OneDrive recognizes the crypted files as RansomWare with new Vault7


I’ve been doing some tests with the new Vault7 version and uploaded lots of files to Microsoft OneDrive. I constantly get automated mails from them that the files I’ve uploaded are possibly due to RansomWare as they look encrypted. Here’s the mail text in German though:

Signs of ransomware detected.

Office365 has industry-leading data protection technology that watches for cyberattacks on your files. Your OneDrive account recently began showing signs of suspicious activity. We found 133 files that appear to be affected by a ransomware attack.

Ransomware is a type of malicious software designed to block access to your files until you pay money.

Visit within 30 days of the attack to:

  • Review suspicious files and confirm that they were compromised
  • Remove ransomware from your devices
  • Restore your files on OneDrive

You can only restore your files on OneDrive for 30 days from the time they were compromised. If you do not restore the compromised files within 30 days of the ransomware attack, they can no longer be restored.

You then have to click a link and confirm that the files are not affected by RansomWare. This is very boring and I think that some official from Cryptomator needs to contact Microsoft accordingly as this is a false positive.

Best regards,

Thanks for letting us know!

Actually, another user already reported this on our bug tracker:

We can contact Microsoft about this problem, but I don’t think they would do anything. Because by the nature of Cryptomator and Ransomware, both encrypt your files causing the file content to be some garbled byte sequence. You cannot really differentiate between these two (otherwise the encryption would be faulty).

I assume that MS is learning that .c9r files have a high Shannon entropy. However, at the moment their database still contains too few samples, leading to low significance, which is why they choose to show a warning.

That is, if they have a database for typical entropy scores at all. :crossed_fingers:

I use OneDrive and I am getting this Ransomware recognition message all the time, even if I add say 70 new files. I thought Ransomware encrypts existing files and does not add new files, and I am adding new encrypted files, so it seems strange that OneDrive detects a ransomware attack. Of course, better to be overly sensitive and cautious and detect attempted Ransomware attempts than not detecting anything.

But it is getting annoying that I have to log in to OneDrive and go through the process to get my account working again, especially when I only upload 50-70 files (not many really).

Is there any workaround for this? I guess not, but maybe some idea?

I am still wondering what rules OneDrive uses to make this classification. I use OneDrive4Business very excessively and for years now with Cryptomator, and never had this message.

There are many formats, not only encrypted but also compressed file formats, with an entropy so high that it is basically indistinguishable from random data.

As zip files don’t get blocked, I’m pretty sure MS has an internal table with all the different file extensions and their usual Shannon entropy.

Either this table is self-learning, then the problem will vanish once enough users have uploaded .c9r files and OneDrive has learned that this is an encrypted format, or users complain to MS about this fact.

If you want a fast solution, the latter might be the best option right now. :wink:
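
Added example, not part of the thread and not Cryptomator or OneDrive code: a Python sketch of the entropy comparison discussed above, showing that a byte-entropy threshold flags compressed and encrypted data alike. The sample text, the 7.5 bits/byte threshold and `toy_encrypt` (a SHA-256 keystream XOR standing in for real vault encryption) are assumptions.

```python
import hashlib
import math
import random
import zlib
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def toy_encrypt(data: bytes, key: bytes) -> bytes:
    """Assumed stand-in cipher: XOR with a SHA-256 counter keystream (not the .c9r format)."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hashlib.sha256(key + off.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[off:off + 32], ks))
    return bytes(out)


def build_samples() -> dict:
    # Constructed sample: pseudo-text from a fixed vocabulary, seeded so runs repeat.
    rng = random.Random(0)
    words = "vault cloud file sync upload backup report invoice photo the and of".split()
    plain = " ".join(rng.choice(words) for _ in range(40000)).encode()
    return {
        "plain text": plain,
        "zlib-compressed": zlib.compress(plain, 9),
        "toy-encrypted": toy_encrypt(plain, b"constructed-demo-key"),
    }


def entropy_report() -> dict:
    return {name: shannon_entropy(blob) for name, blob in build_samples().items()}


def flag_by_entropy(threshold: float = 7.5) -> list:
    """Naive detector: flag every sample whose entropy exceeds the assumed threshold."""
    return [name for name, h in entropy_report().items() if h > threshold]


if __name__ == "__main__":
    for name, h in entropy_report().items():
        print(f"{name:16s} {h:.3f} bits/byte")
    print("flagged:", flag_by_entropy())
```

Both the compressed and the encrypted sample land above the threshold, so a detector relying on entropy alone needs extra context such as file extension or change pattern to separate them.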

It just started happening recently with the 1.5 update.

I think it is good if Microsoft gets feedback from as many Cryptomator users as possible. By the way, just after I clicked on the point in OneDrive that everything is ok, I got a mail from Microsoft regarding my ransomware experience with the recovery. At this point we could give Microsoft some initial feedback :wink:

Don’t know if this is new, but I just noticed that OneDrive seems to identify Cryptomator files now correctly as encrypted vault files.
That should eliminate the sometimes upcoming false positive ransom-attack messages from OneDrive.


Cryptomator 1.6.3, Windows 10, OneDrive Personal.

Not for me. Uploaded 30 files today and OneDrive warned me about potential ransomware and invited me kindly to go through the steps to accept my files :slight_smile:

I don’t know if Microsoft is working on the problem. I too get the notice. But there are no files listed as ransomware. Be safe and have a recent backup of all your unencrypted files until this gets resolved. So far none of my files have been deleted by OneDrive.