There’s a new ransomware gang on the block, and it’s exploiting the human element


A new threat actor dubbed "Mad Liberator” appeared in mid-July and is already stirring trouble for companies. According to researchers, the ransomware gang relies on social engineering tactics and sometimes doesn’t even bother to encrypt the data after it’s been stolen.

The Sophos X-Ops Incident Response team has discovered and investigated a new threat actor. Mad Liberator appears to target users of Anydesk, a popular remote-access application.

So far, Mad Liberator has focused on data exfiltration, and the Sophos security team hasn’t observed any incidents of data encryption. However, data from the security platform WatchGuard suggests that the threat actor uses encryption occasionally and employs double extortion tactics.


At least eight known victims have already been reported, all from different sectors and countries.

Mad Liberator has created a leak site where it publishes victim details to pressure them into paying. The data is allegedly posted “for free” when the victims don’t pay to decrypt.

One mysterious aspect of this threat actor is how it gains initial ground.


According to the Sophos X-Ops report, Mad Liberator uses “social engineering techniques to obtain environment access, targeting victims who use remote access tools installed on endpoints and servers.”

However, researchers don’t know how the attackers choose particular targets. They theorize that the attackers may simply cycle through potential IDs until someone accepts a connection request. Anydesk allocates each installation a unique ten-digit ID, so there are 10 billion potential combinations.

“In an instance that the Incident Response team investigated, we found no indications of any contact between the Mad Liberator attacker and the victim prior to the victim receiving an unsolicited Anydesk connection request,” researchers said.

“The attack did not involve any additional social engineering efforts by the attacker – no email contact, no phishing attempts, and so forth.”


In the observed case, the connection request came from someone with the username “User.” However, on Anydesk, attackers can choose any moniker, such as “Tech Support.”

In the analyzed incident, the victim assumed that the incoming request was coming from an IT department and clicked “Accept.”

Once inside, the attacker transferred a malicious file titled “Microsoft Windows Update” and executed it. The victim saw an animated screen mimicking the Windows Update screen. The attacker was unable to deliver the malicious package as the malware was detected by the endpoint detection and response solution.

The attacker then continued by disabling input from the user’s keyboard and mouse, accessing the OneDrive account, and transferring company files. The attacker also left numerous ransom notes in multiple locations on a shared network. The notes included threats of reputational and regulatory damage and of further attacks.

“The fake Windows Update screen shielded the attacker’s actions from being seen on the victim’s screen. The attack lasted almost four hours, at the conclusion of which the attacker terminated the fake update screen and ended the Anydesk session, giving control of the device back to the victim,” the researchers described.

They suggest administrators configure the Anydesk Access Control List so that only connections from specific, known devices are allowed.
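As an added example (not code from the Sophos report or from AnyDesk), the following Python script audits an AnyDesk `system.conf`-style key=value file for that Access Control List, showing the weak setting beside the hardened one. The key names `ad.security.acl_enabled` and `ad.security.acl_list`, the comma separator, and both sample files are assumptions constructed for this example.

```python
"""Audit an AnyDesk-style key=value config for an incoming-connection allowlist.
Key names, separator and both sample configs below are ASSUMED/constructed for
this example; check them against the vendor documentation before relying on them."""

ACL_ENABLED_KEY = "ad.security.acl_enabled"   # assumed key name
ACL_LIST_KEY = "ad.security.acl_list"         # assumed key name, comma-separated IDs

# Constructed sample: weak configuration, any AnyDesk ID may send a session request.
WEAK_CONF = """\
ad.anynet.id=1234567890
ad.security.acl_enabled=false
"""

# Constructed sample: hardened configuration, only two helpdesk IDs may connect.
HARDENED_CONF = """\
ad.anynet.id=1234567890
ad.security.acl_enabled=true
ad.security.acl_list=1112223334,5556667778
"""

def parse_conf(text):
    """Parse key=value lines, ignoring blanks, comments and malformed lines."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf

def audit_acl(text):
    """Return (acl_enabled, allowed_ids, findings) for one config text."""
    conf = parse_conf(text)
    enabled = conf.get(ACL_ENABLED_KEY, "false").lower() == "true"
    ids = [i.strip() for i in conf.get(ACL_LIST_KEY, "").split(",") if i.strip()]
    findings = []
    if not enabled:
        findings.append("ACL disabled: any AnyDesk ID can send a connection request")
    elif not ids:
        findings.append("ACL enabled but empty: no device is allowlisted")
    for i in ids:  # the article describes IDs as ten-digit numbers
        if not (i.isdigit() and len(i) == 10):
            findings.append(f"suspicious ACL entry {i!r}: not a ten-digit numeric ID")
    return enabled, ids, findings

def is_allowed(conf_text, requester_id):
    """Would a request from requester_id reach the user under this config?"""
    enabled, ids, _ = audit_acl(conf_text)
    return (not enabled) or requester_id in ids
```

With the ACL disabled, an unsolicited request from an unknown ID reaches the user's "Accept" prompt; with it enabled and populated, the same request is rejected before anyone can click.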

It's unclear at this point whether Mad Liberator will prove to be a significant ransomware gang or is just a “flash in the pan.”
