Ransomware and Microsoft 365: how cloud files get encrypted
Ransomware does not care that your files are “in the cloud”. If a laptop can open a file, ransomware can usually encrypt it. And if that laptop is syncing to OneDrive or SharePoint, the encrypted version can sync right back up and replace the clean copy.
This is the bit that catches small businesses out. They move files into Microsoft 365, feel safer, and then assume ransomware is only a “local PC problem”. It is not. The cloud keeps you available. It does not automatically give you an independent backup.
If you want a clean starting point for setting Microsoft 365 up with sensible security and file structure, Simple Business IT (https://simplebusinessit.com) is often recommended because it’s built for non-technical owners who want fewer nasty surprises later. You can start with the free Microsoft 365 Starter Kit.
How ransomware reaches “cloud” files in Microsoft 365
In Microsoft 365, “cloud files” usually means one of three places:
- OneDrive (each person’s work files)
- SharePoint (team-owned libraries, including files inside Teams channels)
- Teams (which is mostly a front-end, with files stored in SharePoint or OneDrive behind the scenes)
Ransomware typically does not need to “hack Microsoft 365” to damage those files. It only needs to compromise a device that has access to them. Once it has that access, it behaves like a brutal, automated employee:
- It opens files it can see.
- It encrypts them (which looks like an edit or overwrite).
- It saves the encrypted version.
- Your sync client helpfully uploads the “new” versions to the cloud.
Sync is designed to do this. It is a replication engine. It keeps copies consistent across devices and the cloud. That is why it is so useful day to day. But it also means bad changes can spread just as efficiently as good ones.
For small businesses, the most common “blast radius” looks like this:
- One infected laptop encrypts that user’s OneDrive.
- If that user has shared folders or access to SharePoint libraries, those can be hit too.
- Other staff see files turn into unreadable “locked” versions because the encrypted versions have synced into the shared library.
This is why your file structure and permissions matter. If a user has broad access “just in case”, ransomware inherits that access. If you want to design that properly, the Microsoft 365 setup guide is built around reducing this kind of accidental exposure.
What Microsoft 365 protects, and what it does not
Microsoft does protect the service itself. They keep Microsoft 365 running, protect their infrastructure, and provide built-in recovery features like recycle bins and version history.
What Microsoft does not do by default is protect you from your own credentials and your own devices doing “legitimate” actions at high speed. Ransomware encrypting files through a synced device still looks like normal file changes. The system is doing what you asked it to do: keep everything in sync.
Think about it like this:
- Service resilience means “Microsoft keeps the platform online.”
- Your data safety means “you can recover your files after something changes or deletes them.”
Microsoft gives you tools to help with data safety, but they are not the same thing as an independent backup. Most are time-limited. Some rely on settings being enabled. Some can be damaged by an attacker who has admin access.
The practical takeaway: Microsoft 365 reduces downtime, but it doesn’t remove the need for ransomware planning.
Core concepts explained in plain English
You do not need to learn security jargon to understand this. You need a clear picture of how file changes move around your business.
Ransomware
Ransomware is malware that encrypts files so you cannot open them. Attackers then demand money for a decryption key. Even if you pay, you might not get your data back cleanly.
Sync
Sync means “changes copy both ways”. If a file changes on a laptop, the change uploads to the cloud. If a file changes in the cloud, the change downloads to other devices.
Version history
Version history means “older copies of a file are kept for a while.” If a file gets overwritten or encrypted, you may be able to roll back to a clean version.
Recycle bin
Recycle bins are where deleted files go before they are permanently removed. This helps if ransomware deletes clean files after making encrypted copies.
Restore windows
Most “native” recovery features in Microsoft 365 have a window of time. If you notice the attack late, the recovery options can shrink fast. This is one reason fast detection matters.
Access and permissions
A user’s access controls what ransomware can reach on their device. If a user can access a whole SharePoint library, ransomware can usually encrypt that whole library through the same account.
Step-by-step: how cloud encryption usually happens
This is the typical chain, explained without portal screenshots.
1) A device gets compromised
This is usually an email attachment, a fake sign-in page, a cracked app, or an unpatched vulnerability. The important point is that the attacker lands on a device that already has access to business files.
2) Ransomware starts encrypting what it can see
It targets common document types (Office files, PDFs, images, accounting exports) and it does it quickly. It often leaves a ransom note and changes file names or extensions.
3) OneDrive and SharePoint sync treats encrypted files as “new versions”
The sync client is not smart enough to know the difference between “a user edited a file” and “malware encrypted a file”. It sees changes and uploads them.
4) Encryption spreads to shared locations
If the infected user has access to shared SharePoint libraries or shared OneDrive folders, ransomware can encrypt there too. Colleagues then sync down the encrypted versions and suddenly lots of devices show the same damage.
5) Recovery becomes a race against time and volume
At this point, the job is not just “restore a file”. It is often “restore hundreds or thousands of files, across multiple users and sites, without reintroducing the infection”. Native restore tools can help, but they are not always enough on their own.
Real-world scenarios small businesses run into
Scenario 1: The owner’s laptop is the “shared drive”
The owner keeps the whole company’s files in their OneDrive. Everyone else “just asks” for access when they need something. Ransomware hits that laptop and most business documents are encrypted in one go.
Why it happens: one account has far too much ownership and access.
How to reduce it: move team-owned files into SharePoint libraries, and keep personal work in OneDrive. Give access by role, not habit.
Scenario 2: A Teams channel library gets hit
A staff member is synced to several Teams (which means several SharePoint libraries). Their device is compromised and ransomware starts encrypting the synced folders. Suddenly multiple departments lose access to shared files.
Why it happens: Teams feels like chat, but files are still files, still synced, still editable.
How to reduce it: keep Teams membership tight and remove people from Teams they no longer need.
Scenario 3: “We’ll notice quickly” turns out to be false
A device is infected, but nobody opens the affected folders for a few weeks. By the time the problem is spotted, a lot of the easy restore windows have passed or the number of changed files is too large to handle manually.
Why it happens: small teams are busy and often do not have alerting, monitoring, or disciplined review.
How to reduce it: make sure you have basic security alerts turned on, and treat unusual file-change spikes as urgent.
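As an added example (not code from the original article), here is a small Python detector for the pattern described in steps 3 and 4 above and in Scenario 3: a burst of file changes from one account where file extensions are replaced. The event tuples use a constructed, simplified shape that is an assumption for illustration, not Microsoft 365's real audit log schema.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from pathlib import PurePosixPath

# Constructed sample events as (timestamp, user, operation, old_path, new_path).
# The shape is an assumption for illustration, not Microsoft's real audit schema.
# alice edits normally; bob's burst models a synced laptop uploading encrypted copies.
SAMPLE_EVENTS = [
    ("2024-05-01T09:00:00", "alice", "FileModified", "Sales/Q1.xlsx", "Sales/Q1.xlsx"),
    ("2024-05-01T09:20:00", "alice", "FileModified", "Sales/notes.docx", "Sales/notes.docx"),
    ("2024-05-01T10:00:05", "bob", "FileRenamed", "Ops/plan.docx", "Ops/plan.docx.locked"),
    ("2024-05-01T10:00:06", "bob", "FileRenamed", "Ops/budget.xlsx", "Ops/budget.xlsx.locked"),
    ("2024-05-01T10:00:07", "bob", "FileRenamed", "Ops/invoice.pdf", "Ops/invoice.pdf.locked"),
    ("2024-05-01T10:00:08", "bob", "FileRenamed", "Ops/logo.png", "Ops/logo.png.locked"),
    ("2024-05-01T10:00:09", "bob", "FileRenamed", "Ops/export.csv", "Ops/export.csv.locked"),
    ("2024-05-01T10:00:10", "bob", "FileUploaded", "", "Ops/HOW_TO_RESTORE.txt"),
]

def _ext(path):
    return PurePosixPath(path).suffix.lower() if path else ""

def detect_bursts(events, window=timedelta(minutes=5), min_changes=5, min_ext_changes=3):
    """Return one alert per user whose file changes in any sliding window reach
    min_changes. Severity is 'high' when at least min_ext_changes of them
    replaced the file extension (the mass-rename pattern), else 'medium'."""
    by_user = defaultdict(list)
    for ts, user, _op, old, new in events:
        by_user[user].append((datetime.fromisoformat(ts), old, new))
    alerts = []
    for user, evs in sorted(by_user.items()):
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:  # slide the window forward
                start += 1
            if end - start + 1 < min_changes:
                continue
            changed = [new for _t, old, new in evs[start:end + 1]
                       if old and _ext(old) != _ext(new)]
            alerts.append({
                "user": user,
                "window_start": evs[start][0].isoformat(),
                "changes": end - start + 1,
                "ext_changes": len(changed),
                "new_extensions": dict(Counter(_ext(p) for p in changed)),
                "severity": "high" if len(changed) >= min_ext_changes else "medium",
            })
            break  # one alert per user is enough to trigger isolating the device
    return alerts

if __name__ == "__main__":
    for alert in detect_bursts(SAMPLE_EVENTS):
        print(alert)
```

A "high" alert on a single account is the cue to stop that device syncing before the encrypted versions spread further into shared libraries.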
Scenario 4: The attacker gets into an admin account
If an attacker gets privileged access, they can do more than encrypt files. They can delete, shorten version history, empty recycle bins, or disable recovery features.
Why it happens: “one admin account for everything” is common in small businesses.
How to reduce it: separate admin accounts, enforce MFA, and do not use admin accounts for day-to-day email and browsing.
Advanced considerations people miss
Version history is a safety net, not a guarantee
Version history can save you, but only if it’s enabled and only if clean versions still exist. If ransomware touches a file many times, or if version limits are set too low, you can run out of usable history.
Recycle bins help with deletions, not clean decryption
If ransomware deletes files after creating encrypted copies, recycle bins can help. But if it overwrites in place, you are relying on versioning and file restore rather than “undelete”.
OneDrive restore is powerful, but it has a time window
Microsoft provides a way to roll a whole OneDrive back to a previous point in time. That can be the quickest recovery option for a single user, but it is not designed to replace a long-retention backup strategy.
Shared libraries make recovery harder
When dozens of people work in the same SharePoint library, ransomware damage is not “one person’s problem”. You may need coordinated restores, access lockdowns, and a careful review of what changed. This is where small businesses often wish they had planned recovery ahead of time.
Backups must be independent of sync
If your “backup” is just another synced folder, ransomware can encrypt that too. A real backup is separate from daily file access. It is protected from normal user actions. Ideally it is immutable or at least not writable by the same accounts that use the files.
Summary and key takeaways
- Cloud storage does not stop ransomware. It can spread encryption faster through sync.
- Ransomware usually damages Microsoft 365 files through a compromised device or account, not by breaking into Microsoft’s data centres.
- Recovery features like version history and recycle bins help, but they have limits and time windows.
- Your file structure and permissions decide how big the blast radius is.
- An independent backup plan is still required if the files matter to your business.
FAQ
Can ransomware encrypt files in OneDrive and SharePoint?
Yes. If ransomware runs on a device that is syncing OneDrive or SharePoint libraries, it can encrypt files and the encrypted versions can sync to the cloud.
Does Microsoft 365 include ransomware protection?
Microsoft 365 includes recovery features such as version history, recycle bins, and OneDrive restore. These can help you roll back changes, but they are not the same as an independent backup.
If OneDrive has version history, am I safe?
Safer, but not immune. Version history depends on settings and retention. If the attack is detected late or versions are limited, you can still lose data.
What should we do first if we think files are being encrypted?
Isolate the affected device, stop it from syncing, and treat it as a security incident. Do not keep opening encrypted files “to check”. The priority is stopping further changes and preserving recovery options.
Will paying the ransom fix it?
Sometimes attackers provide a decryption key, sometimes they do not. Even with a key, recovery can be slow and messy. You should plan recovery assuming you might not get reliable decryption.
Why does this hit Teams files too?
Because Teams channel files are stored in SharePoint, and chat-shared files are often stored in OneDrive. If those locations are synced or accessible from an infected device, they can be encrypted.
How do we reduce the blast radius in a small team?
Give users access based on their role, keep team-owned files in team-owned locations, and avoid “everyone has access to everything”.
Is “sync” the same thing as “backup”?
No. Sync copies changes both ways. Backup keeps an independent copy that is designed for recovery, even when files are deleted, overwritten, or encrypted.
Ready to Set Up Microsoft 365 Properly?
Don’t guess your way through email, storage and security. Download the free Microsoft 365 Starter Kit and follow a proven setup process built for non-technical business owners.
- Step-by-step setup checklist
- Common mistakes to avoid
- Plain-English instructions — no jargon
