This crafty ransomware uses an unusual social-engineering tactic to gain access to victim systems

News
By published

Randomly dialing into Anydesk instances is now a thing?

Lock on Laptop Screen
(Image credit: Shutterstock.com) (Image credit: Future)

Cybersecurity researchers from the Sophos X-Ops Incident Response team have observed hackers deploying an unusual social engineering tactic to gain access to victim systems and steal sensitive data.

The team outlined how a new ransomware player called Mad Liberator emerged in mid-July 2024, mostly focused on data exfiltration (rather than system encryption), but also sometimes engaged in double extortion (encryption + data theft). It also has a data leak website where it threatens to publish the stolen data unless the victims pay up.

What sets Mad Liberator apart from other threat actors is their initial access vector. Usually, hacking groups would trick their way inside, usually with phishing email or instant messaging services. In this case, however, they seem to have “guessed” the unique Anydesk identifier.

Abusing legitimate software

Anydesk is a legitimate remote desktop application used by thousands of businesses worldwide. Each device where Anydesk is installed gets a unique identifier, a 10-digit number, which other endpoints can “dial” and thus gain access to. Oddly enough, the attackers one day just dialed into one of the computers belonging to the victim organization, seemingly with absolutely no prior interaction. The computer that was targeted also does not belong to any high-profile employee or manager.

The victim just assumed the IT department was doing regular maintenance so they accepted the dial-in, no questions asked.

This gave the attackers unabated access, which they used to deploy a binary that, on the surface, looks like a Windows update. They also disabled keyboard input from the victim’s side, to make sure they don’t spot the ruse by accidentally pressing the Esc button and minimizing the running program.

After a few hours, the crooks managed to pull sensitive data from the device, connected cloud services, and scanned for other connected devices they might pivot to.

Once again, “assume nothing, suspect everything” proves to be the proper mindset to remain secure in the workplace.

More from TechRadar Pro

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

Read more
A concept image of someone typing on a computer. A red flashing danger sign is above the keyboard and nymbers and symbols also in glowing red surround it.
Microsoft Teams and other Windows tools hijacked to hack corporate networks
ransomware avast
Hackers spotted using unsecured webcam to launch cyberattack
Computer Hacked, System Error, Virus, Cyber attack, Malware Concept. Danger Symbol
Interlock ransomware attacks highlight need for greater security standards on critical infrastructure
Concept art representing cybersecurity principles
How to combat exfiltration-based extortion attacks
Shutterstock.com / kanlaya wanon
Microsoft Teams abused in Russian email bombing ransomware campaign
A group of 7 hackers, 6 slightly blurred in the background and one in the foreground, all wearing black with hoods pulled up over their heads. You cannot see their faces. The hacker in the foreground sits with an open laptop in front of them. The background, behind the hackers, is a Chinese flag
China government-linked hackers caught running a seriously dangerous ransomware scam
Latest in Security
Microsoft
"Another pair of eyes" - Microsoft launches all-new Security Copilot Agents to give security teams the upper hand
Lock on Laptop Screen
Medusa ransomware is able to disable anti-malware tools, so be on your guard
An abstract image of digital security.
Fake file converters are stealing info, pushing ransomware, FBI warns
Insecure network with several red platforms connected through glowing data lines and a black hat hacker symbol
Coinbase targeted after recent Github attacks
hacker.jpeg
Key trusted Microsoft platform exploited to enable malware, experts warn
IBM office logo
IBM to provide platform for flagship cyber skills programme for girls
Latest in News
Nikon Z5
The Nikon Z5 II could land soon – here's what to expect from Nikon's rumored entry-level full-frame camera
Google Pixel Watch 3
Google Pixel Watches hit with delayed notifications, crashing, and performance issues following Wear OS 5.1 update
Zendesk Relate 2025
Zendesk Relate 2025 - everything you need to know as the event unfolds
Disney Plus logo with popcorn
You can finally tell Disney+ to stop bugging you about that terrible Marvel show you regret starting
Google Gemini AI
Gemini can now see your screen and judge your tabs
Girl wearing Meta Quest 3 headset interacting with a jungle playset
Latest Meta Quest 3 software beta teases a major design overhaul and VR screen sharing – and I need these updates now
More about security
An abstract image of digital security.

Fake file converters are stealing info, pushing ransomware, FBI warns
Microsoft

"Another pair of eyes" - Microsoft launches all-new Security Copilot Agents to give security teams the upper hand
Nikon Z5

The Nikon Z5 II could land soon – here's what to expect from Nikon's rumored entry-level full-frame camera
See more latest
Most Popular
Nikon Z5
The Nikon Z5 II could land soon – here's what to expect from Nikon's rumored entry-level full-frame camera
Google Pixel Watch 3
Google Pixel Watches hit with delayed notifications, crashing, and performance issues following Wear OS 5.1 update
Frank Castle pinning Matt Murdock against a locker in Daredevil: Born Again episode 4
What time is Daredevil: Born Again episode 5 going to be released on Disney+?
AMD Ryzen 9950X
I analyzed 25 AMD Zen 4 and Zen 5 CPUs and the Ryzen 9 9900X is the best of them all right now: Here’s why
Ugreen \00d7 Genshin Impact Kinich Collectible Gift Box and exclusive Genshin Impact merchandise.
Ugreen reveals exclusive Genshin Impact collection and they're some of the most eye-catching charging products I've ever used
Zendesk Relate 2025
Zendesk Relate 2025 - everything you need to know as the event unfolds
Google Gemini AI
Gemini can now see your screen and judge your tabs
iFi iDSD Valkyrie in gold, on a beige desk
iFi's iDSD Valkyrie DAC wants to guide your music to the great hall of Valhalla
The Samsung Galaxy S25 Edge on display the January 22, 2025 Galaxy Unpacked event.
A fresh Samsung Galaxy S25 Edge leak hints at a 2K display and a titanium frame
Philips Hue
Philips Hue might be working on a video doorbell, and according to a new report, we just got our first look at it