Mad Liberator extortion crew emerges on the cyber-crook scene

A new extortion gang called Mad Liberator uses social engineering and the remote-access tool Anydesk to steal organizations' data and then demand a ransom payment, according to Sophos X-Ops.

The incident response team observed the cyber crime crew first emerged in mid-July. And while Sophos X-Ops calls it a ransomware group, it has not seen any data encryption linked to Mad Liberator – just data exfiltration.

However, the threat hunters point to watchguard.com's info, which indicates the group does use encryption to lock victims' files. It also uses double-extortion tactics: first stealing data, then encrypting the systems and threatening to leak the stolen files unless the victim pays up.

Mad Liberator also operates a leak site to name and shame victims, and claims that stolen information can be downloaded for free.

Mad Liberator targets victims using remote access tools like Anydesk – because it's a legitimate application used by many IT desks to manage remote devices, unsuspecting employees are more likely to click "accept" when they get a request from someone who wants to access their device.

It's worth noting that Anydesk does provide guidance on how administrators can implement policies to allow only connections from specific devices, plus other security measures, to help prevent this type of attack.

Anydesk allows remote access by assigning a unique 10-digit address to every device upon which it is installed. The user can then request access to a remote device via this 10-digit ID, or can invite someone else to take control of their device via a remote session.

"We don't know at this point how, or if, the attacker targets a particular Anydesk ID," noted Sophos IR leads Paul Jacobs and Lee Kirkpatrick in research published on Wednesday.

While, theoretically, the attackers could cycle through 10 billion 10-digit IDs, this isn't very practical. Plus, there was no indication of previous contact between the attacker and victim, nor was the victim a "prominent or publicly visible member of staff."

Six ransomware gangs behind over 50% of 2024 attacks Feds bust minor league Radar/Dispossessor ransomware gang Russian cyber snoops linked to massive credential-stealing campaign Sneaky SnakeKeylogger slithers into Windows inboxes to steal sensitive secrets

In one particular case, Sophos noted the victim knew that their company's IT department used Anydesk, and therefore assumed the connection request was legit. So when they saw the pop-up asking them to authorize the connection and thus allow someone else access to their device, they assumed it was IT and clicked "accept."

After gaining access to the device, the extortionist deployed and executed a binary titled "Microsoft Windows Update" that mimics a Windows update screen. Here's the the SHA256 hash:

F4b9207ab2ea98774819892f11b412cb63f4e7fb4008ca9f9a59abc2440056fe

Sophos has developed a detection [Troj/FakeUpd-K] for this binary.

After gaining control of the victim's machine, the criminal then accessed a OneDrive account linked to the device, plus files located on a central server that were accessible via a mapped network share.

The digital crook used the Anydesk FileTransfer facility to steal files and Advanced IP Scanner to check for additional devices to compromise. Apparently none of those looked too interesting, because they didn't jump over to additional devices.

After stealing the files, the Mad Liberator crew ran another program with the ransom note, providing details on how to pay to prevent disclosure of the files.

"The attack lasted almost four hours, at the conclusion of which the attacker terminated the fake update screen and ended the Anydesk session, giving control of the device back to the victim," Jacobs and Kirkpatrick wrote.

"We did note that the binary was manually triggered by the attacker; with no scheduled task or automation in place to execute it again once the threat actor was gone, the file simply remained on the affected system," they added.

Mad Liberator's emergence comes just as ransomware groups overall are looking to have a banner year in 2024 – despite recent law enforcement disruptions.

In a half-year ransomware review published by Palo Alto Networks' Unit 42, the threat intel team monitored 53 ransomware groups' underworld websites and totaled their victim counts over the first six months of 2024. Unit 42 counted 1,762 posts on these leak sites – a 4.3 percent year-over-year increase from 2023. ®