Friend
Professional
- Messages
- 2,669
- Reaction score
- 943
- Points
- 113
The new group changes the usual paradigm of ransomware.
In July, a new group of ransomware, Mad Liberator, appeared in cyberspace, using the Anydesk program and social engineering techniques to break into companies ' systems, steal data and demand ransom. Sophos revealed the group's attack methods using the example of one incident under investigation.
Unlike most ransomware, Mad Liberator does not encrypt files, but focuses on information theft and threats of leaks. Mad Liberator also maintains a website where it publishes stolen data if the ransom has not been paid.
To break into systems, Mad Liberator uses Anydesk, which is often used in companies for remote computer management. Victims, unaware of the danger, accept connection requests, assuming that the request comes from the organization's IT department. After gaining access to the device, attackers start a fake Windows update process.
While the user watches the fake update, hackers gain access to OneDrive storage and files on the company's server. Using the FileTransfer function in Anydesk, attackers download confidential data, and also use the Advanced IP Scanner tool to try to examine other devices on the network. In this case, the ransomware did not find any valuable systems for itself, and was limited only to the main computer. After the theft is completed, hackers leave a ransom note on the device.
The attack lasted almost 4 hours, after which the attackers completed the fake update and disabled the Anydesk session, returning control of the device to the victim. Interestingly, the malware was launched manually, without an automatic restart. In other words, the malware remained inactive on the victim's system after the attack was completed.
Source
In July, a new group of ransomware, Mad Liberator, appeared in cyberspace, using the Anydesk program and social engineering techniques to break into companies ' systems, steal data and demand ransom. Sophos revealed the group's attack methods using the example of one incident under investigation.
Unlike most ransomware, Mad Liberator does not encrypt files, but focuses on information theft and threats of leaks. Mad Liberator also maintains a website where it publishes stolen data if the ransom has not been paid.
To break into systems, Mad Liberator uses Anydesk, which is often used in companies for remote computer management. Victims, unaware of the danger, accept connection requests, assuming that the request comes from the organization's IT department. After gaining access to the device, attackers start a fake Windows update process.
While the user watches the fake update, hackers gain access to OneDrive storage and files on the company's server. Using the FileTransfer function in Anydesk, attackers download confidential data, and also use the Advanced IP Scanner tool to try to examine other devices on the network. In this case, the ransomware did not find any valuable systems for itself, and was limited only to the main computer. After the theft is completed, hackers leave a ransom note on the device.
The attack lasted almost 4 hours, after which the attackers completed the fake update and disabled the Anydesk session, returning control of the device to the victim. Interestingly, the malware was launched manually, without an automatic restart. In other words, the malware remained inactive on the victim's system after the attack was completed.
Source
