Ransomware detection and recovering your files

Ransomware detection and recovering your files

Productivity apps, 1 TB of OneDrive, and advanced security.

Get a month free

Ransomware detection notifies you when your OneDrive files have been attacked and guides you through the process of restoring your files. Ransomware is a type of malicious software (malware) designed to block access to your files until you pay money.

When Microsoft 365 detects a ransomware attack, you'll get a notification on your device and receive an email from Microsoft 365. If you're not a subscriber, your first notification and recovery is free. See available plans.

  1. Click the link in the notification or in the email, or go to the OneDrive website, and we'll walk you through the recovery process, which includes:

  2. Confirm your files are infected.

  3. Clean all your devices.

  4. Restore your OneDrive.

Screenshot of the Ransomware Detection email from Microsoft

Steps to the ransomware detection and recovery process on the OneDrive website

If Microsoft 365 detected a ransomware attack, you see the Signs of ransonware detected screen when you go to the OneDrive website (you might need to sign in first). Select the Get started button to begin.

Screenshot of the Signs of ransomware detected screen on the OneDrive website

Step 1: Confirm your files are infected

On the Do these files look right? screen, we'll show you some suspicious files. If they have the wrong name or suffix, or don't look right when you open them from the list, they're likely compromised by ransomware.

Screenshot of the Do these files look right screen on the OneDrive website

  1. Select a file to open it in the online viewer. (This won't download the file to your device.)

  2. If you don't see the file, you'll have the option to download it to your device so can open it.

  3. Repeat steps 1 and 2 for as many files as you want to see.

  4. If your files are infected, select My files are infected to move to the next step in the ransomware recovery process. Otherwise, if your files look fine and you're confident they aren't infected with ransomware, select My files are ok.

    If you choose My files are ok, you'll exit the ransomware recovery process and you'll go back to using OneDrive as usual.

Step 2: Clean all your devices

On the Clean all your devices screen, you'll see instructions for cleaning all your devices where you use OneDrive. Before you restore your files, it's important to use anivirus software to clean all your devices. Otherwise, your files could get encrypted again when you restore them.

Screenshot of the Clean all your devices screen on the OneDrive website

  1. Select the link for the version of Windows that you're using and follow the instructions in the article.

  2. Repeat step 1 for all the other devices where you use OneDrive.

  3. After completing the steps in the articles, return to the Clean all your devices page on the OneDrive website and choose one of these buttons:

    • All my devices are clean. Select this button when you've finished cleaning all your devices, and you're ready to move to the last step in the recovery process, which is to restore your files from OneDrive.

    • Antivirus can't clean all my devices. Select this button after you're tried to clean your devices and discovered that you can't clean all your devices for whatever reason. You'll now be on the Reset devices page, which lists information about how to reset your devices.

      Screenshot of the Rest devices screen on the OneDrive website

      Follow the links based on your operating system. When you've cleaned or reset all your devices, go back to the OneDrive website to return to the Reset devices page, select the My devices are all clean or reset box, and then select OK.

Step 3: Restore your files from OneDrive

The final step after all your devices are clean is to restore your OneDrive.

When you reach this step, the time and date that ransomware was detected will automatically be selected for you.

Learn more

Find lost or missing files in OneDrive

View previous versions of Office files

How malware can infect your PC

Office 365 advanced protection

Need more help?


Get online help
See more support pages for OneDrive and OneDrive for work or school.
For the OneDrive mobile app, see Troubleshoot OneDrive mobile app problems.

OneDrive Admins can also view the OneDrive Tech Community, Help for OneDrive for Admins.

Microsoft virtual support agent icon

Contact Support
If you still need help, contact support through your browser or shake your mobile device while you're in the OneDrive app.

OneDrive Admins can contact Microsoft 365 for business support.

Office 365 community forums

Got feedback?
OneDrive UserVoice is your place to suggest the features you’d like to see us add to OneDrive. While we can’t guarantee any specific features or timelines, we will respond to every suggestion that gets at least 500 votes.

Go to the OneDrive UserVoice.

Need more help?

Expand your Office skills
Explore training
Get new features first
Join Office Insiders

Was this information helpful?

Thank you for your feedback!

Thank you for your feedback! It sounds like it might be helpful to connect you to one of our Office support agents.