LeakNet, a ransomware group, has started using ClickFix, a social engineering method that uses hacked websites to get into systems. ReliaQuest said in a technical report published today that ClickFix is a new way to get initial access.
It tricks users into running harmful commands to fix fake errors, which differs from more usual ways of getting initial access, such as stolen credentials obtained from initial access brokers (IABs). The second notable aspect of these attacks is their use of a staged command-and-control (C2) loader built on the Deno JavaScript runtime to run harmful payloads directly in memory. "The most important thing to remember is that both entry paths always lead to the same repeatable post-exploitation sequence," the cybersecurity company said.
"That gives defenders something real to work with: behaviors they can see and stop at each stage, long before ransomware is used, no matter how LeakNet got in." LeakNet first appeared in November 2024, calling itself a "digital watchdog" and saying that its main goals were to promote internet freedom and openness. "LeakNet uses S3 buckets for staging and exfiltration, taking advantage of the fact that it looks like normal cloud traffic to make it harder to find."
Google has said that Qilin (also known as Agenda), Akira (also known as RedBike), Cl0p, Play, SafePay, INC Ransom, Lynx, RansomHub, DragonForce (also known as FireFlame and FuryStorm), and Sinobi are the top 10 ransomware brands with the most victims on their data leak sites.
Google Threat Intelligence Group (GTIG) said that in a third of the incidents, the initial access vector was confirmed or suspected exploitation of vulnerabilities, most often in common VPNs and firewalls. They also said that 77% of the analyzed ransomware intrusions included suspected data theft, up from 57% in 2024. "Even though there are still problems with actors fighting and disrupting things, ransomware actors are still very motivated, and the extortion ecosystem is still strong.
However, there are signs that the overall profitability of these operations is going down, and at least some threat actors are changing their focus from big companies to smaller ones, where they can attack more often."












