dEEpEst
A fully-undetectable ransomware that utilizes OneDrive & Google Drive to encrypt target local files
Over the last 10 years, ransomware attacks have become the main cybersecurity risk. More than 200 different ransomware families have been used in the wild. Most of them are fairly similar. EDRs can prevent most of them generically with decoy file traps, monitoring for processes that modify many files, or by monitoring common pre-encryption actions such as shadow copy deletion.
But what if we tell you there's a way to encrypt all of your sensitive data without encrypting a single file on your endpoints? What if adversaries can encrypt files, while they are not even executing code on endpoints? What if not a single malicious executable from the adversary needs to be present on endpoints while files are encrypted?
We proved that all of this is possible. For the last decade, a built-in double-agent named OneDrive has been on all of our computers. Microsoft's shelter-from-ransomware can be operated as ransomware. This double-agent has managed to gain so much trust that it can encrypt all of your local files in almost any directory without any of the tested EDRs detecting or stopping it. Not even the ones that implement AI / ML approaches. Some EDRs even trust it to execute malicious code.
In this talk, we will present DoubleDrive, a fully undetectable cloud-based ransomware, different from all other public ransomwares seen so far. It uses OneDrive to encrypt local files outside of OneDrive's directory. It bypasses decoy file detection, Microsoft's Controlled Folder Access and OneDrive's ransomware detection. While monitored by some EDRs, it can execute common malicious actions including shadow copy deletion. It successfully wipes OneDrive files' 500 previous versions and empties OneDrive's recycle bin, making file recovery impossible. It can run with any privileges, no encryption is done on the computer itself, and all by operating our double-agent OneDrive.
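The abstract's point that some EDRs trust OneDrive to carry out actions they would block elsewhere, such as shadow copy deletion, comes down to a detection rule that suppresses alerts based on who the parent process is. The Python below is an added illustration, not code from the talk or from the forum poster; it runs a shadow-copy-deletion detection over constructed process-creation events and compares the weak setting (parent allow-list honoured) with the corrected one (alert on the action regardless of parent). It assumes the deletion surfaces as a child process of OneDrive.exe, which is a modelling assumption rather than a claim about the technique itself.

```python
import re

# Constructed sample process-creation events (not real telemetry, not from the talk).
SAMPLE_EVENTS = [
    {"parent_image": r"C:\Windows\explorer.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    # Assumption for the example: the trusted sync client is the parent of the command.
    {"parent_image": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"parent_image": r"C:\Windows\explorer.exe",
     "cmdline": "vssadmin.exe list shadows"},
    {"parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "wmic shadowcopy delete"},
]

# Command-line shapes that destroy Volume Shadow Copies (a common pre-encryption step).
SHADOW_DELETE_PATTERNS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.IGNORECASE),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.IGNORECASE),
]

# Hypothetical allow-list of "trusted" parents, the kind of exclusion the abstract says
# some EDRs grant to OneDrive. Present here only to show its effect on detection.
TRUSTED_PARENTS = {"onedrive.exe"}


def is_shadow_copy_deletion(cmdline: str) -> bool:
    """True when the command line matches a known shadow-copy deletion shape."""
    return any(p.search(cmdline) for p in SHADOW_DELETE_PATTERNS)


def parent_name(path: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events, honour_parent_allowlist: bool):
    """Return the events to alert on.

    honour_parent_allowlist=True is the weak setting: deletions launched by a
    trusted parent are silently dropped. False is the corrected setting: the
    destructive action alerts no matter which signed process started it.
    """
    hits = []
    for ev in events:
        if not is_shadow_copy_deletion(ev["cmdline"]):
            continue
        if honour_parent_allowlist and parent_name(ev["parent_image"]) in TRUSTED_PARENTS:
            continue
        hits.append(ev)
    return hits
```

Running `detect(SAMPLE_EVENTS, True)` yields two alerts and `detect(SAMPLE_EVENTS, False)` yields three; the difference is exactly the deletion launched under the trusted parent.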