The Sophos X-Ops Incident Response team is examining the tactics of Mad Liberator, a ransomware group that first appeared in mid-July 2024. The investigation highlights how the group abuses the popular remote-access application AnyDesk to get into victim environments.
Mad Liberator appears to focus on data exfiltration rather than encryption, although encryption and double-extortion tactics have been seen in some incidents. The group runs a leak site where it publishes victim details to pressure them into paying. It gains initial access through social engineering, specifically by targeting organizations that already use remote-access tools such as AnyDesk.
The attack starts with an unsolicited AnyDesk connection request to the target. If the user accepts it, the attacker has an interactive session on the device and drops a binary that displays a fake Windows Update screen. Behind that screen the attacker disables the user’s keyboard and mouse input, so the victim cannot see or interrupt what is being done.
With the session established, the attacker exfiltrates data from the victim’s device and network, including files in the victim’s OneDrive account and on a central server. The attacker then writes ransom notes threatening to publish the stolen data unless a ransom is paid. The activity is designed to avoid antivirus detection, and because it runs inside a remote-access session the user approved, using a tool the organization installed, the victim may not realize a compromise has taken place.
To reduce the risk, Sophos recommends enabling AnyDesk’s Access Control List so that only approved devices can connect. Beyond that, organizations should run ongoing security-awareness training and define a clear protocol for remote sessions initiated by IT, so that staff know an unexpected connection request is something to refuse and report rather than accept.
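The allow-list idea behind the ACL recommendation can also be applied after the fact, by checking AnyDesk’s own connection records for incoming sessions from IDs that are not on the approved list. The script below is an added example, not code from Sophos or AnyDesk. It assumes a tab-separated record layout modelled on AnyDesk’s connection_trace.txt (direction, timestamp, how the session was accepted, peer ID, alias); the sample lines and the approved-ID set are constructed for the demo. A hit accepted via "User" is the Mad Liberator pattern: an unsolicited request that an employee clicked Accept on.

```python
"""Allow-list check over AnyDesk-style connection records.

Added example, not code from Sophos or from AnyDesk. The record layout is an
assumption modelled on connection_trace.txt (tab-separated: direction,
timestamp, accept method, peer ID, peer alias); sample data is constructed.
"""
from dataclasses import dataclass

# Constructed approved-device list: the AnyDesk IDs the IT team connects from.
# In production this mirrors the ACL configured in the AnyDesk client
# (Settings > Security > Access Control List), not a separate file.
APPROVED_IDS = {"100200300", "100200301"}

# Constructed sample in the assumed connection_trace.txt layout.
SAMPLE_TRACE = """\
Incoming\t2024-07-16, 09:12\tUser\t100200300\thelpdesk-01@ad
Incoming\t2024-07-16, 14:47\tUser\t987654321\t
Incoming\t2024-07-17, 10:03\tToken\t100200301\thelpdesk-02@ad
Incoming\t2024-07-17, 10:05\tREJECTED\t987654321\t
Outgoing\t2024-07-17, 11:30\tUser\t555000111\tvendor-support@ad
"""


@dataclass(frozen=True)
class Connection:
    direction: str     # Incoming / Outgoing
    when: str
    accepted_by: str   # User = someone clicked Accept; Token = unattended password; REJECTED = refused
    peer_id: str
    alias: str


def parse_trace(text):
    """Parse the assumed tab-separated layout into Connection records."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("\t")
        if len(parts) < 4:
            continue  # malformed line, skip rather than guess
        direction, when, accepted_by, peer_id = parts[:4]
        alias = parts[4] if len(parts) > 4 else ""
        rows.append(Connection(direction, when, accepted_by, peer_id, alias))
    return rows


def flag_unapproved_incoming(conns, approved):
    """Incoming sessions that were actually established (not REJECTED)
    from a peer ID outside the allow-list."""
    return [
        c for c in conns
        if c.direction == "Incoming"
        and c.accepted_by != "REJECTED"
        and c.peer_id not in approved
    ]


def summarize(text=SAMPLE_TRACE, approved=APPROVED_IDS):
    """Return (timestamp, peer ID, accept method) for each unapproved session."""
    hits = flag_unapproved_incoming(parse_trace(text), approved)
    return [(c.when, c.peer_id, c.accepted_by) for c in hits]


if __name__ == "__main__":
    for when, peer, how in summarize():
        print(f"ALERT {when}: incoming AnyDesk session from unapproved ID {peer} (accepted via {how})")
```

On the constructed sample only the 14:47 session is flagged: it is incoming, from an ID not in the approved set, and a user accepted it. The later request from the same ID is ignored because it was rejected, and the outgoing vendor session is out of scope for this check. Adjust the record layout to match the actual file on the host before relying on it.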
Mad Liberator shows how ransomware operations keep adapting, in this case by relying on social engineering and a legitimate remote-access tool rather than on malware-heavy intrusion. Organizations that restrict who can connect, train staff to refuse unexpected remote sessions, and set clear rules for IT-initiated support can cut their exposure to this kind of attack considerably. The Sophos X-Ops investigation is a useful reminder that these controls need to be in place before the connection request arrives.
