The first step in turning OneDrive into a ransomware double agent was taking over someone's account, a task Yair found surprisingly easy once he had a foothold on a Windows PC.
Yair discovered that OneDrive writes its log files to a directory tied to the logged-in user, and that those logs contained session tokens; he said he could recover them simply by copying and parsing the log file. Those stolen tokens were the starting point for everything that followed.
Breaking out of OneDrive's designated directories was straightforward. Yair explained that while symbolic links can only be created by an administrator (which he was not during the experiment), junctions can be created by any user, with the one restriction that a junction must point to a directory rather than an individual file. By creating junctions that pointed to locations outside the OneDrive directory, Yair gained the ability to create, modify, or delete files elsewhere on the local machine.
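Because any user can plant a junction inside the sync folder, one defensive check is to enumerate junctions under the OneDrive sync root and flag any whose target lies outside it. The following is an added example written for this page, not code from the article or from the researcher; the sync root, the folder names and the junction targets in `SAMPLE_ENTRIES` are constructed for illustration, and `scan_sync_root` is a hypothetical helper that only does real work on Windows.

```python
"""Flag directory junctions under a OneDrive sync root that escape it.

Added example for this page (not the article's or the researcher's code).
The escape test works on plain path strings so it runs anywhere; the
filesystem scan needs Windows, where junctions exist.
"""
import os
import stat
from pathlib import PureWindowsPath

# Constructed sample: (junction path, junction target) pairs as a scan might return them.
SAMPLE_SYNC_ROOT = r"C:\Users\alice\OneDrive"
SAMPLE_ENTRIES = [
    # Stays inside the sync root: harmless.
    (r"C:\Users\alice\OneDrive\Documents\project", r"C:\Users\alice\OneDrive\Archive\project"),
    # Points at the user's Desktop: the sync client would now write outside its root.
    (r"C:\Users\alice\OneDrive\Pictures\link", r"C:\Users\alice\Desktop"),
    # Extended-length form, as os.readlink may report it; points at a system directory.
    (r"C:\Users\alice\OneDrive\Work\sys", r"\\?\C:\Windows\System32"),
    # Sibling folder with a shared name prefix: must NOT be mistaken for "inside".
    (r"C:\Users\alice\OneDrive\Old", r"C:\Users\alice\OneDriveBackup\Old"),
]


def _normalise(path: str) -> PureWindowsPath:
    """Strip the \\\\?\\ extended-length prefix and parse as a Windows path."""
    if path.startswith("\\\\?\\"):
        path = path[4:]
    return PureWindowsPath(path)


def escapes_sync_root(sync_root: str, target: str) -> bool:
    """True if a junction target lies outside the sync root.

    Compares path components (case-insensitively, as NTFS is by default) rather
    than string prefixes, so "C:\\...\\OneDriveBackup" is not treated as inside
    "C:\\...\\OneDrive".
    """
    root_parts = [p.lower() for p in _normalise(sync_root).parts]
    target_parts = [p.lower() for p in _normalise(target).parts]
    return target_parts[: len(root_parts)] != root_parts


def find_escaping_junctions(sync_root: str, entries):
    """Return the (junction, target) pairs from `entries` whose target escapes the root."""
    return [(j, t) for j, t in entries if escapes_sync_root(sync_root, t)]


def scan_sync_root(sync_root: str):
    """Hypothetical helper: walk a real sync root on Windows and collect junctions.

    Uses the reparse attributes exposed by os.lstat (Python 3.8+ on Windows);
    on other platforms it returns an empty list.
    """
    found = []
    for dirpath, dirnames, _ in os.walk(sync_root):
        for name in dirnames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            attrs = getattr(st, "st_file_attributes", 0)
            tag = getattr(st, "st_reparse_tag", 0)
            if attrs & getattr(stat, "FILE_ATTRIBUTE_REPARSE_POINT", 0) and \
               tag == getattr(stat, "IO_REPARSE_TAG_MOUNT_POINT", None):
                found.append((full, os.readlink(full)))
    return found


def report(sync_root: str = SAMPLE_SYNC_ROOT, entries=None):
    """Run the check over constructed data (or a real scan) and return the findings."""
    if entries is None:
        entries = SAMPLE_ENTRIES
    return find_escaping_junctions(sync_root, entries)


if __name__ == "__main__":
    for junction, target in report():
        print(f"junction {junction} escapes sync root -> {target}")
```

On a live machine, replace the constructed entries with `scan_sync_root(<sync root>)`; the path comparison is the part worth keeping, since a naive string-prefix test would both miss the extended-length form and wrongly accept a sibling folder such as `OneDriveBackup`.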
OneDrive keeps shadow copies of files so they can be recovered after an attack, which should stop ransomware from wiping out backups. However, Yair found a loophole in the OneDrive app for Android, which used a different API from the other OneDrive apps. Through that API, Yair was able to erase the original copies of encrypted files in a way that made them unrecoverable, leaving the victim with nothing but backups that were themselves encrypted.