At OGD we sometimes have to deal with users that got infected with CryptoLockers, and we have both automated and controlled systems in place to prevent damage to, or restore data on, any file shares. An infection on SharePoint Online or OneDrive has not yet happened, but eventually it of course will, and I like to fix things before they break.
As SharePoint Online and OneDrive for Business natively use versioning on files, you basically have no real risk of losing data to CryptoLockers: your RPO (Recovery Point Objective) is 0. However, restoring the previous versions of files is quite a lot of work if done manually, so your RTO (Recovery Time Objective) could be weeks or more.
Unless, of course, you use PowerShell. I've written a script that will restore the most recent previous version of any file in a given Document Library.
Download: O365AntiCryptoLocker
Example usage for a OneDrive site:
.\O365AntiCryptoLocker.ps1 -siteURL "https://o365mig-my.sharepoint.com/personal/test1_o365mig_onmicrosoft_com" -login "mylogin" -password "mypassword" -libraryTitle "Documents"
Or for a SharePoint Online site:
.\O365AntiCryptoLocker.ps1 -siteURL "https://o365mig.sharepoint.com/site1" -login "mylogin" -password "mypassword" -libraryTitle "Documents"
You'll need the SharePoint Client Components installed, and you'll have to have sufficient permissions on the library and its files. Note that a password passed on the command line as in the examples above ends up in your PowerShell history, so clear it afterwards or prompt for the password instead.
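To show how such a restore works with the SharePoint Client Components (CSOM), here is an added example that is not the O365AntiCryptoLocker script itself. It restores the most recent previous version of every file in a library and goes a little beyond the script as described: it pages through the library in batches of 1000 so the list view threshold is not hit, and optionally restricts the run to one folder or one file extension. The SDK install path, the parameter names beyond those of the original script, and the example folder and extension values are assumptions.

```powershell
# Added example (not the original O365AntiCryptoLocker script): restores the most recent previous
# version of every file in a library, optionally limited to one folder and one file extension.
param(
    [Parameter(Mandatory)][string]$siteURL,
    [Parameter(Mandatory)][string]$login,
    [Parameter(Mandatory)][string]$password,
    [Parameter(Mandatory)][string]$libraryTitle,
    [string]$folderServerRelativeUrl,   # assumed example: "/personal/test1_o365mig_onmicrosoft_com/Documents/Finance"
    [string]$extension,                 # assumed example: ".docx" to revert only files with that extension
    [switch]$DryRun                     # report what would be restored without changing anything
)

# Assumed install path of the SharePoint Online Client Components SDK; adjust to your machine.
$sdk = "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\ISAPI"
Add-Type -Path "$sdk\Microsoft.SharePoint.Client.dll"
Add-Type -Path "$sdk\Microsoft.SharePoint.Client.Runtime.dll"

$ctx = New-Object Microsoft.SharePoint.Client.ClientContext($siteURL)
$securePwd = ConvertTo-SecureString $password -AsPlainText -Force
$ctx.Credentials = New-Object Microsoft.SharePoint.Client.SharePointOnlineCredentials($login, $securePwd)

$list = $ctx.Web.Lists.GetByTitle($libraryTitle)
$ctx.Load($list)
$ctx.ExecuteQuery()

# Page through the library 1000 rows at a time; a single query over more than 5000 items
# is what triggers the "exceeds the list view threshold" error.
$query = [Microsoft.SharePoint.Client.CamlQuery]::CreateAllItemsQuery(1000, "FileRef", "FSObjType")
if ($folderServerRelativeUrl) { $query.FolderServerRelativeUrl = $folderServerRelativeUrl }

do {
    $items = $list.GetItems($query)
    $ctx.Load($items)
    $ctx.ExecuteQuery()
    foreach ($item in $items) {
        if ($item["FSObjType"] -eq 1) { continue }                       # skip folders
        $url = [string]$item["FileRef"]
        if ($extension -and -not $url.EndsWith($extension, "OrdinalIgnoreCase")) { continue }
        $file = $ctx.Web.GetFileByServerRelativeUrl($url)
        $ctx.Load($file.Versions)
        $ctx.ExecuteQuery()
        # Versions holds only previous versions; a file with none has nothing to roll back to.
        if ($file.Versions.Count -eq 0) { Write-Warning "No earlier version: $url"; continue }
        $previous = $file.Versions | Sort-Object { [int]$_.ID } | Select-Object -Last 1
        Write-Host "$url -> restoring version $($previous.VersionLabel)"
        if (-not $DryRun) { $file.Versions.RestoreByLabel($previous.VersionLabel); $ctx.ExecuteQuery() }
    }
    $query.ListItemCollectionPosition = $items.ListItemCollectionPosition   # $null once all pages are read
} while ($query.ListItemCollectionPosition -ne $null)
```

Run it first with -DryRun to review which files and version labels would be touched; if the most recent previous version is itself encrypted, the file needs an older label chosen by hand rather than this script.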
I get the error: Failed to load files in Documents, Exception calling “ExecuteQuery” with “0” argument(s): “The attempted operation is prohibited because it exceeds the list view threshold enforced by the administrator.” So my question is, how can I get the script to target a specific folder instead of the whole “Documents” library? I think that would let me get around the restriction, plus I could have a little control over what files get reverted, instead of the whole library. Thanks in advance!
Hi, thanks for your post. But what about restoring only some files of the library? Our library was affected by a CryptoLocker but not all the files were affected. We need to select a subset of those files (that we can identify by the ".ext" extension).
I get this error: "Failed to find Documents, Exception calling "ExecuteQuery" with "0" argument(s):". Can someone help me with this?
Hi,
Great script to start with!
One of my clients opened a cryptolocker virus and I tried using this script to restore the latest version. However on some files the latest version was also encrypted. Didn’t find a way to “choose” what version to restore.
I ended up creating a support case and Microsoft restored the whole SharePoint site and the users' OneDrive library.
I'm actually just writing the info here in case anyone stumbles across the same problem, to let them know that Microsoft stores backups for two weeks.
[…] In addition, it allows me to help you automatically reverse nasty CryptoLocker actions like mass file and folder renames and restore previous versions in bulk. […]
Good initiative, but this won't work for the CryptoLockers that I have faced. Not only were my client's files scrambled 3 versions back, but names were obfuscated as well, and dummy files introduced (visible in SPO as files without version history except the "infected" version). For those curious: the files got infected when an end-user enabled sync on a doclib…. The solution was a script to detect and save files across the Site Collection that had changed since the last Microsoft backup, a Site Collection restore, and a move of the new files back into the portal. Things to watch out for: sync set…
Thank you Jos for your service; every day we use your script and it works perfectly.