After a ransomware attack, your OneDrive files may be encrypted, renamed, or deleted. The attacker often leaves a ransom note but does not provide a working decryption key. Microsoft OneDrive includes built-in file recovery tools that can restore your data to a state before the attack occurred. This article explains how to use Version History, the Recycle Bin, and the OneDrive Restore feature to recover your files after removing the ransomware. You will also learn how to prevent future infections by reviewing key security settings.
Key Takeaways: Recover OneDrive Files After Ransomware Cleanup
- OneDrive Recycle Bin: Restore deleted files from the site-level Recycle Bin within 93 days of deletion.
- Version History: Revert individual files to a version saved before the ransomware encrypted them.
- OneDrive Restore: Roll back your entire OneDrive to a point in time up to 30 days prior.
How Ransomware Affects OneDrive Files
Ransomware encrypts files on your local computer. If OneDrive sync is active, the encrypted versions upload to the cloud and replace the originals. The attacker may also delete or rename files to make recovery seem impossible. Because OneDrive retains previous file versions and deleted items for a limited time, you can restore unencrypted copies without paying the ransom.
The key factor is timing. OneDrive keeps version history for up to 500 major versions per file. Deleted files stay in the first-stage Recycle Bin for 30 days, then move to the second-stage Recycle Bin for an additional 63 days. The OneDrive Restore feature can roll back your entire OneDrive to any point in the last 30 days. As long as the ransomware did not permanently delete files beyond these retention windows, recovery is possible.
Steps to Recover OneDrive Files After Ransomware Cleanup
Method 1: Restore Individual Files Using Version History
- Open OneDrive in a web browser
  Go to https://onedrive.live.com and sign in with your Microsoft 365 work or school account. Navigate to the folder that contains the encrypted file.
- Select the file and view version history
  Right-click the file and choose Version history. A panel opens listing all saved versions with timestamps.
- Identify a version from before the attack
  Look for a version dated before the ransomware infection started. Ransomware often encrypts files in a short window, so a version from a few hours or one day earlier is likely unencrypted.
- Restore the previous version
  Click the three dots next to the desired version and select Restore. The file reverts to that version immediately. Download a copy to your local computer to confirm the file is intact.
Method 2: Recover Deleted Files from the Recycle Bin
- Open the OneDrive Recycle Bin
  In the left navigation pane of OneDrive on the web, click Recycle bin. Deleted files appear in a list.
- Check the second-stage Recycle Bin
  If you do not see the file, scroll to the bottom of the page and click Second-stage recycle bin. Files deleted from the first-stage bin remain here for up to 63 more days.
- Select files and restore
  Check the box next to each file you want to recover. Click Restore at the top of the page. The files return to their original locations.
- Verify the restored files
  Navigate to the original folder and open the file. If it is still encrypted, use Version History to revert to an earlier version.
Method 3: Use OneDrive Restore to Roll Back the Entire Account
- Open OneDrive settings
  In OneDrive on the web, click the gear icon in the top-right corner and select OneDrive settings.
- Go to the Restore tab
  In the left navigation, click Restore your OneDrive. A calendar and activity graph appear.
- Choose a restore point
  Use the calendar to select a date and time before the ransomware attack. The activity graph shows file changes. Click a point on the graph to select a specific restore time. The default is 24 hours ago, but you can go back up to 30 days.
- Confirm and start the restore
  Click Restore. A warning states that all changes after the selected time will be overwritten. Click Yes to proceed. The restore process can take from a few minutes to several hours depending on the number of files.
- Check the results
  After the restore completes, browse your OneDrive folders. Files should now be unencrypted. If some files remain encrypted, repeat the process with an earlier restore point or use Version History on those specific files.
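Choosing the restore point in Method 3 comes down to finding where the spike of file changes begins and stepping back just before it. The following is an added example, not part of the original article or any Microsoft tool: it runs that logic over constructed activity records. The record fields (`time`, `op`, `path`), the `.locked` extension, and the window, threshold and margin values are all assumptions.

```python
from datetime import datetime, timedelta, timezone

RESTORE_WINDOW = timedelta(days=30)  # article: OneDrive Restore reaches back up to 30 days
CHANGE_OPS = {"modified", "renamed", "deleted"}

def ts(text):
    """Parse 'YYYY-MM-DD HH:MM:SS' as a UTC timestamp."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)

# Constructed sample: a few normal edits, then a dense run of renames and deletes.
SAMPLE_EVENTS = [
    {"time": ts("2024-05-01 09:00:00"), "op": "modified", "path": "Docs/plan.docx"},
    {"time": ts("2024-05-02 14:30:00"), "op": "modified", "path": "Docs/budget.xlsx"},
    {"time": ts("2024-05-03 10:15:00"), "op": "modified", "path": "Docs/plan.docx"},
    {"time": ts("2024-05-04 02:10:00"), "op": "renamed", "path": "Docs/plan.docx.locked"},
    {"time": ts("2024-05-04 02:10:20"), "op": "renamed", "path": "Docs/budget.xlsx.locked"},
    {"time": ts("2024-05-04 02:10:45"), "op": "renamed", "path": "Pics/a.jpg.locked"},
    {"time": ts("2024-05-04 02:11:05"), "op": "deleted", "path": "Pics/b.jpg"},
    {"time": ts("2024-05-04 02:11:30"), "op": "renamed", "path": "Pics/c.jpg.locked"},
]

def find_burst_start(events, window=timedelta(minutes=10), threshold=5):
    """Time of the first change that opens a run of >= threshold changes
    inside `window`, or None if activity never gets that dense."""
    times = sorted(e["time"] for e in events if e["op"] in CHANGE_OPS)
    end = 0
    for start, t0 in enumerate(times):
        # Advance `end` to the first event outside [t0, t0 + window).
        while end < len(times) and times[end] - t0 < window:
            end += 1
        if end - start >= threshold:
            return t0
    return None

def choose_restore_point(events, now, margin=timedelta(minutes=5)):
    """Return (restore_time, status); restore_time is None when no burst is found."""
    burst = find_burst_start(events)
    if burst is None:
        return None, "no burst found"
    point = burst - margin  # step back so the restore lands before the first change
    if now - point > RESTORE_WINDOW:
        return point, "outside 30-day window"
    return point, "ok"

if __name__ == "__main__":
    print(choose_restore_point(SAMPLE_EVENTS, now=ts("2024-05-06 09:00:00")))
```

If files are still encrypted after restoring to the computed time, lower the threshold or widen the margin, which matches the article's advice to retry with an earlier restore point.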
If OneDrive Recovery Does Not Work as Expected
OneDrive Restore shows no available restore points
This feature requires a Microsoft 365 subscription. If you see no calendar or activity graph, your tenant may have the feature disabled. Contact your Microsoft 365 admin to enable OneDrive Restore in the SharePoint admin center under Settings > OneDrive. Also verify that the ransomware attack occurred within the last 30 days.
Version History does not list versions from before the attack
OneDrive retains version history for up to 500 versions per file. If the ransomware opened and saved the file many times, older versions may have been pushed out. In that case, use OneDrive Restore to roll back the entire library to before the attack.
Files are still encrypted after restore
If the restore point you selected was after the ransomware first encrypted the files, the restored copies will also be encrypted. Choose an earlier restore point. If the ransomware deleted the original files and the restore point is after the deletion, the files will not come back. In that scenario, recover from the Recycle Bin first, then use Version History on the recovered files.
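The retention windows and the fallback order described above can be written as a per-file triage routine. This is an added example, not code from the article or from Microsoft: the record shape (`deleted_at`, `versions`) and the sample values are constructed, and the day limits are the ones the article states.

```python
from datetime import datetime, timedelta, timezone

FIRST_STAGE = timedelta(days=30)     # article: first-stage Recycle Bin
SECOND_STAGE = timedelta(days=63)    # article: additional second-stage retention
RESTORE_WINDOW = timedelta(days=30)  # article: OneDrive Restore look-back

def plan_recovery(item, attack_start, now):
    """Ordered recovery steps for one file, following the article's rules.

    item is a hypothetical record: {"deleted_at": datetime or None,
    "versions": [datetime, ...]} holding the save time of each retained version.
    """
    steps = []
    deleted_at = item["deleted_at"]
    if deleted_at is not None:
        age = now - deleted_at
        if age > FIRST_STAGE + SECOND_STAGE:
            return ["unrecoverable: past the 93-day Recycle Bin retention"]
        stage = "Recycle bin" if age <= FIRST_STAGE else "Second-stage recycle bin"
        steps.append(f"restore from {stage}")
    versions = sorted(item["versions"])
    if not versions or versions[-1] < attack_start:
        # Latest retained content predates the attack, so no version revert is needed.
        return steps or ["no action: file untouched since before the attack"]
    clean = [v for v in versions if v < attack_start]
    if clean:
        steps.append(f"Version history: restore version saved {clean[-1]:%Y-%m-%d %H:%M}")
    elif now - attack_start <= RESTORE_WINDOW:
        steps.append("OneDrive Restore: roll back to a point before the attack")
    else:
        steps.append("unrecoverable: no clean version and attack older than 30 days")
    return steps

def utc(*parts):
    """Build a UTC datetime from year, month, day, ... components."""
    return datetime(*parts, tzinfo=timezone.utc)

# Constructed sample: attack time, current time, and three affected files.
ATTACK, NOW = utc(2024, 5, 4, 2, 10), utc(2024, 5, 6, 9, 0)
SAMPLE_ITEMS = {
    "encrypted in place": {"deleted_at": None,
        "versions": [utc(2024, 5, 1, 9, 0), utc(2024, 5, 4, 2, 10, 20)]},
    "encrypted then deleted": {"deleted_at": utc(2024, 5, 4, 2, 11),
        "versions": [utc(2024, 4, 20, 8, 0), utc(2024, 5, 4, 2, 10, 45)]},
    "history overwritten": {"deleted_at": None,
        "versions": [utc(2024, 5, 4, 2, 10, 30), utc(2024, 5, 4, 2, 11, 0)]},
}

if __name__ == "__main__":
    for name, item in SAMPLE_ITEMS.items():
        print(name, "->", plan_recovery(item, ATTACK, NOW))
```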
OneDrive Restore vs Version History vs Recycle Bin: Key Differences
| Item | OneDrive Restore | Version History | Recycle Bin |
|---|---|---|---|
| Scope | Entire OneDrive account | Single file | Deleted files only |
| Retention period | Up to 30 days back | Up to 500 versions per file | 93 days total (30 + 63) |
| Best use case | Widespread encryption or deletion | One or a few encrypted files | Accidentally deleted files |
| Requires admin | Yes, if feature is disabled | No | No |
After recovering your files, review your OneDrive sync settings. Enable Known Folder Move to back up your Desktop, Documents, and Pictures folders. Configure File Restore to notify you of large-scale deletions. Set up multi-factor authentication on your Microsoft 365 account to reduce the risk of credential theft that often enables ransomware.