“Effective Strategies for Detecting Ransomware in OneDrive”

The article examines ransomware campaigns that target cloud storage—especially Microsoft OneDrive—showing how attackers use stolen credentials, abused application permissions, and external services to encrypt or delete cloud files. It highlights detection and hunting strategies plus prevention steps organizations can take to reduce risk. #OneDrive #MicrosoftGraph

Keypoints

  • Ransomware actors increasingly target cloud storage platforms, with OneDrive highlighted as a common target.
  • Initial access is often achieved via credential theft, stolen tokens, or by abusing registered applications and their permissions.
  • Because OneDrive offers no way to run attacker code inside the service, attackers download files to external storage or services, encrypt them there, and re-upload the results (or delete the originals).
  • Threat actors may tamper with versioning, recycle bins, or delete original files to frustrate recovery and increase pressure to pay.
  • Effective threat hunting requires thinking like the attacker and looking for suspicious patterns in Graph API usage, token activity, and anomalous file transfers.
  • Prevention focuses on strict user access controls, securing application permissions, enforcing MFA and conditional access, and isolating backups.

MITRE Techniques

  • [T1078] Valid Accounts (Initial Access) – Used to gain entry with valid credentials or tokens. [‘Gaining access through stolen credentials or tokens.’]
  • [T1003] OS Credential Dumping – Extracting access tokens or credentials from compromised endpoints to re-use for cloud access. [‘Extracting access tokens from compromised devices.’]
  • [T1071] Application Layer Protocol – Leveraging the Microsoft Graph API to perform malicious actions against cloud-stored files. [‘Utilizing Microsoft Graph API for malicious actions.’]
  • [T1486] Data Encrypted for Impact – Encrypting files in cloud storage to deny access and demand ransom. [‘Encrypting files to disrupt access and demand ransom.’]
  • [T1565] Data Manipulation – Modifying or replacing files with encrypted content and removing originals to prevent recovery. [‘Modifying files with encrypted content or deleting original files.’]
  • [T1105] Ingress Tool Transfer (formerly Remote File Copy) – Downloading files from OneDrive to attacker-controlled storage to perform encryption or tampering. [‘Downloading files from OneDrive to attacker-controlled storage.’] Note that T1105 describes moving tools into the victim environment; pulling victim data out to attacker storage is more precisely T1530 Data from Cloud Storage, which the article does not list.

Indicators of Compromise

  • [No IoC Found] The article does not publish any IP addresses, file hashes, domains, filenames, or other concrete indicators of compromise.

The growth of ransomware that targets cloud storage services has shifted attention from on-premises backups to the protections and controls that govern cloud accounts. Attackers are adapting by focusing on user identities, application permissions, and cloud APIs rather than trying to run code directly inside services like OneDrive. Because cloud platforms typically do not allow arbitrary execution within storage, adversaries rely on exfiltrating files to systems they control or abusing API functionality to rewrite content, then re-upload encrypted versions or remove originals to disrupt recovery.

Initial access often comes through compromised credentials, stolen OAuth tokens, or by exploiting overly permissive registered applications. Once they have valid tokens or an authorized app, attackers can call the Microsoft Graph API to list, download, and upload files at scale. In practice this means adversaries may download user files to external infrastructure where they perform encryption, then push encrypted files back to OneDrive or delete the originals, effectively turning cloud storage into the target of a ransomware campaign without executing a traditional payload inside the service.

Beyond the encryption phase, threat actors frequently attempt to frustrate incident response by manipulating recovery mechanisms. They may delete or alter file versions, empty recycle bins, and change retention settings so that automated recovery and version rollback are ineffective. These steps increase the likelihood victims will pay or be forced into lengthy restoration processes.

Detecting these attacks requires defenders to look at cloud-native signals and think from the attacker’s perspective. Useful indicators include unusual Graph API patterns, anomalous token usage (such as long-lived tokens being used from new IPs or devices), unexpected app consent grants, bulk file downloads followed within a short window by uploads of new or modified files and deletion of the originals, and actions that alter versioning, recycle bins, or retention policies. Correlating API activity with identity events (sign-in logs, consent and app-registration audit events), device telemetry, and network indicators helps build a clearer picture of suspicious behavior.
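The hunt described above, expressed as code, as an added example that is not part of the original article or of Hunters' tooling. It walks Microsoft 365 unified audit log records for OneDrive and flags any (user, application) pair that bulk-downloads files, re-uploads same-named files within a tight window, deletes the originals, or wipes version history and the recycle bin. The field names (Operation, UserId, ClientIP, CreationTime, ApplicationId, SourceFileName) follow the unified audit log schema for SharePoint/OneDrive file events; the sample records, the baseline IP set, the application identifiers, the 30-minute window and the file-count threshold are all constructed or assumed for illustration.

```python
"""Hunt the download -> encrypt off-platform -> re-upload -> wipe-recovery pattern
in Microsoft 365 unified audit log records for OneDrive.

Added example, not code from the Hunters article. Field names follow the unified
audit log schema for SharePoint/OneDrive file events; sample records, baseline
IPs, app identifiers, WINDOW and MIN_FILES are constructed or assumed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)   # assumption: a full round trip this fast is scripted
MIN_FILES = 5                    # assumption: fewer downloads/uploads is not "bulk"

# Audit operations that remove the victim's own recovery paths.
RECOVERY_TAMPERING_OPS = {
    "FileVersionsAllDeleted",
    "FileVersionsAllMinorsDeleted",
    "FileDeletedFirstStageRecycleBin",
    "FileDeletedSecondStageRecycleBin",
}


def _ev(t, op, user, ip, app, name):
    """Build one constructed audit record with the unified-audit-log field names."""
    return {"CreationTime": t, "Operation": op, "UserId": user, "ClientIP": ip,
            "ApplicationId": app, "SourceFileName": name}


def _ts(rec):
    return datetime.fromisoformat(rec["CreationTime"])


def _stem(name):
    # "contract-1.pdf" and "contract-1.pdf.locked" share the stem "contract-1".
    return name.split(".")[0]


def hunt(events, known_ips):
    """Return one finding per (UserId, ApplicationId) matching the pattern.

    known_ips maps user -> set of source IPs seen during a baseline period, so a
    burst from a never-seen address can be called out in the finding."""
    by_actor = defaultdict(list)
    for e in events:
        by_actor[(e["UserId"], e["ApplicationId"])].append(e)

    findings = []
    for (user, app), recs in by_actor.items():
        ops = defaultdict(list)
        for r in recs:
            ops[r["Operation"]].append(r)
        downloads, uploads = ops["FileDownloaded"], ops["FileUploaded"]
        if len(downloads) < MIN_FILES or len(uploads) < MIN_FILES:
            continue
        first_dl = min(_ts(r) for r in downloads)
        first_ul = min(_ts(r) for r in uploads)
        last_ul = max(_ts(r) for r in uploads)
        # Encryption happens off-platform: downloads must precede the uploads,
        # and the whole round trip should fit inside one tight window.
        if first_ul < first_dl or last_ul - first_dl > WINDOW:
            continue
        dl_names = {r["SourceFileName"] for r in downloads}
        dl_stems = {_stem(n) for n in dl_names}
        # Same document coming back, typically under a new extension.
        reuploaded = sorted({r["SourceFileName"] for r in uploads
                             if _stem(r["SourceFileName"]) in dl_stems})
        deleted_originals = sorted({r["SourceFileName"] for r in ops["FileDeleted"]
                                    if r["SourceFileName"] in dl_names})
        tampering = sorted({r["Operation"] for r in recs
                            if r["Operation"] in RECOVERY_TAMPERING_OPS})
        new_ips = sorted({r["ClientIP"] for r in recs} - known_ips.get(user, set()))
        severity = "high" if tampering or deleted_originals else "medium"
        findings.append({
            "user": user, "app": app, "severity": severity,
            "downloads": len(downloads), "uploads": len(uploads),
            "reuploaded": reuploaded, "deleted_originals": deleted_originals,
            "recovery_tampering": tampering, "new_ips": new_ips,
            "window_start": first_dl.isoformat(),
        })
    return findings


def sample_events():
    """Constructed records: alice works normally; bob's account is driven by an
    unrecognised app from a new IP through the full ransomware sequence."""
    ev = []
    alice = ("alice@contoso.com", "198.51.100.8", "onedrive-sync-client")
    for i, name in enumerate(["notes.docx", "q1.xlsx", "deck.pptx"]):
        ev.append(_ev(f"2024-05-01T09:0{i}:00", "FileDownloaded", *alice, name))
    ev.append(_ev("2024-05-01T09:30:00", "FileUploaded", *alice, "notes.docx"))

    bob = ("bob@contoso.com", "203.0.113.77", "unknown-app-registration")
    docs = [f"contract-{i}.pdf" for i in range(6)]
    for i, name in enumerate(docs):
        ev.append(_ev(f"2024-05-02T02:0{i}:00", "FileDownloaded", *bob, name))
    for i, name in enumerate(docs):
        ev.append(_ev(f"2024-05-02T02:1{i}:00", "FileUploaded", *bob, name + ".locked"))
        ev.append(_ev(f"2024-05-02T02:1{i}:30", "FileDeleted", *bob, name))
    ev.append(_ev("2024-05-02T02:20:00", "FileVersionsAllDeleted", *bob, "contract-0.pdf.locked"))
    ev.append(_ev("2024-05-02T02:21:00", "FileDeletedSecondStageRecycleBin", *bob, "contract-0.pdf"))
    return ev


# Constructed baseline: bob has only ever synced from 198.51.100.9.
BASELINE_IPS = {"alice@contoso.com": {"198.51.100.8"}, "bob@contoso.com": {"198.51.100.9"}}

if __name__ == "__main__":
    for f in hunt(sample_events(), BASELINE_IPS):
        print(f"[{f['severity'].upper()}] {f['user']} via {f['app']} from {f['new_ips']}: "
              f"{f['downloads']} downloads, {f['uploads']} uploads, "
              f"{len(f['deleted_originals'])} originals deleted, tampering={f['recovery_tampering']}")
```

Run against the constructed records, the hunt is silent on alice (three downloads and one upload are below the threshold) and raises a single high-severity finding for bob's account: six downloads, six matching `.locked` uploads eleven minutes later, all six originals deleted, version history and second-stage recycle bin purged, all from an IP absent from his baseline. In production the same function would be fed records from `Search-UnifiedAuditLog` or the Office 365 Management Activity API, and `known_ips` would come from a longer lookback over the same source.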

Preventive measures center on strengthening identity and application governance. Enforce multifactor authentication, apply conditional access policies, and restrict administrative privileges. Limit and audit application permissions and consent grants, require just-in-time or time-bound privileges for service principals, and monitor for creation of new registered apps. Maintain isolated, immutable backups that do not rely solely on the same cloud accounts used for primary storage. Regular threat hunting exercises that simulate attacker tactics and review Graph API logs will improve detection and reduce dwell time.

When responding to an incident, treat cloud storage compromises as identity-driven breaches: contain affected credentials and app permissions, revoke tokens, preserve logs, assess the scope of downloaded or modified files, and restore from isolated backups where available. Coordination between identity, cloud, and endpoint teams is critical to remove attacker footholds and validate that recovery processes are effective.

Read more: https://www.hunters.security/en/blog/hunting-ransomware-in-onedrive