OneDrive for Business file restore troubleshooting for ransomware recovery: restores the wrong version

Ransomware has hit your OneDrive files, and you use the OneDrive file restore feature to recover your data, but the restored files are not the version you need. They might be from a date after the ransomware encrypted them, or they might be missing changes you made before the attack. This article explains why the file restore feature can return the wrong version and how to select the correct restore point and verify your files.

Key Takeaways: Restoring the Correct OneDrive Files After Ransomware

  • OneDrive web > Settings > Restore your OneDrive: Opens the file restore wizard where you pick a date and time range for recovery.
  • Activity log in the restore wizard: Shows file changes by date; ransomware activity appears as a spike in modifications or deletions.
  • 30-day version history: Lets you manually restore a single file to a specific earlier version without using the bulk restore feature.

Why the File Restore Feature Returns the Wrong Version

The OneDrive file restore feature works by scanning the activity log for your OneDrive. It identifies all changes made during a time period you specify. When you select a date, OneDrive reverts every file that was modified, deleted, or added during that period to its state from the start of the period. The root cause of getting the wrong version is that the restore point you selected is after the ransomware started modifying your files. If you pick a restore time that is too late, you restore encrypted copies instead of clean ones. Another common cause is that ransomware may have uploaded new versions of files over several hours or days. You need a restore point before the first malicious change.

OneDrive keeps file versions for 30 days for business users. The restore wizard shows you a timeline of activity. If you do not scroll back far enough, you miss the pre-ransomware state. Additionally, the restore feature works on the entire OneDrive or a selected folder. You cannot restore only specific file types or exclude certain folders in the wizard.

Steps to Identify and Restore the Correct Version

Follow these steps to determine the exact time when your files were clean and perform a restore to that point.

  1. Sign in to OneDrive on the web
    Open a browser and go to https://onedrive.live.com. Sign in with your work or school account that has the affected files.
  2. Open the Restore your OneDrive wizard
    Click the Settings gear icon in the upper-right corner. Select Restore your OneDrive from the menu. The wizard opens and shows a timeline of your OneDrive activity.
  3. Analyze the activity log for ransomware patterns
    Look at the graph at the top of the wizard. It shows the number of files changed per day. A sudden spike in modifications or deletions usually indicates ransomware activity. Note the date when the spike begins. You need to restore to a date before that spike.
  4. Select a restore point before the attack
    Use the date picker below the graph. Choose a date and time that is at least 24 hours before the first suspicious activity. For example, if the spike starts on March 10, choose March 8 at 11:59 PM. Click Next.
  5. Preview the files that will be restored
    The wizard shows a list of files that will be reverted. Scroll through the list. Look for file names you recognize as clean. If the list contains files that appear to be encrypted names or extensions, you may still be too late. Go back and choose an earlier date.
  6. Run the restore
    When you are satisfied with the preview, click Restore. OneDrive begins reverting the files. The process can take from a few minutes to several hours depending on the number of files. You receive an email when the restore completes.
  7. Verify a sample of restored files
    Open a few files from different folders. Check that the content is the expected pre-ransomware version. If you still see encrypted content, repeat the process with an earlier restore point.
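
Steps 3 and 4 can be checked against exported activity data before you commit to a restore. The following is an added example, not part of the original article or any Microsoft tool: the record layout, the 2024 dates, and the thresholds (factor, floor, min_history) are constructed assumptions, and it reproduces the article's March 10 spike to March 8 at 11:59 PM choice.

```python
from collections import Counter
from datetime import datetime, time, timedelta
from statistics import median

CHANGE_OPS = {"modified", "deleted"}  # change types the article says to watch for

def sample_rows():
    """Constructed activity records: (ISO timestamp, operation, path)."""
    rows = []
    for day in range(1, 10):                      # normal use, March 1-9
        for n in range(3 + day % 3):
            rows.append((f"2024-03-{day:02d}T10:{n:02d}:00", "modified", f"docs/report{n}.docx"))
    for n in range(120):                          # bulk rewrite from March 10, 02:15
        rows.append((f"2024-03-10T02:{15 + n // 4:02d}:{n % 4 * 15:02d}", "modified", f"docs/file{n}.docx"))
    for n in range(40):                           # attack continues on March 11
        rows.append((f"2024-03-11T03:{n:02d}:00", "deleted", f"docs/file{n}.docx"))
    return rows

def daily_counts(rows):
    """Count modifications and deletions per calendar day."""
    counts = Counter()
    for ts, op, _path in rows:
        if op in CHANGE_OPS:
            counts[datetime.fromisoformat(ts).date()] += 1
    return counts

def first_spike_day(counts, factor=5, floor=20, min_history=3):
    """First day whose changes exceed factor x the median of the days before it."""
    days = sorted(counts)
    for i, day in enumerate(days):
        if i < min_history:
            continue  # not enough earlier days to form a baseline
        baseline = median(counts[d] for d in days[:i])
        if counts[day] > max(floor, factor * baseline):
            return day
    return None  # no clear spike: fall back to per-file version history

def restore_point(rows):
    """Suggested restore time, or None when the log shows no clear spike."""
    spike = first_spike_day(daily_counts(rows))
    if spike is None:
        return None
    # End of the day two days earlier: at least 24 hours before the spike day begins.
    return datetime.combine(spike - timedelta(days=2), time(23, 59))

if __name__ == "__main__":
    print(restore_point(sample_rows()))
```

A result of None corresponds to the slow, multi-day encryption case described later in the article, where the per-file version history is the better tool.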

If the Bulk Restore Still Returns Wrong Versions

When the bulk restore wizard repeatedly gives you the wrong version, use the manual version history feature for critical files. Right-click a file in OneDrive on the web and select Version history. A panel opens showing all saved versions with timestamps. Click the three dots next to a version from before the attack and select Restore. This method lets you pick an exact version per file. It is slower for many files but guarantees precision.

If OneDrive File Restore Still Has Issues After the Main Fix

OneDrive restores files but they are still encrypted

If the restored files remain encrypted, the ransomware may have modified files silently over several days. The activity log might not show a clear spike. In this case, restore to a point at least one week before you first noticed the attack. You can also use the Version history on a single file to find a version that is clearly not encrypted. Note the date of that version and use it as your restore point in the wizard.

OneDrive undo restore does not work

After a restore, OneDrive gives you a link to undo the restore for 30 days. If the undo does not work, the 30-day window may have expired or the restore changed too many files. You can still use Version history on individual files to revert them to the post-restore state if needed. For a full rollback, contact Microsoft support within 30 days of the restore.

OneDrive file restore is grayed out or unavailable

The restore feature is only available to users with a OneDrive for Business license. If the option is grayed out, your IT admin may have disabled it in the SharePoint admin center under Settings > OneDrive > Restore OneDrive. Contact your admin to enable it. Alternatively, your OneDrive may have version history disabled. Check with your admin to verify that version history is set to at least 14 days.

| Item | Bulk Restore (Restore Your OneDrive) | Manual Version History |
|---|---|---|
| Scope | Entire OneDrive or selected folders | Single files only |
| Restore point selection | Date and time based on activity log | Exact version from a list of all saved versions |
| Time to complete | Minutes to hours | Seconds per file |
| Risk of wrong version | Higher if restore point is too late | Lower because you pick the specific version |
| Best for | Recovering many files quickly after a known attack time | Recovering critical files when the attack time is uncertain |

You now know why the OneDrive file restore feature can return the wrong version after a ransomware attack. The key is to identify the exact time the ransomware started modifying files and restore to a point before that time. Use the activity log in the restore wizard to find the attack spike. If the bulk restore still gives wrong versions, switch to manual version history for each file. As an advanced tip, enable OneDrive Files On-Demand so that local copies are not automatically synced during an attack, giving you a clean local backup to fall back on.
