Microsoft presents OneDrive as an effective tool against ransomware, but according to security researchers this is not the case.
According to research published this week and presented by Or Yair of SafeBreach at Black Hat, the Microsoft tool should be considered a “double agent”: the findings show how the cloud service can be turned against its own users and become very dangerous.
According to Or Yair, “Microsoft describes OneDrive as a haven against ransomware […] used for ransomware data recovery, and Microsoft even recommends users to store important files in it because they are better protected in the cloud.”
However, as the researcher demonstrated during his talk, a series of mistakes by both Microsoft and third-party vendors make the sync client easy to fool: it will process, and therefore encrypt, any data it can be pointed at through a link.
OneDrive “double agent”? Here’s how you can bypass its security systems
Microsoft's cloud storage service, commonly used to synchronize files between the company's servers and local computers, thus represents a hidden danger on users' PCs.
For a cybercriminal to act on OneDrive and use it to their advantage, they must first gain access to the victim's account. This stage is not complicated if the attacker already has a foothold on a compromised Windows machine.
OneDrive, by design, writes log files locally. Those logs contain session tokens, which Yair said he was able to extract once he copied and parsed the log file.
With the token in hand, the next step is to break out of the OneDrive directories by creating links from inside the sync folder to locations outside it, and then to modify what those links point at. “Once we create links with areas outside the OneDrive directory, we get a situation where it is possible to create, edit or delete files on a local machine,” Yair said.
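The link-based escape described above suggests a simple defensive check a defender can run on an endpoint: enumerate the OneDrive sync root for symbolic links or reparse points whose resolved target lies outside that root. The script below is an added example and is not code from the article, from SafeBreach or from Microsoft; the sync-root and folder names it uses, and the sample files and links it creates in a temporary directory, are constructed for the demonstration.

```python
import os
import stat
import tempfile
from pathlib import Path


def is_reparse_or_symlink(path: Path) -> bool:
    """True for symbolic links on any OS and, on Windows, for junctions and
    other reparse points (the link types a sync client can be pointed through)."""
    if path.is_symlink():
        return True
    try:
        st = os.lstat(path)
    except OSError:
        return False
    # st_file_attributes exists only on Windows; elsewhere treat it as 0
    attrs = getattr(st, "st_file_attributes", 0)
    return bool(attrs & stat.FILE_ATTRIBUTE_REPARSE_POINT)


def find_escaping_links(sync_root):
    """Return sorted (link, resolved_target) pairs for entries under sync_root
    that are links whose target resolves to a location outside sync_root.
    A dangling or looping link is reported with target None."""
    root = Path(sync_root).resolve()
    findings = []
    # os.walk does not follow symlinks by default, so each link is seen once
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            entry = Path(dirpath) / name
            if not is_reparse_or_symlink(entry):
                continue
            try:
                target = entry.resolve(strict=True)
            except (OSError, RuntimeError):
                findings.append((str(entry), None))
                continue
            if target != root and root not in target.parents:
                findings.append((str(entry), str(target)))
    return sorted(findings)


def build_demo_tree():
    """Constructed sample layout (hypothetical names) in a temp directory:
    a fake 'OneDrive' sync root holding a benign link that stays inside it
    and one link that escapes to a sibling 'Documents' folder.
    Creating symlinks needs no privilege on Linux/macOS; on Windows it may
    require Developer Mode or an elevated prompt."""
    base = Path(tempfile.mkdtemp(prefix="onedrive-demo-"))
    sync_root = base / "OneDrive"
    outside = base / "Documents"
    (sync_root / "notes").mkdir(parents=True)
    outside.mkdir()
    (sync_root / "report.docx").write_text("constructed sample file")
    (outside / "budget.xlsx").write_text("constructed sample file")
    os.symlink(sync_root / "notes", sync_root / "notes_alias", target_is_directory=True)
    os.symlink(outside, sync_root / "escape", target_is_directory=True)
    return sync_root, outside


def scan_demo():
    """Build the constructed tree and scan it; returns (findings, outside_dir)."""
    sync_root, outside = build_demo_tree()
    return find_escaping_links(sync_root), outside.resolve()


if __name__ == "__main__":
    hits, _ = scan_demo()
    for link, target in hits:
        print(f"link inside sync root points outside it: {link} -> {target}")
```

To use it against a real profile, call `find_escaping_links()` with the user's actual OneDrive folder instead of the constructed tree; any hit is a link the sync client could be driven through to touch files that were never meant to be in the cloud-synced tree.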
OneDrive includes features intended to stop ransomware from destroying backups, so that copies of your files remain available and can be restored after an attack. Yair claims to have been able to subvert those features too, through the OneDrive app for Android.
The Android app uses an API that differs from the one used by the other OneDrive clients, and that difference allowed Yair to delete the original copies of the files he had encrypted in a way that rendered them unrecoverable, leaving the victim with nothing but inaccessible encrypted copies.