2024-08-22

New Ransomware Gang, Mad Liberator and the Abuse of AnyDesk

Level: Tactical | Source: Sophos | Global

Sophos researchers have documented a new ransomware group calling itself "Mad Liberator". Active since mid-July 2024, the group relies on social engineering around remote access software, specifically AnyDesk, to obtain access to victims' systems. Sophos notes, "We don’t know at this point how, or if, the attacker targets a particular Anydesk ID...In an instance that the Incident Response team investigated, we found no indications of any contact between the Mad Liberator attacker and the victim prior to the victim receiving an unsolicited Anydesk connection request." This suggests that targets may be chosen opportunistically, with no prior interaction. The group's operations observed so far focus on data exfiltration rather than encryption, trading the leverage an encryptor provides for speed; an encryptor could still be introduced later if additional pressure is needed for extortion.

In the intrusions observed, the operators targeted environments where an AnyDesk connection request would not look out of place to the user, who would assume it came from IT support. In one documented instance, "the victim was aware that AnyDesk was used by their company’s IT department. They, therefore, assumed that the incoming connection request was just a usual instance of the IT department performing maintenance, and so clicked Accept." The approach works because it rides on an everyday business practice rather than on any technical exploit. Once the session is established, Mad Liberator disables user input on the victim's machine; this step is recorded in AnyDesk's ad.trace log as a "Disabling user input" entry, which makes it a useful artifact for responders.

The attack then transitions to the exfiltration phase, in which Mad Liberator accesses and steals sensitive data from sources such as OneDrive, central servers, and mapped network shares. Sophos reports that the attackers run Advanced IP Scanner to survey the network for additional targets, although no lateral movement was observed. Sophos advises, "It can be a difficult task to balance security against usability when implementing tools within an environment, especially when these tools help facilitate remote access for the very people tasked with caring for business-critical systems." Organizations are encouraged to enforce strict access controls on remote access tooling, train users to treat unexpected connection requests as suspicious and verify them through a separate channel, and monitor remote access logs and tool execution so that such intrusions are detected and contained promptly.
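
As an added example (not code from the Sophos or Anvilogic write-ups), the following Python sketches how a responder could triage AnyDesk's ad.trace for the sequence described above: a session start followed shortly by a "Disabling user input" entry. Only the "Disabling user input" string comes from the article; the session-start markers, the timestamp layout and the sample log lines are constructed assumptions and must be adjusted to the real log format before use.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable, List, Optional

# "Disabling user input" is the one ad.trace marker the Sophos write-up cites.
# The session-start markers and the line layout below are assumptions for this
# example: check them against a real ad.trace before relying on them.
INPUT_DISABLED_MARKER = "Disabling user input"
SESSION_START_MARKERS = ("Incoming session request", "Session accepted")  # assumed

# Assumed layout: each line starts with "YYYY-MM-DD HH:MM:SS".
TIMESTAMP_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})")


@dataclass
class Finding:
    session_ts: datetime   # when the remote session started
    disabled_ts: datetime  # when user input was disabled
    line: str              # the raw log line that triggered the finding


def parse_timestamp(line: str) -> Optional[datetime]:
    """Return the leading timestamp of a log line, or None if it has none."""
    m = TIMESTAMP_RE.match(line)
    if m is None:
        return None
    return datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")


def find_input_disable_after_session(
    lines: Iterable[str], window: timedelta = timedelta(minutes=15)
) -> List[Finding]:
    """Flag every 'Disabling user input' entry that follows a session start
    within `window`. A disable entry with no recent session start is ignored,
    which keeps the signal tied to the remote-access pattern in the article."""
    findings: List[Finding] = []
    last_session_start: Optional[datetime] = None
    for line in lines:
        ts = parse_timestamp(line)
        if ts is None:
            continue  # continuation or malformed line: skip it
        if any(marker in line for marker in SESSION_START_MARKERS):
            last_session_start = ts
        elif INPUT_DISABLED_MARKER in line and last_session_start is not None:
            if timedelta(0) <= ts - last_session_start <= window:
                findings.append(Finding(last_session_start, ts, line.rstrip()))
    return findings


# Constructed sample trace, not a real ad.trace. The first block mirrors the
# sequence in the article (request accepted, input disabled soon after); the
# last line is a disable entry with no session start in the preceding window.
SAMPLE_TRACE = """\
2024-07-16 09:12:03 info anynet Incoming session request
2024-07-16 09:12:09 info anynet Session accepted
2024-07-16 09:12:41 info app    Disabling user input
2024-07-16 11:40:00 info anynet Session closed
2024-07-17 14:00:05 info app    Disabling user input
""".splitlines()


if __name__ == "__main__":
    for f in find_input_disable_after_session(SAMPLE_TRACE):
        print(f"ALERT: input disabled at {f.disabled_ts} "
              f"after session start at {f.session_ts}")
```

Run against the sample, the detector reports exactly one finding, the 09:12 sequence; the disable entry on the following day is not flagged because no session started within the window. Legitimate IT sessions can also disable input, so treat a hit as a triage signal rather than proof of compromise: correlate it with whether the remote AnyDesk ID is one your IT team uses and whether tool execution such as Advanced IP Scanner or unusual access to shares and OneDrive followed.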
