Sophos, a global leader of innovative security solutions for defeating cyberattacks, today shares details of a new ransomware group called Mad Liberator in a post entitled “Don’t Get Mad, Get Wise.” Having first emerged in July 2024, the group uses an unusual social-engineering tactic to gain access to the victim’s environment.

Based on a recent Sophos X-Ops incident response investigation, Mad Liberator targets victims using remote access tools, such as Anydesk, installed on endpoints and servers, to request access and take control of the device.

What’s unusual about this approach is that Sophos X-Ops researchers found no indication of contact between the attacker and victim prior to the victim receiving an unsolicited Anydesk connection desk.

Once the attacker sends an Anydesk connection request:

• Victims receive a pop-up asking them to authorize the connection. For users whose organizations leverage Anydesk, this might not seem unusual
• After a connection is established, the attacker transfers a binary to the victim’s device. This file displays a screen mimicking a Windows Update; meanwhile, the attacker disables input from the user’s keyboard and mouse, rendering them unaware of (and unable to stop) the activity the attacker is performing in the background
• The attacker then accesses the victim’s OneDrive account and uses the Anydesk FileTransfer facility to steal and exfiltrate company files, before scanning for other devices on the same subnet that could be exploited
• While the victim is unaware of this background operation, the attacker shares numerous ransom notes announcing the data has been stolen and how to pay the ransom to prevent disclosure of the stolen files

“We have seen ransomware groups come and go, and this may be the same for Mad Liberator but this new mode of exploitation of remote-access tools is proof of a wider trend in the ransomware industry. Based on the attacks we investigated last year, external remote services are the number-one initial access technique because adversaries rely on the victim believing that the behavior is part of day-to-day activity. As we saw with ScreenConnect, IT remote access tools are a powerful tool in the hands of attackers,” said Christopher Budd, director of threat research, Sophos.

“Mad Liberator is an unusual example. Outside of the remote access request, attackers had no known contact with the victims – no email or phishing attempts – showing just how important it is to communicate remote access protocol to staff and ensure they receive regular, up-to-date training. Administrators should also consider implementing Access Control Lists, to prevent attackers from being able to access unauthorized systems or resources,” he continued.