Ransomware detection and recovering your files

Ransomware detection notifies you when your OneDrive files have been attacked and guides you through the process of restoring your files. Ransomware is a type of malicious software (malware) designed to block access to your files until you pay money.

When Microsoft 365 detects a ransomware attack, you'll get a notification on your device and receive an email from Microsoft 365. If you're not a subscriber, your first notification and recovery is free. See available plans.

  1. Click the link in the notification or in the email, or go to the OneDrive website, and we'll walk you through the recovery process, which includes:

  2. Confirm your files are infected.

  3. Clean all your devices.

  4. Restore your OneDrive.

Screenshot of the Ransomware Detection email from Microsoft

Steps to the ransomware detection and recovery process on the OneDrive website

If Microsoft 365 detected a ransomware attack, you see the Signs of ransonware detected screen when you go to the OneDrive website (you might need to sign in first). Select the Get started button to begin.

Screenshot of the Signs of ransomware detected screen on the OneDrive website

Step 1: Confirm your files are infected

On the Do these files look right? screen, we'll show you some suspicious files. If they have the wrong name or suffix, or don't look right when you open them from the list, they're likely compromised by ransomware.

Screenshot of the Do these files look right screen on the OneDrive website

  1. Select a file to open it in the online viewer. (This won't download the file to your device.)

  2. If you don't see the file, you'll have the option to download it to your device so can open it.

  3. Repeat steps 1 and 2 for as many files as you want to see.

  4. If your files are infected, select My files are infected to move to the next step in the ransomware recovery process. Otherwise, if your files look fine and you're confident they aren't infected with ransomware, select My files are ok.

    If you choose My files are ok, you'll exit the ransomware recovery process and you'll go back to using OneDrive as usual.

Step 2: Clean all your devices

On the Clean all your devices screen, you'll see instructions for cleaning all your devices where you use OneDrive. Before you restore your files, it's important to use anivirus software to clean all your devices. Otherwise, your files could get encrypted again when you restore them.

Screenshot of the Clean all your devices screen on the OneDrive website

  1. Select the link for the version of Windows that you're using and follow the instructions in the article.

  2. Repeat step 1 for all the other devices where you use OneDrive.

  3. After completing the steps in the articles, return to the Clean all your devices page on the OneDrive website and choose one of these buttons:

    • All my devices are clean. Select this button when you've finished cleaning all your devices, and you're ready to move to the last step in the recovery process, which is to restore your files from OneDrive.

    • Antivirus can't clean all my devices. Select this button after you're tried to clean your devices and discovered that you can't clean all your devices for whatever reason. You'll now be on the Reset devices page, which lists information about how to reset your devices.

      Screenshot of the Rest devices screen on the OneDrive website

      Follow the links based on your operating system. When you've cleaned or reset all your devices, go back to the OneDrive website to return to the Reset devices page, select the My devices are all clean or reset box, and then select OK.

Step 3: Restore your files from OneDrive

The final step after all your devices are clean is to restore your OneDrive.

When you reach this step, the time and date that ransomware was detected will automatically be selected for you.

Learn more

Find lost or missing files in OneDrive

View previous versions of Office files

How malware can infect your PC

Learn more about Microsoft 365 advanced protection

Need more help?

Contact support icon

Contact Support
For help with your Microsoft account and subscriptions, visit Account & Billing Help.

For technical support, go to Contact Microsoft Support, enter your problem and select Get Help. If you still need help, select Contact Support to be routed to the best support option.

Work or school badge

Admins
Admins should view Help for OneDrive Admins, the OneDrive Tech Community or contact Microsoft 365 for business support.

Need more help?

Expand your skills
Explore Training
Get new features first
Join Microsoft Insiders

Was this information helpful?

What affected your experience?

Thank you for your feedback!

×