Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Ransomware on my OneDrive


  • Please log in to reply
17 replies to this topic

#1 mikehextall

mikehextall

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:04:42 PM

Posted 16 May 2017 - 07:13 AM

I have recently been hit by the Ransomware virus and it got everything incuding the files in my Onedrive folder. Sadly these files have subsequently uploaded to Onedrive so I have lost all my business documents. Please spare me the lecture about backing up etc, I have heard it all several times already and have unfortunately learnt the hard way. My question is, should or do Microsoft back up my files on their own server incase of failures their end and should they be able to provide me with a copy of the files unharmed as a result??

 

Thanks

Mike


Edited by hamluis, 21 May 2017 - 05:50 PM.
Moved from Backup/Imaging to Ransomware - Hamluis.


BC AdBot (Login to Remove)

 


#2 smax013

smax013

  • BC Advisor
  • 2,329 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:10:42 AM

Posted 16 May 2017 - 07:31 AM

Which version of OneDrive are you using? Personal or Business?

I know that the Business version has "versioning" (i.e. ability to restore old versions) by way of a quick search. I believe the Personal version does as well, but could not easily verify that with a search.

If you do have versioning, then should should be able to restore an older version of the file...i.e. presumably one just before it was encrypted by the ransomware (I would assume that when the file was encrypted that the resulting encrypted file would be considered a new version, especially if the encryption also changed the name).

Just make sure you restore the files to a computer that does not have the ransomware on it (i.e. either after you have "cleaned" your computer or to another computer not hit).

#3 mikehextall

mikehextall
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:04:42 PM

Posted 16 May 2017 - 07:36 AM

Which version of OneDrive are you using? Personal or Business?

I know that the Business version has "versioning" (i.e. ability to restore old versions) by way of a quick search. I believe the Personal version does as well, but could not easily verify that with a search.

If you do have versioning, then should should be able to restore an older version of the file...i.e. presumably one just before it was encrypted by the ransomware (I would assume that when the file was encrypted that the resulting encrypted file would be considered a new version, especially if the encryption also changed the name).

Just make sure you restore the files to a computer that does not have the ransomware on it (i.e. either after you have "cleaned" your computer or to another computer not hit).

That sounds promising, how do I get at this "versioning" is it in a right click menu or perhaps somewhere in the Webportal?



#4 smax013

smax013

  • BC Advisor
  • 2,329 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:10:42 AM

Posted 16 May 2017 - 07:41 AM

That sounds promising, how do I get at this "versioning" is it in a right click menu or perhaps somewhere in the Webportal?


That is kind of why I asked which version you were using. For the Business version, it appears you can get to them through the webpage/portal access for your OneDrive account (and this is also how Dropbox works...which why I assumed that OneDrive offered the same ability and did a search). For the Personal version, it was less clear, but appeared to maybe be done through the desktop app. I did not want to spend on a lot of time searching until I knew which version you had.

#5 mikehextall

mikehextall
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:04:42 PM

Posted 16 May 2017 - 07:43 AM

 

That sounds promising, how do I get at this "versioning" is it in a right click menu or perhaps somewhere in the Webportal?


That is kind of why I asked which version you were using. For the Business version, it appears you can get to them through the webpage/portal access for your OneDrive account (and this is also how Dropbox works...which why I assumed that OneDrive offered the same ability and did a search). For the Personal version, it was less clear, but appeared to maybe be done through the desktop app. I did not want to spend on a lot of time searching until I knew which version you had.

 

Well I am at work so cannot confirm which version it is. What I do know is that there is a "Business" folder in my onedrive but not sure if that means anything in regards to what version it is. I will give it a try when I get home.



#6 smax013

smax013

  • BC Advisor
  • 2,329 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:10:42 AM

Posted 16 May 2017 - 07:58 AM

Well I am at work so cannot confirm which version it is. What I do know is that there is a "Business" folder in my onedrive but not sure if that means anything in regards to what version it is. I will give it a try when I get home.


If it is on a home computer, then odds a pretty good that it is the Personal version. The Business version is aimed more at companies with multiple users, so 1) it will cost money (you can get a "basic" Personal OneDrive account for free, but you are limited to 5 GB); and 2) you pay per user. If you have more than 5 GB of storage on OneDrive, then you do not have a free account. If you paid for Office 365 (either $70 per year for one computer or $100 for 5 computers for personal/home plans), then you got OneDrive as part of that.

I did find the following page for dealing with OneDrive Personal. From looking at that page, it looks like the versioning on OneDrive only works with Office documents. I don't know that is true or not as I am not current using my OneDrive (I do have Office 365).

https://answers.microsoft.com/en-us/onedrive/forum/odoptions-oddesktop/enable-version-history-in-one-drive/05b75ffa-0ca2-4e0b-945c-9bd0f50348ec

I did create a quick Word document online and made changes to it. I could then go to the versions of that Word document in OneDrive using the browser. So, the Personal does have versioning for at least Office documents.

#7 mikehextall

mikehextall
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:04:42 PM

Posted 16 May 2017 - 08:00 AM

 

Well I am at work so cannot confirm which version it is. What I do know is that there is a "Business" folder in my onedrive but not sure if that means anything in regards to what version it is. I will give it a try when I get home.


If it is on a home computer, then odds a pretty good that it is the Personal version. The Business version is aimed more at companies with multiple users, so 1) it will cost money (you can get a "basic" Personal OneDrive account for free, but you are limited to 5 GB); and 2) you pay per user. If you have more than 5 GB of storage on OneDrive, then you do not have a free account. If you paid for Office 365 (either $70 per year for one computer or $100 for 5 computers for personal/home plans), then you got OneDrive as part of that.

