The Mad Liberator Ransomware Group Uses Social-Engineering Techniques
By Pierluigi Paganini
August 19, 2024

New Cybercrime Group Targets AnyDesk Users
The cybersecurity landscape has seen the emergence of a new ransomware group called Mad Liberator, which is particularly focused on exploiting users of the popular remote-access application, AnyDesk. As reported by the Sophos X-Ops Incident Response team, the group has employed ingenious tactics, including the use of a deceptive Microsoft Windows update screen, to mask their malicious activities, specifically data exfiltration.
The Operations of Mad Liberator
Since gaining traction in July 2024, Mad Liberator has been distinctive in its approach. Unlike traditional ransomware groups that prioritize data encryption, Mad Liberator focuses on exfiltrating sensitive information. Their operational strategy mirrors that of other extortion groups, which notably includes running a leak site to publicly name and shame their victims.
Social Engineering at its Core
Mad Liberator predominantly relies on social engineering techniques to infiltrate targeted organizations. They specifically target those that utilize remote access tools, like AnyDesk. This method includes misleading potential victims into believing that connection requests are legitimate, typically from their IT departments.
AnyDesk provides users with a unique 10-digit ID for remote access, enabling others to request control over their devices. However, the means by which attackers select specific IDs remains unclear. Randomly cycling through a multitude of potential IDs could be deemed inefficient, given the vast number of combinations.
Deception Through Familiar Interfaces
When a connection request through AnyDesk is made, a pop-up appears, requiring user authorization for the connection to be fulfilled. A notable case documented by the Sophos team involved a victim who was familiar with AnyDesk as a tool used by their company’s IT department. Consequently, the victim, assuming the request to be benign, approved the connection. Once established, the attackers transferred a binary file disguised as a “Microsoft Windows Update” onto the victim’s device.
The Fake Windows Update Ruse
The malware employed by Mad Liberator mimics a Windows Update screen. This guise is effective in preventing detection by most antivirus software. To further entrench their deception, the attackers disable the user’s keyboard and mouse inputs via AnyDesk, making it virtually impossible for victims to exit the false update interface. This coordinated ruse allows the attack to progress unseen.
Data Exfiltration Techniques
With the fake update screen in place, the attackers exploited the established connection to access the victim’s OneDrive account and their files on central servers. Using AnyDesk’s File Transfer feature, they exfiltrated the data. Instead of pushing deeper into the organization’s network, the attackers used Advanced IP Scanner to look for other devices that might be exploitable, but they did not pursue lateral movement.
After securing the desired information, they created ransom notes in various locations across a shared network rather than on the victim’s device itself. Researchers noted that the fake update screen was designed to run for nearly four hours before the attacker concluded the session and terminated it, returning control to the unsuspecting victim.
Implications for Cybersecurity Practices
The series of operations executed by Mad Liberator underscores the imperative for ongoing staff training and clearly defined protocols regarding remote access sessions. Organizations are advised to utilize Access Control Lists on AnyDesk that restrict connections exclusively to specified devices.
As Mad Liberator emerges as a player in the ransomware realm, the social engineering tactics visible in their operations are not particularly novel but rather indicative of an ongoing trend in cybercrime—one that exploits both human vulnerabilities and the technical layers of security.