A new extortion crew, Mad Liberator, enters the picture • The Register

According to Sophos X-Ops, a new extortion gang called Mad Liberator is using social engineering and the AnyDesk remote access tool to steal data from organizations and then demand ransom payments.

The incident response team first spotted the cybercrime crew in mid-July. And while Sophos X-Ops calls it a ransomware group, it hasn’t seen any data encryption linked to Mad Liberator – only data exfiltration.

However, threat hunters point to info from watchguard.com, which indicates that the group uses encryption to lock victims’ files. It also uses dual extortion tactics: first stealing data, then encrypting the systems and threatening to leak the stolen files unless the victim pays.

Mad Liberator also operates a leak site to name and shame victims. According to the site, stolen information can be downloaded for free.

Mad Liberator targets victims using remote access tools like AnyDesk. Since it is a legitimate application used by many IT departments to manage remote devices, unsuspecting employees are more likely to click "Accept" when they receive a request from someone wanting to access their device.

It’s important to note that AnyDesk provides guidance on how administrators can implement policies to only allow connections from specific devices, plus other security measures to prevent this type of attack.

AnyDesk provides remote access by assigning a unique 10-digit address to each device it is installed on. The user can then request access to a remote device using this 10-digit ID, or invite someone else to take control of their device via a remote session.

“We do not know at this time if or how the attacker is targeting a specific AnyDesk ID,” Paul Jacobs and Lee Kirkpatrick, leaders of Sophos IR, said in a study published Wednesday.

While the attackers could theoretically go through 10 billion 10-digit IDs, this isn’t very practical. Additionally, there was no indication of prior contact between the attacker and the victim, nor was the victim a “prominent or publicly visible employee.”

In one particular case, Sophos noted that the victim knew their company's IT department used AnyDesk, and therefore assumed the connection request was legitimate. So when they saw the pop-up asking them to authorize the connection, and thus grant someone else access to their device, they assumed it was IT and clicked "Accept".

After gaining access to the device, the extortionist deployed and executed a binary named “Microsoft Windows Update” that mimics a Windows update screen. Here is the SHA256 hash:

F4b9207ab2ea98774819892f11b412cb63f4e7fb4008ca9f9a59abc2440056fe

Sophos has developed a detection (Troj/FakeUpd-K) for this binary.

Once in control of the victim's computer, the attacker also accessed a OneDrive account associated with the device, plus files on a central server reachable via a mapped network share.

The cybercriminal used the AnyDesk FileTransfer facility to steal files and Advanced IP Scanner to look for additional devices to compromise. Apparently none of those devices looked interesting enough, because the attacker did not move on to any of them.

After the files were stolen, the Mad Liberator team ran another program with the ransom note, which explained how to pay to prevent the files from being made public.

“The attack lasted for nearly four hours. At the end of the attack, the attacker closed the fake update screen and ended the AnyDesk session, giving the victim back control of the device,” Jacobs and Kirkpatrick wrote.

“We observed that the binary was manually activated by the attacker. There was no scheduled task or automation to re-execute the file once the attacker was gone. The file simply remained on the affected system,” they added.
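The sequence Sophos describes (AnyDesk session opened, a fake "Microsoft Windows Update" binary launched by hand, bulk outbound file transfer, session closed) is the kind of pattern a defender can correlate in endpoint telemetry. The script below is an added illustration, not code from the article or from Sophos; the event layout and the sample events are constructed and hypothetical, and the only real value in it is the SHA256 quoted above.

```python
from datetime import datetime

# SHA256 of the fake "Microsoft Windows Update" binary, as quoted in the article.
FAKE_UPDATE_SHA256 = "f4b9207ab2ea98774819892f11b412cb63f4e7fb4008ca9f9a59abc2440056fe"

# Constructed sample telemetry for one host (hypothetical normalised format,
# not AnyDesk's own log format). The notepad hash is a dummy placeholder.
SAMPLE_EVENTS = [
    {"ts": "2024-07-15 10:02:11", "host": "WS-17", "type": "anydesk_session_start"},
    {"ts": "2024-07-15 10:05:40", "host": "WS-17", "type": "process_start",
     "image": r"C:\Users\alice\Downloads\Microsoft Windows Update.exe",
     "sha256": "F4B9207AB2EA98774819892F11B412CB63F4E7FB4008CA9F9A59ABC2440056FE"},
    {"ts": "2024-07-15 10:30:02", "host": "WS-17", "type": "process_start",
     "image": r"C:\Windows\System32\notepad.exe", "sha256": "0" * 64},
    {"ts": "2024-07-15 11:41:09", "host": "WS-17", "type": "anydesk_file_transfer",
     "direction": "outbound", "files": 312},
    {"ts": "2024-07-15 14:01:55", "host": "WS-17", "type": "anydesk_session_end"},
]


def _t(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def triage(events):
    """Return (host, timestamp, reason) for suspicious activity that occurs
    while an AnyDesk session is open on that host."""
    findings = []
    in_session = {}  # host -> session start timestamp while a session is open
    for e in sorted(events, key=lambda ev: _t(ev["ts"])):
        host, kind = e["host"], e["type"]
        if kind == "anydesk_session_start":
            in_session[host] = e["ts"]
        elif kind == "anydesk_session_end":
            in_session.pop(host, None)
        elif host in in_session:  # only events inside an active session matter here
            if kind == "process_start":
                name = e["image"].rsplit("\\", 1)[-1].lower()
                if e["sha256"].lower() == FAKE_UPDATE_SHA256:
                    findings.append((host, e["ts"], "known fake-update binary hash"))
                elif "update" in name and not e["image"].lower().startswith("c:\\windows\\"):
                    findings.append((host, e["ts"], "update-themed binary outside %SystemRoot%"))
            elif kind == "anydesk_file_transfer" and e["direction"] == "outbound":
                findings.append((host, e["ts"], f"outbound AnyDesk file transfer ({e['files']} files)"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f)
```

Run against the sample events it reports the fake-update launch and the outbound transfer, and nothing for the same events once the session-start record is absent.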

Mad Liberator’s rise comes as ransomware groups in general are looking to have a successful year in 2024, despite recent law enforcement disruptions.

In a semi-annual ransomware study published by Palo Alto Networks’ Unit 42, the threat intel team monitored the underground websites of 53 ransomware groups and tallied the number of victims in the first six months of 2024. Unit 42 counted 1,762 posts on these leak sites — a 4.3 percent increase year-over-year from 2023. ®