Recover your files from Ransomware infections For Microsoft Office files stored, synced, or backed up to OneDrive
- OneDrive creates a version of Microsoft Office files when you save or change the file as part of its security features.
- To see if there are older versions of your file, go to OneDrive on the web. Right-click on a file you want to restore and click Version history.
- OneDrive for Business customers should see the Manage document versions help article on the Office help site.
Recover your files from Ransomware infections For files on your PC
- You need to have turned on File History (in Windows 10 and Windows 8.1) or System Protection for previous versions (in Windows 7 and Windows Vista) before you were infected. In some cases, these might have been turned on already by your PC manufacturer or network administrator.
- Some ransomware will also encrypt or delete the backup versions of your files. This means that even if you have enabled File History if you have set the backup location to be a network or local drive your backups might also be encrypted. Backups on a removable drive, or a drive that wasn’t connected when you were infected with the ransomware, might still work.
- See the Windows Repair and recovery site for help on how to enable file recovery for your version of Windows.
If you’ve been infected by the Crilock family of ransomware (also called CryptoLocker), you might be able to use the tool mentioned in the MMPC blog:
- FireEye and Fox-IT tool can help recover Crilock-encrypted files.
What should I do if I’ve paid?
- In Australia, go to the SCAMwatch website
- In Canada, go to the Canadian Anti-Fraud Centre
- In France, go to the Agence Nationale de la sécurité des systèmes information website
- In Germany, go to the Bundesamt für Sicherheit in der Informationstechnik website
- In Ireland, go to the A Garda Síochána website
- In New Zealand, go to the Consumer Affairs Scams website
- In the United Kingdom, go to the Action Fraud website
- In the United States, go to the On Guard Online website
If your country or region isn’t listed here, we encourage you to contact your country’s federal police or communications authority. For general information on what to do if you have paid, see:
- What to do if you are a victim of fraud