I did find the following page for dealing with OneDrive Personal. From looking at that page, it looks like the versioning on OneDrive only works with Office documents. I don't know that is true or not as I am not current using my OneDrive (I do have Office 365).

https://answers.microsoft.com/en-us/onedrive/forum/odoptions-oddesktop/enable-version-history-in-one-drive/05b75ffa-0ca2-4e0b-945c-9bd0f50348ec

I did create a quick Word document online and made changes to it. I could then go to the versions of that Word document in OneDrive using the browser. So, the Personal does have versioning for at least Office documents.

 

That is the best news I have heard since Saturday morning, I will check later and confirm. Thank you so much for taking the time to find out.



#8 smax013

smax013

  • BC Advisor
  • 2,329 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:10:42 AM

Posted 16 May 2017 - 08:14 AM

That is the best news I have heard since Saturday morning, I will check later and confirm. Thank you so much for taking the time to find out.


No problem. Glad to help. Hopefully, you did not take my "nagging" about backing up in my signature as a lecture (even though that is kind of why it is there)! :grinner:

Just out of curiosity, was this ransomeware due to this recent widespread attack? I ask because it if it not and is an older ransonware, then there might be a way to remove it and decrypt the files. Have you posted to the Ransonware Help forum on this forum site? They might be able to help if it is an older ransonware.

#9 mikehextall

mikehextall
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:04:42 PM

Posted 16 May 2017 - 08:29 AM

 

That is the best news I have heard since Saturday morning, I will check later and confirm. Thank you so much for taking the time to find out.


No problem. Glad to help. Hopefully, you did not take my "nagging" about backing up in my signature as a lecture (even though that is kind of why it is there)! :grinner:

Just out of curiosity, was this ransomeware due to this recent widespread attack? I ask because it if it not and is an older ransonware, then there might be a way to remove it and decrypt the files. Have you posted to the Ransonware Help forum on this forum site? They might be able to help if it is an older ransonware.

 

I believe it is related to the recent attack and I have posted in this forum but have been told that there is currently no way of decrypting the file currently. All I can do is archive them and hope one day someone gets the master key.



#10 smax013

smax013

  • BC Advisor
  • 2,329 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:10:42 AM

Posted 16 May 2017 - 08:36 AM

I believe it is related to the recent attack and I have posted in this forum but have been told that there is currently no way of decrypting the file currently. All I can do is archive them and hope one day someone gets the master key.


Yeah, after I posted that reply I got the brilliant idea to check your other topics and saw your other topic. Hopefully, you can at least get some stuff back by way of OneDrive.

#11 mikehextall

mikehextall
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:04:42 PM

Posted 16 May 2017 - 08:42 AM

 

I believe it is related to the recent attack and I have posted in this forum but have been told that there is currently no way of decrypting the file currently. All I can do is archive them and hope one day someone gets the master key.


Yeah, after I posted that reply I got the brilliant idea to check your other topics and saw your other topic. Hopefully, you can at least get some stuff back by way of OneDrive.

 

The other stuff is things I can do without like music and games etc, all my pictures are thankfully backed up to Google Photos. The one thing I lost that crippled me the most was my business files, all the templates I used and my accounting spreadsheet. Fortunately though the hacker mentioned in his ransome note that he would decrypt 5 files for me to prove he could and he kindly decrypted the two business files I needed the most lol.



#12 RolandJS

RolandJS

  • Members
  • 4,520 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Austin TX metro area
  • Local time:10:42 AM

Posted 16 May 2017 - 11:13 AM

BC recommends this place:  https://id-ransomware.malwarehunterteam.com/  Have you already tried this site?


"Take care of thy backups and thy restores shall take care of thee."  -- Ben Franklin revisited.

http://collegecafe.fr.yuku.com/forums/45/Computer-Technologies/

Backup, backup, backup! -- Lady Fitzgerald (w7forums)

Clone or Image often! Backup... -- RockE (WSL)


#13 mikehextall

mikehextall
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:04:42 PM

Posted 16 May 2017 - 11:24 AM

BC recommends this place:  https://id-ransomware.malwarehunterteam.com/  Have you already tried this site?

I have now got back just about every file I had one Onedrive. It appears as though when the files got encrypted all the original files got shoved into the Recycle bin, every single file is there from Saturday which is when the virus struck.



#14 smax013

smax013

  • BC Advisor
  • 2,329 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:10:42 AM

Posted 17 May 2017 - 12:56 AM

BC recommends this place:  https://id-ransomware.malwarehunterteam.com/  Have you already tried this site?

I have now got back just about every file I had one Onedrive. It appears as though when the files got encrypted all the original files got shoved into the Recycle bin, every single file is there from Saturday which is when the virus struck.


Glad to hear it. That is the advantage of online sync services...they can act as a form of a backup.

#15 MDD1963

MDD1963

  • Members
  • 699 posts
  • OFFLINE
  •  
  • Local time:12:42 AM

Posted 25 May 2017 - 02:51 AM

 

BC recommends this place:  https://id-ransomware.malwarehunterteam.com/  Have you already tried this site?

I have now got back just about every file I had one Onedrive. It appears as though when the files got encrypted all the original files got shoved into the Recycle bin, every single file is there from Saturday which is when the virus struck.

 

Pretty incompetent of the ransomware writers, ....fortunately!


Asus Z270A Prime/7700K/32 GB DDR4-3200/GTX1060





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users