LeakNet is a ransomware group that has been quietly developing a more dangerous attack chain. This article examines LeakNet ransomware. The group used to claim about three victims a month, but new evidence shows that it is growing quickly and adding new tools that most security products fail to catch.

LeakNet has added two notable new components: ClickFix, a social engineering technique, and a stealthy, memory-resident loader that runs on the Deno JavaScript runtime. ClickFix is not a new technique, but LeakNet's adoption of it marks a significant change in how the group finds its victims. LeakNet no longer buys stolen access credentials from initial access brokers (IABs) on underground markets. Instead, it plants fake verification pages on compromised but otherwise legitimate websites.

The Deno-based loader connects to attacker-controlled infrastructure to fetch a second-stage payload tailored to the victim. It prevents duplicate instances by binding to a local port, then enters a loop that fetches and executes further code in memory. Because LeakNet's command-and-control domains are usually only a few weeks old, organizations should block newly registered domains to reduce their exposure.

Group Policy Objects (GPOs) should prevent regular users from running Win+R (Run dialog) commands on their workstations and restrict PsExec to authorized administrators. Security teams should watch for jli.dll sideloading in the C:\ProgramData\USOShared directory, unusual PsExec activity, and unexpected outbound connections to S3 buckets. The best way to break the chain before ransomware deployment is to isolate a compromised host as soon as post-exploitation behavior is confirmed.
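As an added illustration (not code from the original article), the following Python check applies the three indicators above to constructed Sysmon-style events, flagging jli.dll loaded from anywhere outside a Java install root rather than only from C:\ProgramData\USOShared; the Java roots, the PsExec user allow-list and the S3 client allow-list are assumptions each environment would tune.

```python
import re
from pathlib import PureWindowsPath

# Constructed Sysmon-style events (EventID 7 = image load, 1 = process create,
# 3 = network connection). These are sample records, not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\ProgramData\USOShared\javaw.exe",
     "ImageLoaded": r"C:\ProgramData\USOShared\jli.dll"},
    {"EventID": 7, "Image": r"C:\Program Files\Java\jre-17\bin\javaw.exe",
     "ImageLoaded": r"C:\Program Files\Java\jre-17\bin\jli.dll"},
    {"EventID": 1, "Image": r"C:\Windows\PSEXESVC.exe", "User": "CORP\\jdoe"},
    {"EventID": 1, "Image": r"C:\Tools\PsExec64.exe", "User": "CORP\\it-admin"},
    {"EventID": 3, "Image": r"C:\ProgramData\USOShared\javaw.exe",
     "DestinationHostname": "loader-bucket.s3.us-east-1.amazonaws.com"},
    {"EventID": 3, "Image": r"C:\Program Files\BackupAgent\agent.exe",
     "DestinationHostname": "backups.s3.amazonaws.com"},
]

# Assumed, site-specific allow-lists: where jli.dll (the Java launcher DLL from
# a JRE/JDK bin directory) legitimately lives, who may run PsExec, and which
# processes are expected to talk to S3. Tune these for your environment.
JAVA_ROOTS = (r"C:\Program Files\Java", r"C:\Program Files (x86)\Java")
PSEXEC_NAMES = {"psexec.exe", "psexec64.exe", "psexesvc.exe"}
ALLOWED_PSEXEC_USERS = {"corp\\it-admin"}
ALLOWED_S3_CLIENTS = {r"c:\program files\backupagent\agent.exe"}
S3_HOST = re.compile(r"(^|\.)s3([.-][a-z0-9-]+)?\.amazonaws\.com$", re.I)


def _under(path, roots):
    """Case-insensitive check that a Windows path lies below one of the roots."""
    p = path.lower()
    return any(p.startswith(r.lower() + "\\") for r in roots)


def evaluate(events):
    """Return (rule, image) for every event matching one of the three checks."""
    hits = []
    for e in events:
        image = e.get("Image", "")
        if e["EventID"] == 7:
            loaded = e["ImageLoaded"]
            if PureWindowsPath(loaded).name.lower() == "jli.dll" and not _under(loaded, JAVA_ROOTS):
                hits.append(("jli.dll sideload", image))
        elif e["EventID"] == 1:
            if PureWindowsPath(image).name.lower() in PSEXEC_NAMES \
                    and e.get("User", "").lower() not in ALLOWED_PSEXEC_USERS:
                hits.append(("unauthorized PsExec", image))
        elif e["EventID"] == 3:
            if S3_HOST.search(e["DestinationHostname"]) and image.lower() not in ALLOWED_S3_CLIENTS:
                hits.append(("unexpected S3 egress", image))
    return hits


if __name__ == "__main__":
    for rule, image in evaluate(SAMPLE_EVENTS):
        print(f"[{rule}] {image}")
```

Running the block prints one line per hit; the legitimate Java load, the admin PsExec run and the backup agent's S3 traffic are not reported.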