Skip to content
Ransomware group

Mad Liberator

Mad Liberator is a ransomware and extortion threat actor that emerged in mid-2024.

Profile source: Mallory opens in a new tab

Mad Liberator

Family profile

Mad Liberator is a ransomware and extortion threat actor that emerged in mid-2024. The group has been associated with opportunistic intrusions that rely heavily on abuse of legitimate remote access software, particularly AnyDesk, to obtain interactive access to victim systems while blending into normal administrative activity. Reporting indicates that the actor has primarily emphasized data theft and coercive extortion, including operation of a leak site used to pressure victims by threatening publication of stolen information. Some reporting has also linked the group to encryption and double-extortion activity, although data exfiltration appears to be the most consistently observed element.

A notable Mad Liberator tradecraft pattern involves social engineering users into accepting unsolicited remote-support sessions by making the activity appear to be routine IT maintenance. In observed operations, the actor used AnyDesk features to transfer tools, disable local keyboard and mouse input, and exfiltrate files directly through built-in file transfer functionality. The group has also used a fake Windows update-themed decoy program to occupy the victim visually while theft activity proceeds in the background. Post-access activity has included collection of files from cloud-synced storage and mapped network shares, limited internal reconnaissance using common network scanning utilities, and deployment of ransom notes on accessible shared resources.

Mad Liberator has also been identified among ransomware actors observed exploiting or abusing remote monitoring and management tooling for access and control. The group’s operational style suggests preference for low-friction intrusion methods that exploit user trust, legitimate administration channels, and native or widely deployed remote-management capabilities rather than noisy malware-heavy initial access chains. Known aliases include mad_liberator and mad_liberator_ransomware_group.

Ransomware.live

Operational record

View group record ↗

We appreciate you

Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.