DoubleDrive: Double Agents Hide Behind The Clouds
Ransomware attacks have become one of the main cybersecurity risks. More than 200 ransomware families have been used in the wild, and most of them are fairly similar. EDRs can prevent most of them generically with decoy file traps, monitoring for mass file operations, or detection of ransomware file extensions.
But what if we tell you there’s a way to encrypt your sensitive data without encrypting a single file on your endpoints? What if at the time of encryption, adversaries do not even need to execute code? What if not a single malicious executable from the adversary needs to be present on endpoints while files are encrypted?
We proved all of this is possible. We recruited two double agents that you all know and trust, called OneDrive and Google Drive. Your shelters against ransomware can be operated as ransomware. These double agents have earned so much trust that they can encrypt all of your local files in almost any directory without any of the tested EDRs detecting or stopping them. Some EDRs even trust one of them to execute malicious code.
In this talk, we will present DoubleDrive, a fully undetectable cloud-based ransomware, unlike any public ransomware seen so far. We will first present how it uses Google Drive to encrypt local files outside of the mirrored local drive. Then, we will move on to show the bigger obstacles we ran into with OneDrive and how we managed to bypass them all. DoubleDrive bypasses decoy file detection, Microsoft’s Controlled Folder Access, ransomware file extension detection and OneDrive’s ransomware detection. It also successfully wipes the 500 previous versions of OneDrive files and empties OneDrive’s recycle bin, making OneDrive’s ransomware recovery impossible. It can run with any privileges, no encryption is done on the computer itself, and all of this is achieved by operating our double agents OneDrive and Google Drive.