August 15, 2024 at 06:38AM
Mad Liberator, a new extortion gang, targets organizations using social engineering and the remote-access tool AnyDesk to steal data and demand ransom. Although it does not encrypt data, the gang uses double-extortion tactics and operates a leak site. AnyDesk advises implementing security measures to prevent such attacks. The gang's emergence aligns with a rise in ransomware activity in 2024.
The report details the activities of a new extortion gang called Mad Liberator, which uses social engineering and the remote-access tool AnyDesk to steal organizations' data and demand ransom payments. Although Sophos X-Ops calls them a ransomware group, it has not observed any data encryption linked to Mad Liberator, only data exfiltration.
Mad Liberator applies double-extortion pressure without the encryption step: it steals data and then threatens to leak the stolen files unless the victim pays up. The gang operates a leak site to shame victims and claims that the stolen information can be downloaded there for free.
The gang reaches its victims through remote-access tools such as AnyDesk, counting on unsuspecting employees who are likely to accept an access request that appears to come from a legitimate source.
A concerning aspect is that the attackers could, in theory, cycle through the 10 billion possible 10-digit AnyDesk IDs; there is no indication of any previous contact between attacker and victim before the connection request. Victims are often tricked into granting access because they assume the request comes from their own IT department.
Once connected, Mad Liberator takes control of the victim's machine, accesses its files, and uses tools such as AnyDesk FileTransfer and Advanced IP Scanner to steal data and look for additional devices to compromise. After stealing the files, the attacker runs a program that displays a fake update screen and leaves a ransom note demanding payment to prevent disclosure of the stolen files.
The attack typically lasts around four hours, after which the attacker closes the fake update screen and ends the AnyDesk session, returning control of the device to the victim.
The emergence of Mad Liberator coincides with an expected increase in ransomware activities in 2024, according to a half-year review published by Palo Alto Networks’ Unit 42. The review monitored 53 ransomware groups’ activities and noted a year-over-year increase in the number of posts on leak sites.
Overall, the report provides a detailed account of Mad Liberator's tactics and activities, along with insights into the broader landscape of ransomware activity in 2024.