One of my small business clients recently experienced a phishing attack where an employee clicked on a malicious link. One of the results of this was their O365 SharePoint Sites becoming encrypted. Since the office was on a network, the malware spread throughout the office, bringing business to a halt.
Their IT person went in to remove the malware and get the individual workstations back – my job was to check on their SharePoint sites, see what the damage was and get their data restored.
Encrypted O365 SharePoint Sites
When I logged in to the administrator’s O365 portal and went to SharePoint, it was easy to see the encrypted files. The file names were extremely long and they all had the word ‘satan’ in them – very appropriate!
Even though enough time had passed that all the workstations’ SharePoint sites had synced and had encrypted files (it happened on a Sunday), I logged in and stopped the sync on each workstation. I exited the OneDrive app so it wouldn’t run. Then I deleted all of the SharePoint folders on each local computer and emptied their trash.
Then I went to the admin portal help section and put in a request for Microsoft to call me. I needed to initiate a restore of all of their sites. {Side note: getting a call-back from Microsoft now takes hours, not minutes. Since O365 use has skyrocketed, their support desks have been overloaded.}
When the technician called, he had the ability to initiate a secure screen-share – it’s fast and easy to do (I’ve done it many times now). They are unable to control the screen – the customer is always the driver. They can use a pointer, but that’s it.
So we confirmed that the files were encrypted. Before we proceeded with the restore process, here’s the list of things that had to be filled out and sent back to them:
- What is the URL of the site collection/sub-site URL that contains the item, or items, that have to be restored?
- What is the URL to the item, or items, that has to be restored? If this is unknown, specify a location as close as possible.
- What is the reason for the restore request? For example, missing item, unwanted changes, and so on.
- Is version history restore working?
- Were you able to check, verify and restore the data from the Recycle bin?
- Sample affected file names: (should be 5 or more)
- When were the item, or items, last known to exist in the desired state?
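
Several of those answers (affected site URLs, five or more sample file names, and the time the files were last good) can be pulled from a file inventory. The script below is an added example, not part of the original post or anything Microsoft supplied. It assumes a CSV export with `site_url`, `path` and `modified` columns, and every URL, file name and timestamp in it is constructed.

```python
import csv
import io
from datetime import datetime

# Constructed inventory export (not real data): site, file path, last-modified time.
INVENTORY = """site_url,path,modified
https://tenant.example/sites/finance,Shared Documents/q1-satan-8f3a.xlsx,2020-03-08T09:14:00
https://tenant.example/sites/finance,Shared Documents/q2-satan-11bc.xlsx,2020-03-08T09:12:00
https://tenant.example/sites/finance,Shared Documents/policy.docx,2020-02-20T15:30:00
https://tenant.example/sites/hr,Forms/leave-satan-77de.docx,2020-03-08T09:20:00
https://tenant.example/sites/hr,Forms/review-satan-90aa.docx,2020-03-08T09:21:00
https://tenant.example/sites/hr,Forms/offer-satan-42cd.docx,2020-03-08T09:25:00
https://tenant.example/sites/hr,Forms/handbook.pdf,2020-01-05T10:00:00
"""

MARKER = "satan"    # word the post reports in every encrypted file name
MIN_SAMPLES = 5     # the request form asks for 5 or more sample names
MAX_SAMPLES = 10    # assumption: cap the list so the form stays readable


def build_restore_request(csv_text, marker=MARKER):
    """Summarise affected files into the fields the restore form asks for."""
    sites, samples, first_hit = set(), [], None
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = row["path"].rsplit("/", 1)[-1]
        if marker not in name.lower():
            continue  # file name does not carry the marker; treat as unaffected
        when = datetime.fromisoformat(row["modified"])
        sites.add(row["site_url"])
        samples.append(f'{row["site_url"]}/{row["path"]}')
        # Earliest encrypted write: the desired state is any time before this.
        if first_hit is None or when < first_hit:
            first_hit = when
    return {
        "site_urls": sorted(sites),
        "sample_files": samples[:MAX_SAMPLES],
        "enough_samples": len(samples) >= MIN_SAMPLES,
        "first_encrypted_write": first_hit,
        "reason": "unwanted changes (files encrypted by malware)",
    }


if __name__ == "__main__":
    for field, value in build_restore_request(INVENTORY).items():
        print(f"{field}: {value}")
```

A name match is only a first pass: a legitimate file whose name happens to contain the marker would also be listed, so review the samples before sending them.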