Ransomware detection notifies you when your OneDrive files have been attacked and guides you through the process of restoring your files. Ransomware is a type of malicious software (malware) designed to block access to your files until you pay money.
When Microsoft 365 detects a ransomware attack, you'll get a notification on your device and receive an email from Microsoft 365. If you're not a subscriber, your first notification and recovery is free. See available plans.
Steps to the ransomware detection and recovery process on the OneDrive website
If Microsoft 365 detected a ransomware attack, you see the Signs of ransonware detected screen when you go to the OneDrive website (you might need to sign in first). Select the Get started button to begin.
Step 1: Confirm your files are infected
On the Do these files look right? screen, we'll show you some suspicious files. If they have the wrong name or suffix, or don't look right when you open them from the list, they're likely compromised by ransomware.
Select a file to open it in the online viewer. (This won't download the file to your device.)
If you don't see the file, you'll have the option to download it to your device so can open it.
Repeat steps 1 and 2 for as many files as you want to see.
If your files are infected, select My files are infected to move to the next step in the ransomware recovery process. Otherwise, if your files look fine and you're confident they aren't infected with ransomware, select My files are ok.
If you choose My files are ok, you'll exit the ransomware recovery process and you'll go back to using OneDrive as usual.
Step 2: Clean all your devices
On the Clean all your devices screen, you'll see instructions for cleaning all your devices where you use OneDrive. Before you restore your files, it's important to use anivirus software to clean all your devices. Otherwise, your files could get encrypted again when you restore them.
Select the link for the version of Windows that you're using and follow the instructions in the article.
Repeat step 1 for all the other devices where you use OneDrive.
After completing the steps in the articles, return to the Clean all your devices page on the OneDrive website and choose one of these buttons:
All my devices are clean. Select this button when you've finished cleaning all your devices, and you're ready to move to the last step in the recovery process, which is to restore your files from OneDrive.
Antivirus can't clean all my devices. Select this button after you're tried to clean your devices and discovered that you can't clean all your devices for whatever reason. You'll now be on the Reset devices page, which lists information about how to reset your devices.
Follow the links based on your operating system. When you've cleaned or reset all your devices, go back to the OneDrive website to return to the Reset devices page, select the My devices are all clean or reset box, and then select OK.
Step 3: Restore your files from OneDrive
The final step after all your devices are clean is to restore your OneDrive.
When you reach this step, the time and date that ransomware was detected will automatically be selected for you.
Need more help?
For technical support, go to Contact Microsoft Support, enter your problem and select Get Help. If you still need help, select Contact Support to be routed to the best support option.