How OneDrive protects against ransomware
Short answer: OneDrive maintains a version history for every file it syncs. When ransomware encrypts files on your laptop and the OneDrive desktop app syncs those encrypted versions to the cloud, Microsoft detects the unusual mass-upload pattern and may automatically alert you. Even without that alert, the Files Restore feature lets you roll back your entire OneDrive to a specific point in time — up to 30 days before — undoing the ransomware's encrypted versions and replacing them with the clean originals. This feature exists specifically because ransomware is one of the most common data-loss scenarios Microsoft encounters globally.
Step-by-step OneDrive ransomware rollback
Step 1: Isolate the infected device immediately
Before opening a browser or touching OneDrive, disconnect the infected laptop from Wi-Fi and unplug any Ethernet cable. Every minute the laptop stays connected, the OneDrive sync client may be uploading more encrypted files. Once isolated, the cloud copy stops receiving new damage. Do not sign out of OneDrive or pause sync from the taskbar icon — simply disconnecting the network is sufficient and safer.
Step 2: Access OneDrive Files Restore on a different, clean device
On a clean device (a different laptop, phone, or tablet), open a browser and go to onedrive.live.com or your organisation's M365 portal. Sign in with the affected account. Click the Settings gear (top right) → Restore your OneDrive. You'll see an activity graph showing file modifications over time. The spike in activity representing the ransomware encryption event is usually visible as a sudden peak. Set the date slider to a point before that spike — a few hours before the attack is ideal — and click Restore.
Step 3: Verify restored files before reconnecting the laptop
After the rollback completes, spot-check several restored files directly in OneDrive on the web to confirm they open correctly. Files encrypted by ransomware typically have a different file extension (.locked, .encrypted, a random string) or are unreadable when opened. Once the restored files look correct, clean the infected laptop (remove the malware or reinstall the OS) before reconnecting it to the internet and re-enabling OneDrive sync. Reconnecting without cleaning means the ransomware will re-encrypt files and re-upload them.
Step 4: The India angle — ransomware spread patterns in Indian offices
The ransomware incidents we see in Hyderabad IT offices typically start with a phishing email (fake invoice or HR document) that an employee opens on their work laptop. The malware spreads across the local network drive and encrypts shared folders, and if a network drive is mapped into OneDrive sync, the encrypted versions sync up. The most common gap: employees use personal Microsoft accounts (with free OneDrive) rather than M365 Business accounts. Free OneDrive has per-file version history but no bulk Files Restore rollback, meaning recovery requires restoring file versions individually, which is impractical for hundreds of files. Our ransomware recovery guide covers the broader response steps.
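The spot-check from Step 3 can be scripted when there are too many restored files to open one by one. This added example (not part of the original guide) scans a downloaded copy of the restored files on the clean device and goes beyond the extension check by also comparing file headers and, for plain-text types, measuring randomness. The header table, the 7.0 entropy threshold and the sample files are assumptions constructed for illustration.

```python
import math
import tempfile
from collections import Counter
from pathlib import Path

RANSOM_EXTS = {".locked", ".encrypted"}  # extensions named in Step 3
ZIP = b"PK\x03\x04"  # Office Open XML files are ZIP containers
MAGIC = {".pdf": b"%PDF", ".png": b"\x89PNG", ".jpg": b"\xff\xd8\xff",
         ".docx": ZIP, ".xlsx": ZIP, ".pptx": ZIP}
TEXT_EXTS = {".txt", ".csv", ".log"}  # entropy is only meaningful for uncompressed types

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 to 8.0)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def check_file(path: Path) -> str:
    """Return 'ok' or the reason the file looks encrypted."""
    ext = path.suffix.lower()
    if ext in RANSOM_EXTS:
        return "ransomware extension"
    with path.open("rb") as f:
        head = f.read(4096)
    if ext in MAGIC and not head.startswith(MAGIC[ext]):
        return "header does not match extension"
    if ext in TEXT_EXTS and entropy(head) > 7.0:
        return "text file with random-looking content"
    return "ok"

def scan(folder: Path) -> dict:
    """Map each flagged file (relative path) to the reason."""
    flagged = {}
    for p in sorted(folder.rglob("*")):
        if p.is_file() and (reason := check_file(p)) != "ok":
            flagged[p.relative_to(folder).as_posix()] = reason
    return flagged

def build_sample(folder: Path) -> None:
    """Constructed sample data: two healthy files, three damaged ones."""
    noise = bytes((i * 197 + 13) % 256 for i in range(4096))  # stand-in for ciphertext
    (folder / "invoice.pdf").write_bytes(b"%PDF-1.7\n% constructed sample\n")
    (folder / "notes.txt").write_text("constructed meeting notes\n" * 20)
    for name in ("report.pdf", "budget.xlsx.locked", "todo.txt"):
        (folder / name).write_bytes(noise)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        build_sample(Path(d))
        for name, reason in scan(Path(d)).items():
            print(f"{name}: {reason}")
```

To check real data, call scan() on the folder where the restored files were downloaded. An empty result means no file matched these three checks, not that every file is intact.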
When to call a recovery service (and what it costs in India)
When DIY ends
Stop and call a professional if: the ransomware also encrypted local files not in OneDrive (common for files on the Desktop or Documents if those weren't included in the sync), the attack deleted shadow copies (VSS snapshots) preventing Windows-level recovery, or the laptop itself needs a clean OS reinstall after malware removal.
Typical cost in India
OneDrive rollback guidance (admin assistance): ₹1,500–₹4,000. Local file recovery via shadow copy (if not deleted): ₹3,000–₹8,000. Full ransomware remediation including OS reinstall and data verification: ₹5,000–₹15,000. See our data recovery service and the M365 mailbox recovery guide for related scenarios.
A note from the LRW Engineer Team
OneDrive's ransomware protection is genuinely useful, but it only works for files that were already synced to OneDrive before the attack. Files created after the last successful sync, or files in locations not covered by OneDrive, are unprotected. The practical recommendation: configure OneDrive to sync your entire Documents, Desktop, and Pictures folders (via OneDrive's Known Folder Move feature) so that everything important is covered. It takes three minutes to set up and potentially saves everything.