Share via

Wanna cry destroyed our server

Wang Jun Kai 20 Reputation points
2026-04-17T03:36:24.4366667+00:00

Our SharePoint server was hit by a WannaCry ransomware attack, and we’ve reached a point where we’re running out of options. We engaged our partner for support, but they’ve come back indicating that even Microsoft has no viable recovery path at this stage, and the data is considered lost.

I’m posting here as a last resort to see if anyone has encountered a similar scenario or has any potential workaround no matter how unlikely that could help with data recovery.

We’ve already rebuilt/reset the server environment, but unfortunately the data itself is gone.

1000008852

Thank you

Microsoft 365 and Office | SharePoint Server | For business
0 comments

3 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Deleted

    This answer has been deleted due to a violation of our Code of Conduct. The answer was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.

    Comments have been turned off. Learn more

  2. Steven-N 25,305 Reputation points Microsoft External Staff Moderator
    2026-04-17T04:11:21.36+00:00

    Hi Wang Jun Kai

    I’m really sorry to hear about the challenges you've faced with the WannaCry incident on your server. We understand how frustrating this situation can be, especially when it comes to the impact on your business.

    As Microsoft has confirmed, unfortunately, recovery from the WannaCry attack may not be possible for some systems, especially if the proper patches or protections were not in place at the time. Microsoft has provided clear recommendations for mitigating such risks in the future, such as ensuring timely updates and using advanced security measures like network segmentation and regular backups.

    As Microsoft Learn is peer-to-peer support forum, we are here to offer guidance and share experiences, but please note that we, as moderators, don't have the ability to restore lost data or systems.

    That said, I’ll keep this thread open, in case another user might have some insights or suggestions that could help. In the meantime, I encourage you to follow the advice provided by Microsoft and consider reaching out to their support channels for further assistance.

    Again, we’re really sorry that you’re dealing with this, and we hope you can get things back on track soon.

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

    Was this answer helpful?

    0 comments

  3. AI answer

    2026-04-17T03:36:41.7433333+00:00

    Given the description, there is no additional Microsoft-supported recovery method beyond what has already been attempted. When ransomware like WannaCry has encrypted or corrupted the only available copies of the data, and restores from backups also result in corrupted files, the data is effectively unrecoverable from Microsoft’s perspective.

    For future resilience in similar scenarios, the following practices are recommended:

    1. Implement robust, point-in-time backups
      • Maintain offline or immutable backups so that ransomware cannot encrypt or corrupt them.
      • For Microsoft 365 workloads, evaluate solutions such as Microsoft 365 Backup or partner solutions built on Microsoft 365 Backup Storage, which are designed for fast, bulk recovery to a healthy pre-attack point in time.
    2. Use SharePoint/OneDrive built-in recovery features (for cloud workloads)
      • Ensure versioning is enabled so that if ransomware encrypts files in place, earlier versions can be restored.
      • Use the recycle bin and site collection recycle bin to recover deleted content within the retention window; Microsoft can restore from metadata backups for a limited time after that.
    3. Prepare and validate a ransomware backup/restore plan
      • Move user data to cloud services like OneDrive and SharePoint to leverage version history and recycle bin capabilities, and educate users on self-service recovery.
      • Regularly validate backups by performing test restores and scanning them for malware before relying on them in an incident.
    4. During any future attack
      • Engage incident response support early (for example, Microsoft Incident Response or a qualified partner) to help contain the attack and guide recovery.
      • Identify a safe, known-good point-in-time backup image and restore only after the environment has been cleaned and secured.

    In the current case, if all backups and restored copies are already corrupted and Microsoft has confirmed no further recovery path, there is no supported workaround to reconstruct the lost SharePoint data. Focus should shift to rebuilding content from any external sources (exports, user copies, archives) and hardening backup and security posture to prevent recurrence.

    References:

    AI-generated content may be incorrect. Read our transparency notes for more information.

    Was this answer helpful?

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.