Microsoft OneDrive a willing and eager 'ransomware double agent'

No one will suspect such a trustworthy executable

Black Hat There's a rather serious ransomware vulnerability in Microsoft's desktop operating system, according to research out this week. It's nigh undetectable, uses a fully legitimate workflow to encrypt files, and comes pre-installed on all new Windows systems: OneDrive.

As per the findings presented by SafeBreach security researcher Or Yair today at Black Hat, OneDrive was a ready and willing double agent he was able to turn against the systems it's designed to sync cloud storage for, and ostensibly protect.

"Microsoft describes OneDrive as a shelter against ransomware," Yair told The Register. "OneDrive is used for ransomware data recovery, and Microsoft even recommends that users store important files in OneDrive because they're better protected in the cloud."

Yet as Yair demonstrated during his talk, a series of mistakes by both Microsoft and third-party vendors have shown OneDrive to be an easily tricked piece of software eager to encrypt anything it can get a junction to. 

They left session tokens where?

OneDrive, for those unfamiliar with it, is both Microsoft's cloud storage service and the locally running application installed on Windows devices to synchronize files between a OneDrive directory on said machine and Microsoft's remote servers. 

The first thing one would do in order to turn OneDrive into a double agent, then, would be to hijack someone's account – a task Yair said was relatively easy once he managed to achieve an initial compromise of a Windows machine.

OneDrive, it turns out, stores all of its log files in a directory for the signed-in user. Those logs, in turn, contain session tokens that Yair said he was able to pull out of the log file once he snagged a copy and parsed it. With the stolen token, Yair was able to get to work.

Getting out of OneDrive's own directories was simple enough – Yair said that while symbolic links can only be created by an administrator (which Yair wasn't operating as during his tests), junctions can be created by anyone, but can only point to a directory, not a specific file. 

"Once we create junctions to areas outside of OneDrive's own directory we achieve a situation where it can create, modify or delete files on a local machine," Yair said. 
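The junction escape Yair describes can be audited from the defender's side. The PowerShell below is an added example, not code from the article or from SafeBreach: it lists junctions inside the OneDrive sync root and flags any whose target lies outside it, assuming the sync root is the signed-in user's default `%USERPROFILE%\OneDrive` folder (the function name is mine).

```powershell
# Added example (not from the article or SafeBreach): report junctions inside
# the OneDrive sync root whose target points outside that root.
function Find-SyncRootEscapeJunction {
    param(
        # Assumption: the default per-user sync root; pass another path if yours differs.
        [string]$SyncRoot = (Join-Path $env:USERPROFILE 'OneDrive')
    )

    # Normalise the root to an absolute path with a trailing backslash so that
    # C:\Users\a\OneDrive2 is not mistaken for a child of C:\Users\a\OneDrive.
    $rootFull = [System.IO.Path]::GetFullPath($SyncRoot).TrimEnd('\') + '\'

    Get-ChildItem -LiteralPath $SyncRoot -Recurse -Force `
        -Attributes ReparsePoint -ErrorAction SilentlyContinue |
    Where-Object { $_.LinkType -eq 'Junction' } |
    ForEach-Object {
        # .Target is string[] on Windows PowerShell 5.1 and string on PowerShell 7.
        $rawTarget = @($_.Target)[0]
        # Some hosts report the raw NT path (\??\C:\...); strip that prefix.
        $target = $rawTarget -replace '^\\\?\?\\', ''
        $targetFull = [System.IO.Path]::GetFullPath($target).TrimEnd('\') + '\'

        [pscustomobject]@{
            Junction = $_.FullName
            Target   = $target
            # True when the junction leads out of the sync root: the condition
            # under which OneDrive would sync, and so rewrite, files it should not touch.
            Outside  = -not $targetFull.StartsWith($rootFull, [StringComparison]::OrdinalIgnoreCase)
        }
    }
}

# Show only the junctions that escape the sync root.
Find-SyncRootEscapeJunction | Where-Object Outside | Format-Table -AutoSize
```

On Windows PowerShell 5.1, `-Recurse` also descends into the junctions it finds, so run the check on PowerShell 7 or cap the walk with `-Depth` on large sync roots.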

OneDrive includes features that prevent ransomware from destroying backups by ensuring there are shadow copies of files that can be restored in case of an attack, though Yair says he was able to subvert those features too, with the OneDrive app for Android being the weak point in that instance.

An API used by the app is different from other OneDrive apps, and those differences allowed Yair to delete the original copies of files that he'd encrypted in such a way that they were unrecoverable, leaving the victim with nothing but encrypted backups of encrypted files.

EDR can't save you here

The first response one may have to such a ransomware threat – that a legitimate application would suddenly go rogue and begin encrypting files all over a device – is an understandable one: let endpoint detection and response software handle it. 

About that …

EDR software, Yair said, should detect such activity, especially the deletion of shadow copies, though software from several major enterprise vendors failed to spot the OneDrive spy in their midst. Cybereason doesn't detect the vandalism, and neither does Microsoft Defender for Endpoint, CrowdStrike Falcon, or Palo Alto Cortex XDR, it was claimed.

SentinelOne's software did catch it, and raised a flag about the possibility of a ransomware attack. Unfortunately, it still didn't stop shadow copies from being deleted because the local OneDrive executable is on an allow list.

Because it's a trusted application in multiple EDRs, OneDrive doesn't trip alarms when it alters decoy files, uses known and trusted file extensions for the encrypted files, or takes action in otherwise restricted folders. Since there's no actual malware installed on the target machine, there's no static signature to detect, either.

So, if an attacker can manage to hijack a Windows workstation, they could feasibly encrypt a good portion of the machine using a legitimate piece of software. Is there any way to defend against such attacks? 

Microsoft, at least, has released a fix to address the problem Yair found, we're told, while CrowdStrike, Cybereason and Palo Alto all patched their EDRs.

Otherwise, it's up to applications to stop trusting other processes by default – even if they are created by Microsoft, Yair told us. "If there's no other option, then security vendors need to understand whether an attacker could gain control over processes [like OneDrive], how to detect it and stop it before it happens." ®
