’t be recovered through self-help, you can contact Microsoft Support. However, backups are only stored for 14 days.
- Backups occur every 12 hours.
- Only Site Collections can be recovered. Not individual items.
- For self-help recovery, things remain in the recycle bin for 90 days. However, they may remain a little longer. Some say up to 93 days but this has never been confirmed.
- Items deleted will first go into the end-user recycle bin; items deleted from the end-user recycle bin will go into the Site Collection recycle bin.
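As an added example (not part of the original post and not a Microsoft tool), here is one way to turn a file inventory into the facts the restore request asks for: whole site collections affected, five or more sample file names, the last known good time, and a deadline. The inventory layout, tenant name and timestamps are constructed; the ‘satan’ marker, 14-day retention and 12-hour backup interval come from the post, and subtracting one backup interval from the deadline is an assumption that the last clean backup may be up to 12 hours older than the first encrypted file.

```python
from collections import defaultdict
from datetime import datetime, timedelta

MARKER = "satan"                        # string the post saw in encrypted file names
RETENTION = timedelta(days=14)          # backup retention stated in the post
BACKUP_INTERVAL = timedelta(hours=12)   # backup frequency stated in the post

# Constructed inventory: (site collection URL, file path, last modified, UTC).
SITE = "https://example.sharepoint.com/sites/"
INVENTORY = [
    (SITE + "finance", "Shared Documents/budget-2018.xlsx.satan", "2018-03-04T09:12:00"),
    (SITE + "finance", "Shared Documents/invoices.satan.docx", "2018-03-04T09:13:30"),
    (SITE + "finance", "Shared Documents/payroll.satan", "2018-03-04T09:15:00"),
    (SITE + "hr", "Shared Documents/handbook.pdf.satan", "2018-03-04T09:20:00"),
    (SITE + "hr", "Shared Documents/reviews.satan", "2018-03-04T09:21:00"),
    (SITE + "hr", "Shared Documents/policy.docx", "2018-02-20T14:00:00"),
    (SITE + "marketing", "Shared Documents/logo.png", "2018-01-15T10:00:00"),
]

def build_restore_request(rows, marker=MARKER, min_samples=5):
    """Summarise affected site collections for a restore request, or None if clean."""
    per_site = defaultdict(list)
    for site, path, modified in rows:
        file_name = path.rsplit("/", 1)[-1].lower()   # match the name, not folders
        if marker in file_name:
            per_site[site].append((datetime.fromisoformat(modified), f"{site}/{path}"))
    if not per_site:
        return None
    hits = sorted(h for site_hits in per_site.values() for h in site_hits)
    first_encrypted = hits[0][0]
    return {
        # Only whole site collections can be restored, so list them, not items.
        "site_collections": sorted(per_site),
        "sample_files": [url for _, url in hits[:min_samples]],
        "enough_samples": len(hits) >= min_samples,
        # Restore point must predate the first encrypted write.
        "restore_to_before": first_encrypted,
        # Conservative: the last clean backup may be one interval older.
        "request_deadline": first_encrypted - BACKUP_INTERVAL + RETENTION,
    }

if __name__ == "__main__":
    for key, value in build_restore_request(INVENTORY).items():
        print(f"{key}: {value}")
```

Sites with no marked files (marketing in the sample) stay off the list, which matters because a site-collection restore rolls back everything in that site to the chosen point.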
I hope this has been helpful and gives those of you with O365 tenants an idea of the process if this happens to you.