The Mad Liberator ransomware operation, which emerged last month, has quickly gained attention due to its effective use of social engineering techniques and the remote access tool AnyDesk.
This article explores how Mad Liberator conducts its attacks and the lessons learned from a detailed analysis by Sophos X-Ops, written by threat researchers Paul Jacobs and Lee Kirkpatrick, which offers practical advice for organizations to defend against similar threats.
Attack Methodology
In one documented case, the attackers used AnyDesk, a legitimate remote desktop software, to gain unauthorized access to an organization’s system. The attack began when the victim approved an AnyDesk connection request, believing it to be part of routine IT activities:
- Once the connection was established, Mad Liberator executed a binary designed to emulate a Windows update screen.
- This allowed the attackers to maintain control over the device while they accessed and exfiltrated sensitive data.
- The attackers targeted a linked OneDrive account and centralized server files, using AnyDesk’s FileTransfer facility to steal the data.
- To broaden their reach, they also employed Advanced IP Scanner to identify other devices within the network that could be compromised.
The attack, which lasted nearly four hours, concluded with the attackers relinquishing control of the device back to the victim.
Sophos X-Ops researchers noted that the binary used in the attack was manually triggered, meaning there was no automation in place to re-execute the file once the attackers left the system. As a result, the malicious file remained on the affected system, but it posed no further immediate threat.
Lessons Learned and Mitigations
The Mad Liberator incident underscores the importance of robust security practices and vigilant user training. Here are key lessons and recommended mitigations based on the Sophos analysis:
1. Importance of User Training: The success of the Mad Liberator attack hinged on the victim’s approval of the AnyDesk connection request. This highlights the need for ongoing, up-to-date staff training to ensure that employees recognize and respond appropriately to potential security threats. Organizations should establish and communicate clear policies regarding how IT departments will contact staff and arrange remote sessions. Employees should be trained to verify any unexpected remote access requests, especially those that seem routine.
2. Implement Access Controls: Beyond user education, technical defenses are critical. Administrators should implement AnyDesk Access Control Lists (ACLs) to restrict connections to only specific, trusted devices. This measure can significantly reduce the risk of unauthorized access. AnyDesk provides valuable guidance on how to configure these security features, which can be found on their support page and security blog:
• The Ultimate Guide to AnyDesk’s Security Features
3. Balance Security with Usability: The Mad Liberator case serves as a reminder of the delicate balance between security and usability, particularly when deploying tools that facilitate remote access. It’s crucial to review and adhere to the security recommendations provided by software vendors. If an organization decides to deviate from these recommendations, it should document the decision within its risk management process. This approach ensures that any potential risks are continually assessed, and additional mitigations can be implemented as needed to keep risks within acceptable levels.
Conclusion
Ransomware groups like Mad Liberator represent a constant threat to organizations, and their tactics are continually evolving. While Mad Liberator’s use of social engineering and AnyDesk is noteworthy, it is not unique. Attackers will persist in developing new methods to exploit both human and technical vulnerabilities.