August 17, 2024 at 10:37AM
Mad Liberator, a new data extortion group, targets AnyDesk users, displaying a fake Microsoft Windows update screen to distract victims while it exfiltrates data. The group claims to use AES/RSA algorithms to lock files but did not encrypt data in observed attacks. It drops ransom notes on shared network directories as a visibility tactic. If victims don’t respond, stolen files are published.
A new data extortion group called Mad Liberator is targeting AnyDesk users. The operation emerged in July, and the group claims to use AES/RSA algorithms to lock files.

The attack starts with an unsolicited connection to a computer using the AnyDesk remote access application. Once the connection request is approved, the attackers drop a fake Microsoft Windows Update screen to distract the victim while data is stolen from OneDrive accounts, network shares, and local storage using AnyDesk’s File Transfer tool.

Mad Liberator then drops ransom notes on the shared network directories, even though no data encryption is performed. The group also engages in an extortion process, offering to help breached firms fix their security issues and recover encrypted files if its monetary demands are met. If the demands are not met, the stolen files are published on the Mad Liberator website.
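Because no files are encrypted in the chain described above, detections keyed on mass file modification will not fire; the signal is an approved session from an unknown remote ID followed by bulk outbound transfer. The following is an added example, not part of the original report: the event schema, field names, allowlist, hosts and thresholds are all assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in a hypothetical normalized schema
# (not AnyDesk's native log format); IDs and hosts are made up.
EVENTS = [
    {"ts": "2024-08-01T09:00:00", "host": "ws-01", "type": "session_accepted", "remote_id": "100000001"},
    {"ts": "2024-08-01T09:05:00", "host": "ws-01", "type": "file_transfer_out", "source": "local", "bytes": 2_000_000},
    {"ts": "2024-08-02T14:00:00", "host": "ws-07", "type": "session_accepted", "remote_id": "999999999"},
    {"ts": "2024-08-02T14:06:00", "host": "ws-07", "type": "file_transfer_out", "source": "onedrive", "bytes": 900_000_000},
    {"ts": "2024-08-02T14:40:00", "host": "ws-07", "type": "file_transfer_out", "source": "network_share", "bytes": 3_000_000_000},
    {"ts": "2024-08-02T15:10:00", "host": "ws-07", "type": "file_transfer_out", "source": "local", "bytes": 400_000_000},
    {"ts": "2024-08-03T10:00:00", "host": "ws-09", "type": "session_accepted", "remote_id": "888888888"},
    {"ts": "2024-08-03T10:02:00", "host": "ws-09", "type": "file_transfer_out", "source": "local", "bytes": 50_000},
]
APPROVED_REMOTE_IDS = {"100000001"}  # assumed allowlist of helpdesk IDs


def find_suspect_sessions(events, approved_ids, window=timedelta(hours=4),
                          min_bytes=500 * 1024 * 1024):
    """Flag sessions from unapproved IDs followed by bulk outbound transfers."""
    events = sorted(events, key=lambda e: e["ts"])  # ISO timestamps sort lexically
    findings = []
    for s in events:
        if s["type"] != "session_accepted" or s["remote_id"] in approved_ids:
            continue
        start = datetime.fromisoformat(s["ts"])
        per_source = defaultdict(int)
        # Sum outbound transfer volume on the same host inside the window,
        # split by where the data came from (OneDrive, share, local disk).
        for e in events:
            if e["type"] != "file_transfer_out" or e["host"] != s["host"]:
                continue
            if start <= datetime.fromisoformat(e["ts"]) <= start + window:
                per_source[e["source"]] += e["bytes"]
        total = sum(per_source.values())
        if total >= min_bytes:
            findings.append({"host": s["host"], "remote_id": s["remote_id"],
                             "total_bytes": total, "sources": sorted(per_source)})
    return findings


if __name__ == "__main__":
    for finding in find_suspect_sessions(EVENTS, APPROVED_REMOTE_IDS):
        print(finding)
```

The allowlist does the heavy lifting: a session from an approved ID is never scored, and an unapproved session with only a small transfer stays below the volume threshold.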