data extortion

Tech Optimizer
November 2, 2025
Cybercriminals are deploying deceptive ads for Microsoft Teams that lead users to malicious software downloads, including ransomware like Rhysida’s OysterLoader. These ads appear prominently in search results and redirect users to counterfeit websites. The malware, often disguised as the legitimate Teams application and signed with counterfeit certificates, can evade antivirus detection and compromise systems. Microsoft has revoked over 200 compromised certificates to disrupt these campaigns and issued warnings about downloading software from unverified sources. These attacks increasingly target collaboration tools, particularly amid the remote work trend, with hackers exploiting platforms like Teams for espionage and credential theft. Experts recommend navigating directly to official websites and implementing strong endpoint protection to combat these threats.
Winsage
August 21, 2024
A new data extortion group called Mad Liberator is targeting AnyDesk users by using a counterfeit Microsoft Windows update screen to exfiltrate data from compromised devices. This operation began in July and has attracted attention from cybersecurity experts due to its unique distraction tactic. The attack starts with an unsolicited connection request to a computer using AnyDesk, after which attackers deploy a binary file disguised as a Windows Update. This ruse diverts the victim's attention while data is siphoned from OneDrive accounts, network shares, and local storage. During the process, the victim's keyboard is rendered inactive, allowing uninterrupted data exfiltration that typically lasts around four hours. Mad Liberator does not encrypt data post-exfiltration but leaves ransom notes in shared network directories. There is no evidence of prior interaction or phishing attempts against the targets before the connection request. The group claims to offer assistance in fixing security vulnerabilities and recovering files in exchange for ransom. If a victim does not respond within 24 hours, their name is published on the extortion portal, and if there is no payment within seven days, stolen files are made public. Currently, nine victims are listed on their website.