A newly tracked ransomware group called Mad Liberator is targeting AnyDesk users by using fake Windows update screens to mask its data theft. The group's activity began in July, and while there are no reports of data encryption, they claim to use AES/RSA algorithms to lock files.
Attack method
The attack begins when Mad Liberator establishes an unauthorized connection to a computer using the AnyDesk application, which is commonly used by IT teams to manage corporate systems. It is unclear how the group selects its targets, but it is possible that they try random AnyDesk connection IDs until one is accepted.
Sophisticated diversion tactics
Once the connection is established, the group uploads a binary file called “Microsoft Windows Update” to the system, displaying a fake update screen to distract the victim. While the victim is distracted, Mad Liberator uses AnyDesk’s File Transfer tool to steal data from OneDrive accounts, network shares, and local storage. The group also disables the victim’s keyboard to avoid interruption during the data theft process.
Blackmail and threats
Mad Liberator leaves ransom notes on network directories to ensure victims notice. The group states on its darknet site that it will contact compromised companies, offering to help fix the security issue and restore the encrypted files if the ransom demand is met. If victims do not respond within 24 hours, their names will be published on the ransom portal. Five days after the ultimatum is given, if no payment is made, all stolen files will be posted publicly. Mad Liberator's website currently lists nine victims.
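A defender-side hunt for the fake-update lure described above, written as an added example that is not part of the original report. The process-event schema, field names and sample events are constructed for illustration (hypothetical), not any vendor's real telemetry format.

```python
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """Constructed, simplified process-creation record (hypothetical schema)."""
    host: str
    image: str       # image file name as launched
    path: str        # full on-disk path of the image
    signed_by: str   # Authenticode publisher, "" if unsigned


# The lure name reported in the article; a genuine update component is never
# launched under this name from a user-writable location.
LURE_NAMES = {"microsoft windows update", "microsoft windows update.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\servicing\\")


def lure_indicators(ev: ProcEvent) -> list[str]:
    """Reasons this event matches the fake Windows Update lure; empty if none."""
    if ev.image.lower().strip() not in LURE_NAMES:
        return []  # the name impersonation is the anchor; nothing else counts alone
    reasons = ["image name impersonates Windows Update"]
    if not ev.path.lower().startswith(SYSTEM_DIRS):
        reasons.append("runs from outside a Windows system directory")
    if ev.signed_by != "Microsoft Windows":
        reasons.append("not signed by Microsoft")
    return reasons


def hunt(events: list[ProcEvent]) -> list[tuple[str, list[str]]]:
    """Return (host, reasons) for every event that matches the lure."""
    hits = []
    for ev in events:
        reasons = lure_indicators(ev)
        if reasons:
            hits.append((ev.host, reasons))
    return hits


# Constructed sample events: one lure dropped into a user profile, one real
# Windows Update client, one unrelated unsigned tool.
SAMPLE_EVENTS = [
    ProcEvent("ws-17", "Microsoft Windows Update.exe",
              "c:\\users\\alice\\downloads\\Microsoft Windows Update.exe", ""),
    ProcEvent("ws-17", "wuauclt.exe", "c:\\windows\\system32\\wuauclt.exe",
              "Microsoft Windows"),
    ProcEvent("ws-22", "notes.exe", "c:\\users\\bob\\notes.exe", ""),
]
```

Running `hunt(SAMPLE_EVENTS)` flags only the ws-17 lure, with all three reasons attached.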
Credit: whitehat.vn