Appearance
DoubleDrive
A fully-undetectable ransomware that utilizes Cloud Drive Services to encrypt target files. Presented at Black Hat USA 2023 Briefing under the title - One Drive, Double Agent: Clouded OneDrive Turns Sides
DoubleDrive Python Package
(Tested only on python version 3.11.4)
Implements most of the logic and tools that a DoubleDrive variant needs. In order to create a DoubleDrive variant for a certain cloud storage service, the creator must create 2 different executables using this library's tools:
- An endpoint takeover executable, implements:
- Undetectable legitimate logic that syncs local target paths from the target computer to the cloud storage service using a built-in feature of the local cloud storage app
- Exfiltration of the stolen authentication information so the target local paths become accessible from the cloud storage service API
- A DoubleDrive ransomware executable, implements:
- Collection of the exfiltrated authentication information that was sent by the endpoint takeover executable
- Encryption of all target files by sending API requests to the cloud storage service
Specific Cloud Storage Services Implementations of DoubleDrive:
OneDrive
Go into ./onedrive_doubledrive for the specific OneDrive variant. You can read how to use it here: OneDrive DoubleDrive README
Google Drive
Go into ./google_drive_doubledrive for the specific Google Drive variant. You can read how to use it here: Google Drive DoubleDrive README
Author - Or Yair
- LinkedIn - Or Yair
- Twitter - @oryair1999