Skip to content

DoubleDrive

A fully-undetectable ransomware that utilizes Cloud Drive Services to encrypt target files. Presented at Black Hat USA 2023 Briefing under the title - One Drive, Double Agent: Clouded OneDrive Turns Sides

DoubleDrive Python Package

(Tested only on python version 3.11.4)

Implements most of the logic and tools that a DoubleDrive variant needs. In order to create a DoubleDrive variant for a certain cloud storage service, the creator must create 2 different executables using this library's tools:

  • An endpoint takeover executable, implements:
    • Undetectable legitimate logic that syncs local target paths from the target computer to the cloud storage service using a built-in feature of the local cloud storage app
    • Exfiltration of the stolen authentication information so the target local paths become accessible from the cloud storage service API
  • A DoubleDrive ransomware executable, implements:
    • Collection of the exfiltrated authentication information that was sent by the endpoint takeover executable
    • Encryption of all target files by sending API requests to the cloud storage service

Specific Cloud Storage Services Implementations of DoubleDrive:

OneDrive

Go into ./onedrive_doubledrive for the specific OneDrive variant. You can read how to use it here: OneDrive DoubleDrive README

Google Drive

Go into ./google_drive_doubledrive for the specific Google Drive variant. You can read how to use it here: Google Drive DoubleDrive README

Author - Or Yair

DoubleDrive has loaded