Security News

New ‘Mad Liberator’ Ransomware Gang Targets AnyDesk Users via Fake Windows Updates 

Written by Lore Apostol
Published on August 19, 2024

A ransomware group named Mad Liberator, active since July, is targeting companies that use the remote-control service AnyDesk, according to the latest Sophos report. The attackers display a fake screen pretending to install Microsoft Windows updates to distract victims while exfiltrating their data in the background.

Mad Liberator initiates an unsolicited connection to a computer through AnyDesk, which is widely used by enterprise IT teams, probably by trying likely AnyDesk connection IDs.

When an unsuspecting worker accepts the connection request, the attacker transfers a binary to the victim’s device, named “Microsoft Windows Update” in the analyzed sample, and manually executes it. The binary displays a splash screen mimicking the animated Windows Update screen and disables the keyboard and mouse.

[Image: Mad Liberator website. Image Source: Sophos]

The threat actor used the AnyDesk File Transfer tool to exfiltrate information from the OneDrive account linked to the device, as well as files stored on a central server and reachable through a mapped network share.

The attacker then used Advanced IP Scanner for lateral movement, searching for other exploitable devices within the same subnet.
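The chain described above (an AnyDesk session spawning a binary named “Microsoft Windows Update”, followed shortly by a network scanner on the same host) is the kind of sequence endpoint telemetry can catch. The following is an added detection sketch written for this article, not code from Sophos or from the article’s author. The process-creation log format, hostnames, user names and file paths are all constructed for the example; real telemetry (EDR or Sysmon process-creation events) would need its own parser, but the correlation logic is the same.

```python
"""Detection sketch: correlate a Windows-Update lure launched from a remote
access tool with a follow-up network scanner on the same host.

The tab-separated event format below is constructed for this example and is
not a real AnyDesk, Sysmon or EDR log format."""
import ntpath
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List


@dataclass
class ProcEvent:
    ts: datetime
    host: str
    user: str
    parent_image: str
    image: str


# Constructed sample telemetry: time, host, user, parent image, image.
# Hostnames, users and paths are hypothetical.
SAMPLE_LOG = """\
2024-07-15T09:02:11\tWS-0142\tCORP\\jdoe\tC:\\Windows\\explorer.exe\tC:\\Program Files (x86)\\AnyDesk\\AnyDesk.exe
2024-07-15T09:04:53\tWS-0142\tCORP\\jdoe\tC:\\Program Files (x86)\\AnyDesk\\AnyDesk.exe\tC:\\Users\\jdoe\\Downloads\\Microsoft Windows Update.exe
2024-07-15T09:31:07\tWS-0142\tCORP\\jdoe\tC:\\Windows\\explorer.exe\tC:\\Users\\jdoe\\Downloads\\Advanced_IP_Scanner_2.5.exe
2024-07-15T10:15:40\tWS-0077\tCORP\\asmith\tC:\\Windows\\System32\\svchost.exe\tC:\\Windows\\System32\\wuauclt.exe
2024-07-16T14:00:02\tWS-0203\tCORP\\bwong\tC:\\Windows\\explorer.exe\tC:\\Users\\bwong\\Downloads\\Advanced_IP_Scanner_2.5.exe
"""

# Tuning knobs: remote-access parents, lure name tokens, recon tool tokens.
REMOTE_ACCESS_TOOLS = {"anydesk.exe"}
UPDATE_LURE_TOKENS = ("windows update",)
RECON_TOOL_TOKENS = ("advanced_ip_scanner", "advanced ip scanner")
# Genuine Windows Update components (wuauclt.exe, usoclient.exe) live here.
TRUSTED_PREFIX = "c:\\windows\\"


def parse_log(text: str) -> List[ProcEvent]:
    """Parse the constructed tab-separated format into ProcEvent records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, user, parent, image = line.split("\t")
        events.append(ProcEvent(datetime.fromisoformat(ts), host, user, parent, image))
    return events


def _basename(path: str) -> str:
    # ntpath handles backslash paths regardless of the analysis host's OS.
    return ntpath.basename(path).lower()


def is_update_lure(ev: ProcEvent) -> bool:
    """A binary whose name claims to be Windows Update but runs outside C:\\Windows."""
    name = _basename(ev.image)
    outside_windows = not ev.image.lower().startswith(TRUSTED_PREFIX)
    return any(tok in name for tok in UPDATE_LURE_TOKENS) and outside_windows


def is_remote_session_child(ev: ProcEvent) -> bool:
    """The process was spawned by a remote-access tool such as AnyDesk."""
    return _basename(ev.parent_image) in REMOTE_ACCESS_TOOLS


def is_recon_tool(ev: ProcEvent) -> bool:
    return any(tok in _basename(ev.image) for tok in RECON_TOOL_TOKENS)


def detect(events: List[ProcEvent], window: timedelta = timedelta(hours=2)) -> List[Dict]:
    """Alert on every lure launched from a remote session; escalate to 'high'
    when a network scanner runs on the same host within `window` afterwards."""
    alerts = []
    lures = [e for e in events if is_remote_session_child(e) and is_update_lure(e)]
    for lure in lures:
        followups = [
            e for e in events
            if e.host == lure.host and is_recon_tool(e)
            and lure.ts <= e.ts <= lure.ts + window
        ]
        alerts.append({
            "host": lure.host,
            "user": lure.user,
            "ts": lure.ts.isoformat(),
            "lure": lure.image,
            "severity": "high" if followups else "medium",
            "recon_followup": [e.image for e in followups],
        })
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_log(SAMPLE_LOG)):
        print(alert)
```

Run as-is, the sketch raises one high-severity alert for host WS-0142: the lure was spawned by AnyDesk.exe from a user profile directory and Advanced IP Scanner ran on the same host within the window. The genuine wuauclt.exe under C:\Windows on WS-0077 is ignored, and the lone scanner on WS-0203 produces no alert because nothing ties it to a remote session; whether a standalone scanner should be a low-severity finding on its own is a tuning decision for the environment.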

[Image: Malicious AnyDesk call. Image Source: Sophos]

The gang’s leak site, which currently lists nine victims, mentions the use of AES/RSA encryption algorithms, but the security researchers did not observe any file encryption in the incidents they analyzed.

However, several ransom notes were left on the shared network directories for maximum visibility. They state that if the ransom is not paid within 7 days, the stolen files will allegedly be published on the group’s leak site.

In related news, security researchers recently found vulnerabilities in ransomware gangs’ leak sites. Six victims of extortion groups such as Everest, Mallox, and BlackCat avoided paying the ransom thanks to simple flaws in those sites, including coding errors and security bugs.
