OneDrive for Business file restore restores the wrong version for ransomware recovery: Fix Guide
WiseChecker

When ransomware encrypts or renames your files, OneDrive for Business file restore should roll back to a clean version. But sometimes the restore applies a version that still contains encrypted data or is missing recent legitimate changes. This happens because the restore point you selected may fall after some files were already encrypted, or because the restore range does not cover the correct time window. This guide explains why the wrong version gets restored and provides step-by-step fixes to recover the correct files.

Key Takeaways: Restore the Correct OneDrive Files After Ransomware

  • OneDrive web > Settings > Restore your OneDrive: Use the activity log to select a restore point that predates the ransomware encryption, not the first clean version you see.
  • Check file version history: Right-click a file in OneDrive web and select Version history to verify that the pre-encryption version exists before running a bulk restore.
  • Use Known Folder Move backup: If Desktop, Documents, and Pictures are redirected to OneDrive, restore those folders separately from the main OneDrive library to avoid mixing versions.

Why OneDrive Restores the Wrong Version After Ransomware

OneDrive for Business file restore works by scanning your activity log and presenting a timeline of file changes. When you choose a restore point, OneDrive reverts every file in your library to the state it was in at that specific time. The problem is that ransomware often encrypts files in waves, and legitimate file edits may have occurred between the start of the attack and the moment you notice it. If you select a restore point that is too early, you lose legitimate changes. If you select one that is too late, some files may still be encrypted.

Another cause is that OneDrive file restore works on the entire library, not on individual files. If ransomware only affected a subset of files, the restore still rewinds every file in your OneDrive. This can reintroduce old versions of files that were intentionally updated after the restore point. Additionally, OneDrive version history keeps up to 500 major versions per file. If a file has been edited hundreds of times, the pre-encryption version may be buried deep in the list and not appear in the default restore timeline.

The Role of Ransomware Encryption Patterns

Ransomware does not always encrypt all files at once. Some variants encrypt files one by one over several hours. This means that at any given restore point, some files are still clean while others are already encrypted. OneDrive file restore treats all files at the same timestamp, so a single restore point cannot fix a staggered attack. You must identify the exact time when each file was last clean, which the default restore tool does not do.

Steps to Identify and Restore the Correct Version

Follow these steps to recover the correct files after a ransomware attack. Do not run a bulk restore until you confirm that the restore point includes clean versions of your critical files.

  1. Check the OneDrive activity log for the attack start time
    Sign in to OneDrive web at onedrive.live.com. Click the Settings gear icon, then select Restore your OneDrive. The activity log shows file changes in reverse chronological order. Look for a pattern of files being renamed or having their content replaced. Note the timestamp of the first suspicious activity. This is the time you must restore to or before.
  2. Verify file version history for a critical file
    Right-click a file that you know was encrypted. Select Version history. Review the list of saved versions. Each version shows a timestamp and the user who saved it. Find the last version that was saved before the attack start time you noted in step 1. If that version is clean, the restore point is valid. If not, you need an earlier restore point.
  3. Select a restore point that predates all encryption
    Go back to Restore your OneDrive. The timeline shows suggested restore points based on suspicious activity. Click Custom date and time, then enter a date and time that is at least one hour before the first suspicious activity you identified. Do not use the suggested points unless you have verified them with version history.
  4. Preview the restore impact before applying
    OneDrive file restore shows a preview of how many files will be changed and how many will be restored. Review the list of affected files. If you see files that should not be changed, cancel the restore and choose a different date. If the preview shows only the files you expect, click Restore.
  5. Restore individual files if the bulk restore fails
    If the bulk restore still returns wrong versions, restore files one by one using version history. Right-click each encrypted file, select Version history, find the clean version, and click Restore. This method is slower but guarantees the correct version for each file.
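As an added example (not from the original guide), the decision logic of steps 1 to 5 applied in Python to a constructed activity log. It assumes that the ransomware renames files with a ".locked" suffix (the indicator you would read off your own activity log) and ISO 8601 timestamps, and it shows why a staggered attack leaves some files better restored from Version history than from the bulk rewind.

```python
from datetime import datetime, timedelta

# Constructed OneDrive activity-log sample (not real tenant data): entries are
# (file path, UTC timestamp, action, new name for renames), encrypted one by one.
SAMPLE_LOG = [
    ("Documents/budget.xlsx", "2024-03-04T08:15:00", "edit", ""),
    ("Documents/report.docx", "2024-03-04T09:40:00", "edit", ""),
    ("Documents/budget.xlsx", "2024-03-04T11:02:00", "rename", "Documents/budget.xlsx.locked"),
    ("Documents/plan.pptx", "2024-03-04T11:30:00", "edit", ""),  # legitimate edit mid-attack
    ("Documents/report.docx", "2024-03-04T13:45:00", "rename", "Documents/report.docx.locked"),
    ("Documents/plan.pptx", "2024-03-04T14:10:00", "rename", "Documents/plan.pptx.locked"),
    ("Documents/notes.txt", "2024-03-04T15:00:00", "edit", ""),  # never encrypted
]
SUSPICIOUS_SUFFIXES = (".locked",)  # assumed indicator; use the suffix seen in your log

def first_suspicious_per_file(log):
    """Step 1: earliest encryption-like event per file (log order is not assumed)."""
    hit = {}
    for path, ts, action, detail in log:
        if action == "rename" and detail.endswith(SUSPICIOUS_SUFFIXES):
            t = datetime.fromisoformat(ts)
            if path not in hit or t < hit[path]:
                hit[path] = t
    return hit

def last_clean_version_per_file(log, hit):
    """Step 2: newest edit of each encrypted file that predates its own encryption."""
    clean = {}
    for path, ts, action, _ in log:
        t = datetime.fromisoformat(ts)
        if path in hit and action == "edit" and t < hit[path]:
            if path not in clean or t > clean[path]:
                clean[path] = t
    return clean

def choose_restore_point(hit, margin=timedelta(hours=1)):
    """Step 3: one bulk restore point at least `margin` before the first suspicious event."""
    return min(hit.values()) - margin

def encrypted_files_rewound(hit, restore_point):
    """Step 4 preview: encrypted files a bulk restore would actually roll back.
    An empty list is the 'zero files to recover' symptom: the point is after the encryption."""
    return sorted(p for p, t in hit.items() if t > restore_point)

def needs_individual_restore(clean, restore_point):
    """Step 5: files whose last clean version is newer than the bulk point; restore
    these from Version history so the bulk rewind does not hand back an older copy."""
    return sorted(p for p, t in clean.items() if t > restore_point)
```

In the sample, plan.pptx was legitimately edited at 11:30 and encrypted at 14:10, so the one-size bulk point of 10:02 would discard that edit while Version history still has it.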

If OneDrive File Restore Still Returns the Wrong Version

Even after following the steps above, you may encounter specific failure patterns. Each has a different cause and fix.

Restore point shows zero files to recover

This happens when the restore point you selected is after the ransomware encrypted the files. OneDrive sees the encrypted version as the current version and finds nothing to restore. Go back to step 3 and choose a date at least two hours before the attack. If the activity log does not go back far enough, contact your Microsoft 365 admin to extend version history retention beyond the default 30 days.

Restored files are still encrypted or corrupted

The restore point you selected was during the encryption window. Some files were already encrypted when the restore point was created. Use version history to restore those specific files individually. To avoid this in the future, create a manual restore point immediately after detecting ransomware by using the Restore your OneDrive tool and selecting the current time as the restore point. This gives you a known clean baseline.

OneDrive file restore reverts files that were not affected by ransomware

This is by design. OneDrive file restore rewinds the entire library to the selected timestamp. Files that were edited after the restore point will lose those changes. To prevent this, move unaffected files to a different folder or another OneDrive library before running the restore. After the restore, copy them back. Alternatively, use version history to restore only the affected files.

File Restore Methods: Bulk vs Individual Version History

| Item | Bulk Restore | Individual Version History |
|---|---|---|
| Scope | All files in the OneDrive library | Single file at a time |
| Speed | Fast for large libraries | Slow for many files |
| Version accuracy | Restores all files to the same timestamp | You pick the exact version per file |
| Risk of data loss | May revert legitimate changes made after the restore point | No risk to other files |
| Best use case | Ransomware that encrypted all files at once | Staggered encryption or only a few files affected |

You can now identify the correct restore point and recover files after a ransomware attack without losing legitimate changes. After restoring, verify each critical file by opening it in its native application. To prevent future data loss, enable OneDrive Files On-Demand and set version history retention to at least 60 days in the Microsoft 365 admin center. A practical tip: create a test folder with dummy files and run a trial restore immediately after configuring retention to confirm the restore process works as expected.