O365AntiCryptoLocker, restores the previous version of your files in Sharepoint Online or Onedrive for Business

Note: O365Undo is also free and can probably help you fix your crytolocker problem more precisely as it is the next version of O365AntiCryptoLocker

O365AntiCryptoLocker

At OGD we sometimes have to deal with users that got infected with CryptoLockers and have both automated and controlled systems in place to prevent damage or restore data to any fileshares. An infection on Sharepoint Online or Onedrive has not yet happened, but eventually it of course will and I like to fix things before they break.

As Sharepoint Online and Onedrive for Business natively use versioning on files, you basically have no real risk of losing data to Cryptolockers, your RPO (Restore Point Objective) is 0. However, restoring the previous versions of files is quite a lot of work if done manually, so your RTO (Restore Time Objective) could be weeks or more.

Unless of course, you use Powershell. I’ve written a script that will restore the most current previous version of any file in a given Document Library.

Download: O365AntiCryptoLocker

Example usage for a Onedrive site:

.\O365AntiCryptoLocker.ps1 -siteURL "https://o365mig-my.sharepoint.com/personal/test1_o365mig_onmicrosoft_com" -login "mylogin" -password "mypassword" -libraryTitle "Documents"

Or for a Sharepoint Online Site:

.\O365AntiCryptoLocker.ps1 -siteURL "https://o365mig.sharepoint.com/site1" -login "mylogin" -password "mypassword" -libraryTitle "Documents"

You’ll need the Sharepoint Client Components installed, and you’ll have to have sufficient permissions on the library and its files.

 

Subscribe
Notify of
guest

This site uses Akismet to reduce spam. Learn how your comment data is processed.

14 Comments
Most Voted
Newest Oldest
Inline Feedbacks
View all comments
RobB
RobB
6 years ago

I get the error: Failed to load files in Documents, Exception calling “ExecuteQuery” with “0” argument(s): “The attempted operation is prohibited because it exceeds the list view threshold enforced by the administrator.” So my question is, how can I get the script to target a specific folder instead of the whole “Documents” library? I think that would let me get around the restriction, plus I could have a little control over what files get reverted, instead of the whole library. Thanks in advance!

Emilio
Emilio
3 years ago

Hi. thanks for your post. But what about restore only some files of the Library. Our library was afected by a CrytoLocker but not all the files were affected. We need to select a subset of those files (that we can identify by the “.ext” extension)

TruongTK
TruongTK
6 years ago

I get this error: “Failed to find Documents, Exception calling “ExecuteQuery” with “0” argument(s):” can some one help me with this?

ji la
ji la
7 years ago

Hi,
Great script to start with!
One of my clients opened a cryptolocker virus and I tried using this script to restore the latest version. However on some files the latest version was also encrypted. Didn’t find a way to “choose” what version to restore.

I ended up creating a support case and microsoft restored the wole sharepoint site and the users onedrive library.

I’m acctually just writing the info here if anyone stumble across the same problem to let them know that Microsoft stores backups for two weeks.

trackback

[…] In addition, it allows me to help you automatically reverse nasty CryptoLocker actions like mass file and folder renames and restore previous versions in bulk. […]

Anders Rask
Anders Rask
7 years ago

Good initiative, but this won’t work for the CryptoLoggers that I have faced. Not only was my clients files scrambled 3 versions back, but names was obfuscated as well, and dummy files introduced (visible in SPO as files without version history except “infected” version). For those curius: The files got infected when an end-user enabled sync on a doclib…. The solution was a script to detect and save files across Site Collection that had changed since last Microsoft backup, a Site Collection restore, and a move of new files back into the portal. Things to watch out for: sync set… Read more »

Alex Pruneau
Alex Pruneau
7 years ago

Thank you Jos for your service, everyday we use your script and its work perfectly.