OneDrive Admin Checklist: file restore restores the wrong version for ransomware recovery

When you use the OneDrive admin restore feature to recover files after a ransomware attack, you may find that restored files contain the wrong version. This happens because the restore point you select captures the state of files at a specific moment, but ransomware can modify files multiple times before you notice the attack. This article explains why the wrong version appears and provides a structured checklist to ensure you restore the correct, clean version of your files.

Key Takeaways: Restoring the Correct OneDrive Files After Ransomware

  • OneDrive admin center > Restore OneDrive > Select a date and time: Choose a restore point before the first ransomware encryption event, not after the attack started.
  • Version history on individual files: Use this to restore a specific earlier version if the bulk restore point includes partially encrypted files.
  • Known Folder Move backup: Check desktop, Documents, and Pictures folders separately because ransomware often targets these first.

Why OneDrive File Restore May Return the Wrong Version After Ransomware

The OneDrive file restore feature works by rolling back all files in a user’s OneDrive to their state at a specific date and time. Ransomware typically encrypts files in waves over several minutes or hours. If you select a restore point that is too late, you restore files that are already encrypted. If you select a point that is too early, you may lose any legitimate changes made after that point. The core problem is that ransomware often leaves partial encryption traces or renames files, and the restore feature does not distinguish between malicious and legitimate changes. It simply rewrites every file to the chosen point-in-time state.

How Ransomware Modifies File Version History

Ransomware does not just encrypt the current file version. It also writes encrypted copies into the version history. When you run a bulk restore, OneDrive restores the file version that existed at the selected time. If the ransomware encrypted the file at 10:15 AM and you restore to 10:20 AM, you get the encrypted version. The version history may show multiple encrypted versions. Only the version immediately before the first encryption event is clean.

The Role of Sync Client Latency

The OneDrive sync client does not upload changes instantly. There is a delay of seconds to minutes depending on file size and network speed. If the ransomware encrypts files faster than the sync client uploads, the cloud may never receive the clean version. In that case, the restore point you choose may have no clean version to revert to. This is more common when ransomware targets offline or slow-connected devices.

Checklist: How to Restore the Correct OneDrive Version After Ransomware

Follow these steps in order. Do not skip any step. Each step reduces the risk of restoring encrypted files.

  1. Isolate the infected device immediately
    Disconnect the device from the network and sign out of OneDrive. This prevents the ransomware from syncing more encrypted files to the cloud. Do not delete the local files yet — they may be needed for forensic analysis.
  2. Determine the earliest encryption timestamp
    Check the ransomware note creation time, file modification dates on a sample of encrypted files, or your security software logs. Identify the date and time of the first encryption event. Write this timestamp down. You will use it to select a restore point.
  3. Open the OneDrive admin center
    Go to Microsoft 365 admin center > Health > OneDrive admin center. Select the affected user from the list.
  4. Start the file restore wizard
    Click Restore OneDrive in the toolbar. The restore wizard opens.
  5. Set the restore point to 24 hours before the first encryption
    In the Restore to a date and time field, select a time at least 24 hours before the earliest encryption timestamp. This ensures you capture a clean version. Do not choose a time after the encryption started.
  6. Select the files to restore
    By default, all files are selected. If you know specific folders were not affected, you can exclude them to speed up the restore. For ransomware recovery, restore all files to be safe.
  7. Run the restore and monitor progress
    Click Restore. OneDrive shows a progress bar. The restore may take several hours for large libraries. Do not close the browser window.
  8. Verify a sample of restored files
    After the restore completes, open three to five files from different folders. Check that they open correctly and contain expected content. If any file is still encrypted, note its name and timestamp.
  9. Use version history for files that remain encrypted
    For each problematic file, right-click it in OneDrive and select Version history. Sort versions by date descending. Find the last version dated before the encryption timestamp. Click the three dots and select Restore.
  10. Check Known Folder Move folders separately
    If the user uses Known Folder Move, go to the Desktop, Documents, and Pictures folders in OneDrive. Repeat steps 4 through 9 for each folder if they were not included in the bulk restore.
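Steps 2, 5 and 9 of the checklist above, plus the sync-latency case from the earlier section, as an added Python example that is not from the original article and calls no OneDrive API: it works over a constructed, inline version history (path, timestamp, content bytes), flags encrypted versions by byte entropy, derives the 24-hour restore point, and assigns each file to the bulk restore, to version history, or to an external backup. The entropy threshold of 7.5 bits per byte is an assumption.

```python
import math
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample version history (path, version time, content) for one user's
# OneDrive; bytes(range(256)) stands in for ciphertext. Nothing here is tenant data.
CIPHERTEXT = bytes(range(256))
VERSIONS = [
    ("Documents/budget.xlsx", datetime(2024, 3, 5, 9, 30), b"Budget Q1: 1200, 1350, 1410"),
    ("Documents/budget.xlsx", datetime(2024, 3, 6, 10, 15), CIPHERTEXT),      # first wave
    ("Documents/budget.xlsx", datetime(2024, 3, 6, 10, 18), CIPHERTEXT * 2),  # re-encrypted
    ("Documents/memo.docx", datetime(2024, 3, 6, 8, 0), b"Memo: legitimate morning edit"),
    ("Documents/memo.docx", datetime(2024, 3, 6, 10, 20), CIPHERTEXT),
    ("Desktop/notes.txt", datetime(2024, 3, 6, 10, 17), CIPHERTEXT),  # clean copy never synced
]

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ciphertext sits near 8.0, office documents and text well below 7.5."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def looks_encrypted(data: bytes, threshold: float = 7.5) -> bool:
    return shannon_entropy(data) >= threshold

def first_encryption_time(versions):
    """Step 2: earliest version anywhere in the library that looks encrypted (None if none)."""
    hits = [ts for _, ts, data in versions if looks_encrypted(data)]
    return min(hits) if hits else None

def restore_point(first_enc: datetime, margin: timedelta = timedelta(hours=24)) -> datetime:
    """Step 5: bulk restore point at least 24 hours before the first encryption event."""
    return first_enc - margin

def last_clean_version(versions, path: str, first_enc: datetime):
    """Step 9: newest clean version of one file before the first encryption; None if never synced."""
    clean = [ts for p, ts, data in versions
             if p == path and ts < first_enc and not looks_encrypted(data)]
    return max(clean) if clean else None

def recovery_plan(versions):
    """Per file: 'bulk' if the restore point covers its clean version, 'version_history' if a newer
    clean version would be rolled back by the bulk restore, 'external_backup' if none exists."""
    first_enc = first_encryption_time(versions)
    point = restore_point(first_enc)
    plan = {}
    for path in sorted({p for p, _, _ in versions}):
        clean = last_clean_version(versions, path, first_enc)
        plan[path] = ("external_backup" if clean is None
                      else "version_history" if clean > point else "bulk")
    return point, plan
```

Files tagged version_history are the ones where the 24-hour margin would revert legitimate edits, so they need the per-file restore from step 9 after the bulk run.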

If OneDrive File Restore Still Shows the Wrong Version

Even after following the checklist, some files may remain corrupted. This section covers specific failure patterns and their fixes.

OneDrive Restore Completed but Files Are Still Encrypted

This means the restore point you selected was after the encryption started. The version history also contains only encrypted versions. In this case, you need to recover from a backup outside OneDrive. Check your Microsoft 365 retention policy or third-party backup solution. If you have a backup from before the attack, restore from that instead.

OneDrive Restore Reverted Legitimate Changes

If you selected a restore point that is too early, you lose changes made after that point. To recover those changes, use version history on each affected file. Find the version with the legitimate changes and restore it. This is manual work but it is the only way to merge clean versions with post-restore changes.

Ransomware Deleted Files Instead of Encrypting Them

Some ransomware variants delete files after encryption. The OneDrive restore feature can recover deleted files if you select a restore point before the deletion. If the deletion happened after encryption, the restore point must be before the encryption timestamp. Files deleted more than 30 days ago may be in the recycle bin. Check the OneDrive recycle bin first, then run the restore.

OneDrive Restore vs Version History: When to Use Each

Item                                | OneDrive File Restore                                  | Version History
------------------------------------|--------------------------------------------------------|--------------------------------------------------------
Scope                               | All files in the user’s OneDrive at once               | Single file at a time
Restore point precision             | Date and time rounded to the minute                    | Each saved version with exact timestamp
Best use case                       | Bulk recovery after ransomware with known clean point  | Recovering one or a few files with specific version needs
Risk of restoring encrypted content | High if restore point is too late                      | Low if you manually pick a pre-encryption version
Time to complete                    | Minutes to hours                                       | Seconds per file

Use the file restore feature as your primary tool for ransomware recovery because it is faster for bulk operations. Use version history only for files that the bulk restore could not fix. Combining both methods gives you the highest chance of recovering clean files.

You can now restore OneDrive files after a ransomware attack with confidence that you will get the correct version. Start by isolating the infected device and identifying the earliest encryption timestamp. Then use the OneDrive admin center restore wizard with a restore point at least 24 hours before that timestamp. For any remaining corrupted files, use version history to restore individual clean versions. As an advanced tip, enable Microsoft 365 retention labels with a 90-day retention period to create an independent backup layer that the sync client cannot overwrite.