Strategies for Protecting OneDrive Against Ransomware

Many users think of OneDrive as cloud backup storage. They tend to think that files stored in OneDrive are invulnerable to loss and corruption. In other words, some believe that files stored in a public cloud cannot be damaged by ransomware, unlike files stored on disk drives of local computers and servers on-premises. That’s not completely true! Files stored in OneDrive can be attacked by ransomware, encrypted, and lost as a result.

The popularity of ransomware attacks is growing every year. However, if you follow the recommendations and observe security policies, you can keep your data safe even when storing it in OneDrive. This blog post covers strategies to protect data in OneDrive and explains how to protect against ransomware attacks.

Backup for Microsoft 365 Data

Backup for Microsoft 365 Data

Use the NAKIVO solution to back up Microsoft 365 data in Exchange Online, Teams, OneDrive and SharePoint Online for uninterrupted workflows and zero downtime.

About OneDrive and Ransomware

Can ransomware infect OneDrive? Yes, files stored on OneDrive can be infected and encrypted with ransomware in these cases:

  • OneDrive is mounted to a local folder on a local computer, and files stored in OneDrive are synchronized with the associated local folder. If a local computer is infected with ransomware, ransomware encrypts all accessible files, including files stored in the folder synchronized with OneDrive. As a result, if you access OneDrive in a web interface, you see encrypted (in other words, corrupted) files. Ransomware can start to encrypt One Drive, then the ransomware encrypts other drives and all accessible storage locations.
  • If an attacker gets your credentials, files accessible from your user account can be encrypted with ransomware.
  • Clicking phishing links causes the downloading and execution of viruses, malware, and ransomware on a victim’s computer. Ransomware corrupts files to which it gets access.
  • Malicious add-ons and extensions that ask you to provide permissions to access OneDrive are dangerous and can be entry points for a ransomware infection. Read the description of add-ons and extensions attentively, and check the vendor before installing them.

How safe is OneDrive? Is OneDrive secure? How secure is OneDrive? These questions are popular among new Microsoft 365 users. OneDrive is safe and secure enough. However, you should know how to protect against ransomware attacks, follow security recommendations, and know what to do if you see OneDrive hacked. Microsoft presented a new built-in ransomware detection feature, which detects suspicious activity like mass deletions or encryption of files stored in OneDrive. The user is notified with an alert message on the user device and via email. A list of recommendations is also displayed. But what you want is to avoid having OneDrive ransomware corrupt your files. Read how to protect folders from ransomware in the next section of this blog post.

How to Protect OneDrive Against a Ransomware Attack

In this section, I explain how to protect against ransomware and define ransomware protection strategies for OneDrive. Following these recommendations reduces the risk of getting infected with ransomware and losing data.

Protect credentials

Protect the credentials of the Microsoft 365 administrator account. By stealing an administrator’s credentials, an attacker can steal and damage all of the data of an organization stored in OneDrive storage (including all of the data of all of the users in the organization).

Protect the credentials of the users. Stealing the accounts of users allows attackers to access their personal data and shared data, distribute ransomware, and infect files. When files stored in shared OneDrive storage are infected, other users who access the shared storage can also become infected.

Enable two-factor authentication. Microsoft 365 supports multi-factor authentication. This additional security step can help users protect their accounts against being compromised and having their credentials stolen. It is recommended that you use multi-factor authentication or two-step verification to protect Microsoft 365 accounts with administrative permissions. Here is a blog post about two-factor authentication for Microsoft 365.

Protect each computer

Protect the computers in your organization. Install and configure antivirus and antimalware software. Following this recommendation reduces the risk of ransomware infecting users’ computers and the files stored in synchronized OneDrive folders on these computers (OneDrive storage mapped to local folders). Don’t forget about servers and virtual machines.

Block the execution of files stored in %appdata%, %localappdata%. By default, these directories are used by applications in Windows to store data. Temporary files and downloaded data can be located there. When ransomware files are downloaded, they can be masked and hidden in these folders, and then they can be executed.

Block macros in Microsoft Office documents. Macros are rarely used for business tasks, but they are a source of serious issues. One widely used infection method is distributing documents with malicious macros, which launch a ransomware attack to infect a computer and then spread over a network to infect other computers.

Update software and install security patches to fix known software vulnerabilities that can be used by ransomware to penetrate and infect a system. You can enable automatic software updates for Windows and applications. If your security configuration is imperfect, attackers can use unpatched software vulnerabilities to start a ransomware attack. That’s why installing patches is important.

Educate users

Educate users to recognize phishing attacks. Attackers often presume that users are not experienced, and that they download all files attached to emails, open files, and click all links. Our task is to tell users about threats and teach them how to identify suspicious content.

The most popular ransomware attack vector is sending phishing emails to users. A malicious link is designed to look like a legitimate link but redirects the user to download and install ransomware. Hover over the link and check the spelling in the URL address. If even one character is wrong, avoid clicking on the link. The email address of a sender, similarly to links, can be spoofed. If you don’t know a sender and don’t want any messages from this sender, it is better to skip or reject the email from this sender. Don’t download and open files attached to email messages. Remember about the threat of opening Word/Excel documents with macros.

Harmful links in email messages and fake web pages are dangerous. Attackers can create fake pages and send links in email messages to these fake pages. A fake page looks like the original page, but clicking elements on the page or entering credentials can lead to losing an account or infection with ransomware.

