This crafty ransomware uses an unusual social-engineering tactic to gain access to victim systems

Lock on Laptop Screen
(Image credit: Shutterstock.com) (Image credit: Future)

Cybersecurity researchers from the Sophos X-Ops Incident Response team have observed hackers deploying an unusual social engineering tactic to gain access to victim systems and steal sensitive data.

The team outlined how a new ransomware player called Mad Liberator emerged in mid-July 2024, mostly focused on data exfiltration (rather than system encryption), but also sometimes engaged in double extortion (encryption + data theft). It also has a data leak website where it threatens to publish the stolen data unless the victims pay up.

What sets Mad Liberator apart from other threat actors is their initial access vector. Usually, hacking groups would trick their way inside, usually with phishing email or instant messaging services. In this case, however, they seem to have “guessed” the unique Anydesk identifier.

Abusing legitimate software

Anydesk is a legitimate remote desktop application used by thousands of businesses worldwide. Each device where Anydesk is installed gets a unique identifier, a 10-digit number, which other endpoints can “dial” and thus gain access to. Oddly enough, the attackers one day just dialed into one of the computers belonging to the victim organization, seemingly with absolutely no prior interaction. The computer that was targeted also does not belong to any high-profile employee or manager.

The victim just assumed the IT department was doing regular maintenance so they accepted the dial-in, no questions asked.

This gave the attackers unabated access, which they used to deploy a binary that, on the surface, looks like a Windows update. They also disabled keyboard input from the victim’s side, to make sure they don’t spot the ruse by accidentally pressing the Esc button and minimizing the running program.

After a few hours, the crooks managed to pull sensitive data from the device, connected cloud services, and scanned for other connected devices they might pivot to.

Once again, “assume nothing, suspect everything” proves to be the proper mindset to remain secure in the workplace.

More from TechRadar Pro

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.