
Casting a Wider Net: Scaling Threat

Medium
Published: Wed Mar 18 2026 (03/18/2026, 10:53:13 UTC)
Source: AlienVault OTX General

Description

LeakNet, a ransomware operator, has expanded its initial access methods by utilizing ClickFix lures on compromised websites and implementing a new Deno-based, in-memory loader. The group has shifted from relying on initial access brokers to running its own campaigns. LeakNet's post-exploitation playbook remains consistent, involving jli.dll side-loading, PsExec-based lateral movement, and S3 bucket payload staging. The Deno loader executes base64-encoded payloads in memory, making detection challenging for traditional security tools. Defenders are advised to focus on behavioral signals and implement measures such as blocking newly registered domains, restricting Win-R access, and limiting PsExec usage to authorized administrators.

AI-Powered Analysis

Last updated: 03/18/2026, 11:27:48 UTC

Technical Analysis

LeakNet, a ransomware group, has evolved its intrusion tactics by expanding initial access vectors and enhancing payload delivery mechanisms. Previously dependent on initial access brokers, LeakNet now runs its own campaigns, increasing operational control and scale. The group uses ClickFix lures hosted on compromised websites to socially engineer victims into initiating infection. A key technical advancement is the deployment of a Deno-based in-memory loader that executes base64-encoded payloads directly in memory, bypassing disk-based detection and complicating traditional signature-based defenses. Post-compromise, LeakNet employs jli.dll side-loading, a technique where a legitimate Windows utility is tricked into loading a malicious DLL, facilitating stealthy code execution. For lateral movement, the group leverages PsExec, a legitimate Windows tool, to propagate within networks. Payloads are staged on Amazon S3 buckets, enabling flexible and resilient command and control infrastructure. The campaign’s indicators include a set of suspicious IP addresses and domains associated with the infrastructure. The combination of social engineering, in-memory execution, side-loading, and legitimate tool abuse reflects a sophisticated and evasive ransomware operation. Defenders are challenged by the stealthy nature of the Deno loader and the use of legitimate administrative tools, necessitating a focus on behavioral detection and strict access controls.

Potential Impact

Organizations worldwide face increased risk of ransomware infection that can lead to data encryption, operational disruption, and potential data exfiltration. The use of in-memory execution and side-loading techniques reduces the likelihood of detection by traditional antivirus and endpoint detection systems, increasing dwell time and potential damage. Lateral movement via PsExec allows attackers to spread rapidly across networks, potentially compromising multiple systems and critical infrastructure. Staging payloads on cloud storage like S3 buckets enhances the attackers’ resilience and complicates takedown efforts. The shift from initial access brokers to self-run campaigns indicates LeakNet’s growing capabilities and potential for more frequent and widespread attacks. Industries with high-value data or critical operations, such as healthcare, finance, and manufacturing, are particularly vulnerable. The campaign’s reliance on social engineering and compromised websites means organizations with less mature security awareness programs and web defenses are at greater risk. Overall, the threat can cause significant financial loss, reputational damage, and operational downtime.

Mitigation Recommendations

1. Implement advanced behavioral monitoring to detect anomalous in-memory execution and side-loading activities, focusing on processes like jli.dll and Deno runtime usage.
2. Block or closely monitor access to newly registered domains and suspicious IP addresses linked to the campaign.
3. Restrict and audit the use of PsExec and other administrative tools, limiting execution to authorized administrators only.
4. Disable or tightly control Windows Remote Management (Win-R) access to reduce lateral movement opportunities.
5. Employ network segmentation to contain potential lateral movement within internal networks.
6. Harden web infrastructure to prevent compromise and monitor for unauthorized changes or malicious lures like ClickFix.
7. Use endpoint detection and response (EDR) solutions capable of detecting in-memory payload execution and DLL side-loading techniques.
8. Conduct regular user awareness training emphasizing the risks of social engineering and suspicious links.
9. Monitor cloud storage access patterns, especially for S3 buckets, to detect unusual payload staging or data exfiltration activities.
10. Maintain up-to-date backups and test recovery procedures to mitigate ransomware impact.
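The behavioral controls in recommendations 1 to 3 translate directly into endpoint and DNS telemetry checks. The following is an added example written for this record, not code from ReliaQuest, AlienVault or the OTX pulse. It triages constructed events whose field names loosely follow Sysmon process-create, image-load and DNS-query records; the trusted Java install directories, the list of accounts permitted to run PsExec, the host names and the sample command lines are all assumptions chosen for the demonstration. The IoC domains are taken from the Indicators of Compromise section of this record.

```python
"""Behavioral triage of constructed Windows telemetry against the LeakNet
post-exploitation signals described in this record: Deno launched with an
inline base64 payload, jli.dll loaded from an untrusted directory, PsExec run
by a non-authorized account, and DNS lookups of listed IoC domains.
Added example; not vendor or project code. All events below are constructed."""
import re

# Domains listed in the Indicators of Compromise section of this record.
IOC_DOMAINS = {
    "apiclofront.com", "cnoocim.com", "crahdhduf.com", "delhedghogeggs.com",
    "mshealthmetrics.com", "neremedysoft.com", "okobojirent.com",
    "sendtokenscf.com", "serialmenot.com", "verify-safeguard.top",
    "windowallclean.com", "tools.usersway.net",
}
# Assumption: directories where a legitimate jli.dll lives in this environment.
TRUSTED_JLI_DIRS = ("c:\\program files\\java\\", "c:\\program files (x86)\\java\\")
# Assumption: the only accounts permitted to run PsExec (compared lowercase).
PSEXEC_ALLOWED_USERS = {"corp\\svc-deploy", "corp\\it-admin"}
PSEXEC_IMAGES = {"psexec.exe", "psexec64.exe", "psexesvc.exe"}
# A run of 40+ base64 characters in a command line: crude, but cheap and useful.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
EVAL_WORD = re.compile(r"\beval\b", re.IGNORECASE)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_process(ev: dict) -> list[str]:
    """Process-create event (Sysmon 1 style): Image, CommandLine, User."""
    image, cmd = basename(ev["Image"]), ev.get("CommandLine", "")
    findings = []
    # Deno loader: runtime invoked with inline code or a long base64 blob.
    if image == "deno.exe" and (EVAL_WORD.search(cmd) or B64_RUN.search(cmd)):
        findings.append("deno_inline_payload")
    # PsExec restricted to authorized administrators (recommendation 3).
    if image in PSEXEC_IMAGES and ev.get("User", "").lower() not in PSEXEC_ALLOWED_USERS:
        findings.append("psexec_unauthorized_user")
    return findings


def check_image_load(ev: dict) -> list[str]:
    """Image-load event (Sysmon 7 style): flags jli.dll outside trusted dirs."""
    loaded = ev["ImageLoaded"].lower()
    if basename(loaded) == "jli.dll" and not loaded.startswith(TRUSTED_JLI_DIRS):
        return ["jli_dll_untrusted_path"]
    return []


def check_dns(ev: dict) -> list[str]:
    """DNS-query event (Sysmon 22 style): exact or subdomain match on IoC list."""
    q = ev["QueryName"].lower().rstrip(".")
    if q in IOC_DOMAINS or any(q.endswith("." + d) for d in IOC_DOMAINS):
        return ["ioc_domain_lookup"]
    return []


HANDLERS = {1: check_process, 7: check_image_load, 22: check_dns}


def triage(events: list[dict]) -> list[tuple[str, str]]:
    """Return (host, finding) pairs in event order for every matched rule."""
    alerts = []
    for ev in events:
        for tag in HANDLERS.get(ev["EventID"], lambda e: [])(ev):
            alerts.append((ev["Host"], tag))
    return alerts


# Constructed sample events: WS01 shows the full chain, the others are benign.
SAMPLE_EVENTS = [
    {"EventID": 1, "Host": "WS01", "User": "CORP\\alice",
     "Image": "C:\\Users\\alice\\AppData\\Local\\deno\\deno.exe",
     "CommandLine": "deno.exe eval " + "QUFB" * 12},          # constructed blob
    {"EventID": 1, "Host": "WS02", "User": "CORP\\bob",
     "Image": "C:\\Program Files\\deno\\deno.exe",
     "CommandLine": "deno.exe run --allow-net app.ts"},       # normal dev use
    {"EventID": 7, "Host": "WS01",
     "ImageLoaded": "C:\\Users\\Public\\Libraries\\jli.dll"},
    {"EventID": 7, "Host": "WS03",
     "ImageLoaded": "C:\\Program Files\\Java\\jre-17\\bin\\jli.dll"},
    {"EventID": 1, "Host": "WS01", "User": "CORP\\alice",
     "Image": "C:\\Temp\\PsExec64.exe", "CommandLine": "PsExec64.exe \\\\WS05 hostname"},
    {"EventID": 1, "Host": "SRV01", "User": "CORP\\it-admin",
     "Image": "C:\\Tools\\PsExec.exe", "CommandLine": "PsExec.exe \\\\WS05 hostname"},
    {"EventID": 22, "Host": "WS01", "QueryName": "verify-safeguard.top"},
    {"EventID": 22, "Host": "WS02", "QueryName": "www.example.com"},
]

if __name__ == "__main__":
    for host, finding in triage(SAMPLE_EVENTS):
        print(f"{host}: {finding}")
```

The four rules are deliberately independent so each can be tuned on its own: the Deno rule keys on the runtime plus an inline-code indicator rather than on the presence of deno.exe alone, since developers legitimately run it, and the jli.dll rule is a path allowlist, so it must be populated from an inventory of where Java actually lives in the environment before it is trusted to alert.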


Technical Details

Author: AlienVault
TLP: white
References: https://reliaquest.com/blog/threat-spotlight-casting-a-wider-net-clickfix-deno-and-leaknets-scaling-threat
Adversary: LeakNet
Pulse Id: 69ba8419321e1d3c9be7c4cc
Threat Score: null

Indicators of Compromise

IP addresses

- 144.31.2.161
- 144.31.224.98
- 144.31.54.243
- 194.31.223.42
- 87.121.79.25

Domains

- apiclofront.com
- cnoocim.com
- crahdhduf.com
- delhedghogeggs.com
- mshealthmetrics.com
- neremedysoft.com
- okobojirent.com
- sendtokenscf.com
- serialmenot.com
- verify-safeguard.top
- windowallclean.com
- tools.usersway.net

Threat ID: 69ba88a2771bdb17497e4f69

Added to database: 3/18/2026, 11:12:34 AM

Last enriched: 3/18/2026, 11:27:48 AM

Last updated: 3/19/2026, 3:39:34 AM
