Mad Liberator Targets Companies with Anydesk and Social Engineering

In July, a new ransomware group known as Mad Liberator emerged in cyberspace, utilizing the Anydesk application and social engineering techniques to infiltrate company systems, steal data, and demand ransom. Sophos experts uncovered the group’s attack methods through the examination of a specific incident.

Unlike most ransomware, Mad Liberator does not encrypt files but focuses on stealing information and threatening to leak it. Mad Liberator also maintains a website where they publish the stolen data if the ransom is not paid.

To infiltrate systems, Mad Liberator uses Anydesk, a tool commonly employed by companies for remote computer management. Unaware of the danger, victims accept connection requests, believing they originate from their organization’s IT department. Once access to the device is gained, the attackers initiate a fake Windows update process.

While the user watches the bogus update, the hackers gain access to the company’s OneDrive storage and server files. Utilizing the FileTransfer feature in Anydesk, the attackers download confidential data and use the Advanced IP Scanner tool to probe other devices on the network. In this particular case, the ransomware operators did not find any valuable systems beyond the primary computer. After completing the data theft, the hackers leave a ransom note on the device.

The attack lasted nearly four hours, after which the attackers concluded the fake update and terminated the Anydesk session, returning control of the device to the victim. Notably, the malicious software was launched manually, without automatic restarting, meaning the malware remained dormant on the victim’s system after the attack was concluded.