OneDrive considers encrypted files as ransomware

What is the problem you are having with rclone?

I was starting to use the encryption option in combination with rclone, and Onedrive promply responded with an email that they found signs of ransomware on my account. Encrypted files surely look like that to Onedrive, but how do I tell them it is not? They say that after 30 days they will delete my data if no action is taken. Anybody had this problem that far?

Run the command 'rclone version' and share the full output of the command.

rclone v1.65.1

  • os/version: ubuntu 22.04 (64 bit)
  • os/kernel: 5.15.0-94-generic (aarch64)
  • os/type: linux
  • os/arch: arm64 (ARMv8 compatible)
  • go/version: go1.21.5
  • go/linking: static
  • go/tags: none

Which cloud storage system are you using? (eg Google Drive)


The command you were trying to run (eg rclone copy /tmp remote:tmp)

rclone copy $BACKUP_DIR/$MONTHLY_BACKUP cryptOne:backup-de/db/$MONTHLY_BACKUP

Please run 'rclone config redacted' and share the full output. If you get command not found, please make sure to update rclone.

type = sftp
host = XXX
user = XXX
port = 23
key_file = /root/.ssh/id_rsa
shell_type = unix

type = crypt
remote = one:backup-de/crypt
filename_encryption = obfuscate
directory_name_encryption = false
password = XXX
password2 = XXX

type = onedrive
token = XXX
drive_id = XXX
drive_type = personal
1 Like

Isn't there any option in that email to respond to say it's not ransomware and all is ok?

I store rclone-encrypted data on more than one OneDrive account, some of them for many many years, and I have never had such an email; that said, it might be something new they are doing so maybe I will start receiving them too :grimacing:

EDIT: Have you set rclone to encrypt filenames and directory names? It could be OneDrive is seeing normally-named files that are encrypted and that is triggering some sort of alert.

1 Like

Yeah it is normal. I see this with every new onedrive account.

Ignore. 30 days is about your thrash where you can recover data from if it was really ransomware.

From my experience I receive such email only once per account - then they do not bother me any more.

This is exact email wording:

Microsoft 365 has industry-leading data protection technology which looks out for cyber attacks on your files. Your OneDrive account recently started showing signs of suspicious activity. We found 48 files that appear to be compromised by a ransomware attack.

Ransomware is a type of malicious software designed to block access to your files until you pay money.

Visit within 30 days of the attack to:
Review suspicious files and confirm they have been compromised
Remove ransomware from your devices
Restore your files on OneDrive
You can restore your files on OneDrive for only 30 days after they were compromised. If you don't restore the compromised files within 30 days from the ransomware attack, the files won't be recoverable.

1 Like

More than once on my case. Using Cryptomator by example. I just ignore the messages.

Thanks, that is reassuring that there will be no negative consequences as a result.

1 Like

No problem!

Ramsonware encrypts files without the user's knowledge. Restic and other programs that encrypt information with the user's knowledge achieve the same result: unreadable folder and file names. I suppose that the Onedrive algorithm does not recognize the difference and just in case it warns you.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.