How to handle CTB Locker virus on O365

A customer had some libraries synced from SharePoint in Office365 to the local computer, and unfortunately clicked a link in a mail that contained the virus (or malware or whatever its called) CTB Locker which “encrypted” all the files in the synced library. The files could not be opened, two files called “How to decrypt the files” were added into the library, the file icon got the unassociated look and the computer name was added at the end of the file:


Anyway, the files were unusable, and also the version history was erased so there was no way to restore the former version. So, I created a Service Request in the Office365 Admin console and got contacted by a Microsoft technician (well, I had to call them 3 times before they called me actually). He took over my session and confirmed the virus, they are working on this at Microsoft to protect synced files so virus cannot get into SharePoint in this way. He said that instead of doing a restore of the libraries or sites, we could just download the files – rename them – and then upload them back into the library again. Tried to rename a downloaded file and opened it, and that worked without issues.

I think Microsoft handled and supported this really well and fast.

When will people learn not to click on attachments from mail senders that are unknown, or files that looks suspicious? I NEVER open anything that I am not sure of, I mean we must have learned something from the years when virus was a big thing 🙂

0 0 votes
Rate this article!
Notify of

This site uses Akismet to reduce spam. Learn how your comment data is processed.

1 Comment
oldest most voted
Inline Feedbacks
View all comments
CTB Virus

I often find CTB Locker O365 virus on my computer, thanks for sharing.