New ‘Mad Liberator’ Ransomware Gang Targets AnyDesk Users via Fake Windows Updates 

Published on August 19, 2024
Written by:
Lore Apostol
Lore Apostol
Cybersecurity & Streaming Writer

A July-activated ransomware group named Mad Liberator is targeting the companies that use remote control service AnyDesk, the latest Sophos report says. The attackers run a fake screen pretending to install Microsoft Windows updates to distract the victims while exfiltrating their data in the background.

Mad Liberator initiates an unsolicited connection to a computer using AnyDesk, which is widely used by enterprise IT teams, probably by trying potential AnyDesk connection IDs.

When unsuspecting workers accept, the attacker transfers a binary to the victim’s device, named “Microsoft Windows Update” in the analyzed sample, then manually executes it, displaying a splash screen mimicking an animated Windows Update screen and disabling the keyboard and mouse.

Mad Liberator Website Group
Image Source: Sophos

The threat actor used the AnyDesk File Transfer tool to exfiltrate information from the OneDrive account linked to the device and central server-stored files accessible via a mapped network share.

The attacker then used an Advanced IP Scanner for lateral movement, searching for other exploitable devices within the same subnet. 

Malicious AnyDesk Call
Image Source: Sophos

The gang’s leak site, which currently lists nine victims, mentions using AES/RSA encryption algorithms, but the security researchers did not see any incidents related to locking files. 

However, several ransom notes were left on the shared network directories for maximum visibility, which say that not paying the ransom in 7 days would result in an alleged publication of the stolen files on the group’s leak site.

In recent news, security researchers found vulnerabilities in ransomware gangs’ leak sites. Six victims of extortion groups such as Everest, Mallox, and BlackCat were exempt from paying the ransom, as the simple flaws include coding errors and security bugs.



For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: