This crafty ransomware uses an unusual social-engineering tactic to gain access to victim systems

Randomly dialing into Anydesk instances is now a thing?

When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.

Cybersecurity researchers from the Sophos X-Ops Incident Response team have observed hackers deploying an unusual social engineering tactic to gain access to victim systems and steal sensitive data.

The team outlined how a newransomwareplayer called Mad Liberator emerged in mid-July 2024, mostly focused on data exfiltration (rather than system encryption), but also sometimes engaged in double extortion (encryption + data theft). It also has a data leak website where it threatens to publish the stolen data unless the victims pay up.

What sets Mad Liberator apart from other threat actors is their initial access vector. Usually, hacking groups would trick their way inside, usually with phishing email or instant messaging services. In this case, however, they seem to have “guessed” the unique Anydesk identifier.

Abusing legitimate software

Anydesk is a legitimateremote desktop applicationused by thousands of businesses worldwide. Each device where Anydesk is installed gets a unique identifier, a 10-digit number, which other endpoints can “dial” and thus gain access to. Oddly enough, the attackers one day just dialed into one of the computers belonging to the victim organization, seemingly with absolutely no prior interaction. The computer that was targeted also does not belong to any high-profile employee or manager.

The victim just assumed the IT department was doing regular maintenance so they accepted the dial-in, no questions asked.

This gave the attackers unabated access, which they used to deploy a binary that, on the surface, looks like a Windows update. They also disabled keyboard input from the victim’s side, to make sure they don’t spot the ruse by accidentally pressing the Esc button and minimizing the running program.

After a few hours, the crooks managed to pull sensitive data from the device, connected cloud services, and scanned for other connected devices they might pivot to.

Are you a pro? Subscribe to our newsletter

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

Once again, “assume nothing, suspect everything” proves to be the proper mindset to remain secure in the workplace.

More from TechRadar Pro

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

A critical Palo Alto Networks bug is being hit by cyberattacks, so patch now

3 reasons why PIA fell in our best VPN rankings

I’ve covered Black Friday for eight years and these are the deals I’d buy from the early sales