Ransomware detection and recovering your files

OneDrive (home or personal) OneDrive for Mac OneDrive for Windows

Productivity apps, 1 TB of OneDrive, and advanced security

Unlock now

Ransomware detection notifies you when your OneDrive files have been attacked and guides you through the process of restoring your files. Ransomware is a type of malicious software (malware) designed to block access to your files until you pay money.

When Microsoft 365 detects a ransomware attack, you'll get a notification on your device and receive an email from Microsoft 365. If you're not a subscriber, your first notification and recovery is free. See available plans.

  1. Click the link in the notification or in the email, or go to the OneDrive website, and we'll walk you through the recovery process, which includes:
  2. Confirm your files are infected.
  3. Clean all your devices.
  4. Restore your OneDrive.

https://support.content.office.net/en-us/media/7d9a7eee-0f81-4bef-8123-da913dad839b.png

Steps to the ransomware detection and recovery process on the OneDrive website

If Microsoft 365 detected a ransomware attack, you see the Signs of ransonware detected screen when you go to the OneDrive website (you might need to sign in first). Select the Get started button to begin.

https://support.content.office.net/en-us/media/d9fb8f21-8e93-45cd-95c2-fba8e6a888c4.png

Step 1: Confirm your files are infected

On the Do these files look right? screen, we'll show you some suspicious files. If they have the wrong name or suffix, or don't look right when you open them from the list, they're likely compromised by ransomware.

https://support.content.office.net/en-us/media/67999060-db33-4e44-b0f3-272dd4538628.png

  1. Select a file to open it in the online viewer. (This won't download the file to your device.)
  2. If you don't see the file, you'll have the option to download it to your device so can open it.
  3. Repeat steps 1 and 2 for as many files as you want to see.