Even if the website address is real and legitimate, be aware that attackers can hack websites and make malicious injections to that site. After visiting such a website, a user can become infected with ransomware. Good antivirus software that is up to date can prevent infection in this case.

An attacker can use social engineering techniques and labels like “urgent”, “important”, etc. in email messages to rush a victim and divert their attention away from checking the content. Be careful when you receive messages from Skype and other services. Keep in mind that an attacker can hack a user account and send messages from that user. A user account is real in this case, but a link or file sent from the hacked account can constitute a threat.

When users are trained to recognize suspicious content, the risks of a ransomware attack via phishing emails are significantly lower. It is always better to prevent OneDrive ransomware attacks rather than recover corrupted files.

Use email protection systems

Use Exchange Online Protection. This native Microsoft 365 tool allows you to configure additional protection filters, such as safe links filter and safe attachments filter.

Configure anti-phishing policies. Exchange Online Protection can determine trusted senders, suspicious senders, attached files that constitute a threat, and spoofed and malicious links to infected sites. Spoofed senders and unwanted email can be blocked in settings.

Block active content in attached files such as macros in Word/Excel documents, VBScript, and JavaScript. Read the blog post about Exchange Online Protection for more information about this feature.

Use cloud protection systems

Enable Microsoft 365 Defender in your Microsoft 365 environment. Microsoft 365 Defender is a new name of Office 365 Advanced Threat Protection (Microsoft Defender for Office 365). This feature helps you reduce the risk of ransomware infection for Microsoft 365 users in your organization. The main features of Microsoft 365 Defender are intelligent detection of threats, automated investigation, and integrated protection against sophisticated ransomware attacks. Microsoft 365 Defender can be configured in Microsoft 365 security center. When users are educated and intelligent software is enabled, the level of protection is much higher.

Use versioning

Enable versioning (version history) in OneDrive settings. If ransomware encrypts objects stored in OneDrive, only the latest version of files is encrypted. You can select a previous file version and recover the needed files. Don’t forget, that before you go to recover files, you should remove ransomware from infected computers to avoid encrypting the files again. Note that recovering thousands of files by recovering previous file versions is time-consuming, and having a proper OneDrive backup will save you time and resources in this case. The OneDrive version history allows you to recover files stored in OneDrive to any version changed within the last 30 days. Check retention settings for deleted (files stored in the recycle bin) for OneDrive.

Configure retention policies. Microsoft 365 retention policies define how long data is preserved after being deleted before this data is deleted permanently. Note that storing retained data in the cloud uses storage space, which can lead to additional costs.

Back up data stored in OneDrive

Back up data stored in OneDrive. Some of the options above may not be available for all Microsoft 365 subscription plans and are probably available only for top subscription plans. Microsoft allows you to request support and restore all the data in the Office 365 cloud storage within two weeks from a data loss incident, but there is no option for granular recovery and you cannot select the needed objects to restore.

Store backups in the cloud or on-premises in a safe place. A backup repository must be well-protected and not shared with other users (it must be accessible only by backup software and administrators).

Back up data with NAKIVO Backup & Replication

Use NAKIVO Backup & Replication to protect OneDrive. NAKIVO Backup & Replication supports backup of Microsoft 365 data, including data residing in OneDrive, Exchange Online, and SharePoint Online. You can back up OneDrive data and create up to 4,000 recovery points, and later restore the needed versions of files by using these recovery points. Granular recovery allows you to recover custom files and folders of users to the original location or a custom location. One instance of NAKIVO Backup & Replication can protect thousands of Office 365 user accounts. OneDrive data is backed up to on-premises backup repositories stored on local servers. Configuration is performed in the intuitive web interface.

Read more blog posts about ransomware recovery, ransomware attacks on NAS devices to learn more about the working principle and protection against ransomware.

How to Recover OneDrive Files

If your files have been encrypted by ransomware, never pay a ransom. Paying a ransom incentivizes attackers to launch more attacks to get more money. If you pay the ransom, you don’t have any guarantees that you will recover your files fully or partially. If you realize that your OneDrive files have been encrypted after a ransomware attack, you should recover data by using native Microsoft tools or from a backup using third-party data protection software.

First of all, remove ransomware installed on all computers in your organization. If native Microsoft 365 features are enabled for user accounts in your organization, recover OneDrive files from previous versions or from the recycle bin (including the second-stage recycle bin). If you have a backup, restore data from a backup.

Read more about backup and recovery of OneDrive with NAKIVO Backup & Replication in this blog post.


This blog post covered strategies for protecting OneDrive against ransomware attacks and gave some high-level recommendations that can help you prevent OneDrive ransomware attacks. You should protect your data technically – configure security settings for all software used on all machines, and configure your data backup. In addition to that, you should educate users about how to recognize possible attempts to initiate ransomware attacks because attackers often use one of a few methods to start OneDrive ransomware attacks via regular users.

Backup is the most reliable method for restoring data if ransomware corrupts your files. Use NAKIVO Backup & Replication to protect your data stored in OneDrive.

1 Year of Free Data Protection: NAKIVO Backup & Replication

1 Year of Free Data Protection: NAKIVO Backup & Replication

Deploy in 2 minutes and protect virtual, cloud, physical and SaaS data. Backup, replication, instant recovery options.

People also read