LAS VEGAS — Microsoft's OneDrive file-sharing program can be used as ransomware to encrypt most of the files on a target machine without possibility of recovery, partly because the program is inherently trusted by Windows and endpoint detection and response programs (EDRs).
"What if I told you that there is a way to encrypt all of your sensitive data, all of your user files, without actually encrypting a single file on your computer?" SafeBreach's Or Yair asked the audience during his presentation at the Black Hat security conference here last on Aug. 10. "And what if I can do that while I'm not even executing code on your computer? And what if I told you that not even a single malicious executable needs to be present on your computer while I do that?"
Microsoft has patched OneDrive so that this attack no longer works on OneDrive client versions 23.061.0319.0003, 23.101.0514.0001 and later. Yair has packaged his OneDrive attack process into an automated tool called DoubleDrive, which works on older version of OneDrive and is available on GitHub at https://github.com/SafeBreach-Labs/DoubleDrive.
Cloud-syncing programs can make for good ransomware
"When I started this research, I wanted to create a fully undetectable-by-design ransomware," Yair explained. "I figured I needed a double-agent program."
Local agents from cloud-storage and syncing services such as Dropbox, Google Drive or iCloud would be good candidates, he said. Files could be encrypted in the cloud, which would then be mirrored on the targeted machine.
"They synchronize files on the machine with those online, and they're mass drive applications by default," Yair added.
None of those were as promising as OneDrive, which has been automatically installed on Windows since 2013 and is touted by Microsoft as a ransomware fail-safe.
"For Microsoft, OneDrive is that shelter against ransomware," Yair said. "It recommends storing your important files on OneDrive."
Taking over a OneDrive account
However, to attack a target machine, he explained, you first need to get into the targeted user's OneDrive account. This was easier than Yair expected.
"OneDrive was so helpful that it just wrote its access token in its logs," he said. "The logs aren't immediately readable, but they can be deciphered using a program found on GitHub that will reveal the access token."
It also turns out that any process running with the current user's permissions can access the user's OneDrive account. Yair managed to exfiltrate the access token by uploading it to the targeted user's OneDrive account, then using OneDrive's Share File feature to email it to himself. (One catch is that the attacker needs to have a valid Microsoft account too.)
"Anyway, we've gained access to the victim's OneDrive account," Yair said. "That lets us create a no-code ransomware that doesn't even run on the victim's computer."
But what about all the files that aren't in the victim's OneDrive folder? How would you encrypt those?
Yair explained that OneDrive lets you create symbolic links called "junctions" inside the OneDrive folder that link to files outside the folder. Files outside the folder can also be synced and encrypted.
Getting rid of the version archives and shadow copies
Encrypting as many personal files as possible isn't the end of the story. By default, Yair said, OneDrive keeps at minimum 500 previous versions of every file it has handled — even those that have been moved to the Recycle Bin. That feature is there so that victims of ransomware can quickly recover files.
To make recovery much more difficult, Yair said, he had to move all the encrypted files in OneDrive into the Recycle Bin, empty the Recycle Bin, and then recreate the encrypted files in OneDrive. That wasn't possible with OneDrive on Windows, Yair found — but he was able to pull it off using the OneDrive Android client.
That procedure makes file recovery from OneDrive impossible. However, Yair had to contend with yet another anti-ransomware mechanism, this one on the target machine itself: shadow copies. If there's room on the drive, Windows automatically makes hidden copies of each file to aid in ransomware recovery.
Yair found that he could leverage Microsoft SharePoint to gain control of the victim's storage drive and delete shadow copies in the command line. The victim has to be an administrator for this to work, but Yair got around this by exploiting user access controls.
There was one more catch, and it was not completely surmountable. Most EDR programs, including Microsoft Defender for Endpoint, prevent deletion of shadow copies for obvious reasons.
However, Yair said he found two that didn't. Cybereason's protection against shadow-copy deletion could be switched off, and Yair was able to fiddle with SentinelOne's EDR so that it permitted shadow-copy deletion as well.
The victim likely won't know that all of this is happening until it's too late.
"OneDrive even is supposed to have ransomware detection built-in, but I got no notification for my own [OneDrive-based] ransomwware," Yair said. "Also, you can just turn off OneDrive's ransomware-detection setting."
He ran a very impressive demonstration, first manually locating and extracting the OneDrive access token on a target virtual machine. Yair then used his automated DoubleDrive tool to encrypt all the files on the target machine's OneDrive folder, empty the cloud folder, empty the Recycle Bin and delete shadow copies so all the victim had left were the encrypted files on the target machine.
Naturally, this got a round of applause from the Black Hat audience.
"The takeaways are that absolutely no process should be inherently trusted," Yair said. "We should also prepare for more next-gen ransomware like this, and we should invest more in separating access features and security features."
Most of the EDR solutions that Yair contacted about shadow-copy deletion updated their software, he said, although there were a few that didn't respond. He also said that while the OneDrive client has been patched, some of the other techniques he used are still possible in Windows.
The very detailed slides for Yair's Black Hat presentation can be viewed at https://i.blackhat.com/BH-US-23/Presentations/US-23-Yair-One-Drive-Double-Agent-Clouded-OneDrive-Turns-Sides.pdf.