About OneDrive Ransomware
A cybersecurity researcher from SafeBreach, Or Yair, was able to turn OneDrive against its own users, essentially making it function as ransomware. His research was motivated by the desire to unveil novel ransomware attack vectors and to understand how they might exploit trusted programs and services. This investigation ultimately revealed a sophisticated ransomware attack flow that uses OneDrive as an undetectable double agent to encrypt files and disable recovery features, presenting substantial challenges for cybersecurity professionals and organizations.
What version of OneDrive is Vulnerable?
OneDrive client versions 23.061.0319.0003, 23.101.0514.0001, and later are vulnerable to this attack. The ThreatLocker Cybersecurity Research team has since investigated further and replicated the attack on the latest version of OneDrive.
How does the Attack work?
The DoubleDrive attack leverages weaknesses in Microsoft OneDrive's synchronization and file management processes. It primarily targets personal OneDrive accounts and takes advantage of their synchronization behavior. When a victim's machine is configured to sync its local files with OneDrive, DoubleDrive manipulates this synchronization process. It creates a junction between the victim's local directory and the corresponding OneDrive directory, which effectively removes the original local files from the victim's control. Once these files have been duplicated to OneDrive, DoubleDrive encrypts them, rendering them inaccessible. This attack demonstrates a security weakness in which files outside the OneDrive sync folder are still at risk, even when they are stored on a cloud service. It highlights the importance of proper configuration and security measures in cloud-based file synchronization to mitigate such threats.
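Because the attack hinges on a directory junction placed inside the sync root, one defensive check is to audit that root for junctions whose targets lie outside it. The script below is an added example for this page, not ThreatLocker's or SafeBreach's code; it assumes it runs as the user whose OneDrive is being checked and that the sync root is available in the OneDrive environment variable or passed via -SyncRoot.

```powershell
# Added example (not ThreatLocker's or SafeBreach's code): audit a OneDrive sync
# root for directory junctions and report any whose target lies outside the root,
# since a junction from the sync root to a local folder is the primitive the
# DoubleDrive flow relies on.
# Assumption: $env:OneDrive points at the sync root, or -SyncRoot is supplied.
param(
    [string]$SyncRoot = $env:OneDrive
)

if (-not $SyncRoot -or -not (Test-Path -LiteralPath $SyncRoot)) {
    throw "OneDrive sync root not found; pass -SyncRoot explicitly."
}

$root = (Resolve-Path -LiteralPath $SyncRoot).Path.TrimEnd('\')

# Reparse points cover junctions and symbolic links; LinkType tells them apart.
$links = Get-ChildItem -LiteralPath $root -Directory -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Attributes -band [IO.FileAttributes]::ReparsePoint }

$findings = foreach ($link in $links) {
    # .Target is a string on PowerShell 7 and an array on Windows PowerShell 5.1;
    # wrapping in @() handles both. Non-link reparse points have no target.
    foreach ($t in @($link.Target)) {
        if (-not $t) { continue }
        $outside = -not $t.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)
        [pscustomobject]@{
            Link            = $link.FullName
            LinkType        = $link.LinkType
            Target          = $t
            OutsideSyncRoot = $outside
            Created         = $link.CreationTime
        }
    }
}

$suspicious = $findings | Where-Object OutsideSyncRoot
if ($suspicious) {
    Write-Warning "Junctions under $root that point outside the sync root:"
    $suspicious | Format-Table -AutoSize
} else {
    Write-Host "No junctions pointing outside $root were found."
}
```

A junction that points outside the sync root is not proof of compromise, but it is the condition under which local folders get pulled into OneDrive, so it is worth reviewing the creation time and target of each hit.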
See How the Exploit Works
In this replication we demonstrate step by step how an attacker can manipulate OneDrive to delete backups and encrypt your files within minutes.
Demonstration Timestamps:
00:00:19 – Setting the configurations for the malicious Python script.
00:00:35 – Using PyInstaller to generate an executable binary (.exe).
00:01:20 – Demonstrating that the machine has Windows Defender’s capabilities fully enabled.
00:02:14 – Copying the malicious binary to the victim's machine.
00:02:31 – Execution of the malicious binary.
00:02:58 – Initiating the secondary phase: remotely executing the ransomware capabilities.
00:03:18 – Synchronization and deletion of the victim's files.
00:03:31 – The victim's files are encrypted and inaccessible.
How ThreatLocker Can Stop This OneDrive Ransomware!
ThreatLocker customers with Application Allowlisting remain protected from unauthorized applications, such as the malicious binary presented in the video. Ringfencing™ also plays a vital role, as it effectively prevents this attack by blocking CMD from accessing the Internet.