LeakNet ransomware: what you need to know
2026-3-20 10:18:8 Author: www.fortra.com (view original)

What Is LeakNet?

LeakNet is a ransomware operation that has been active since late 2024, encrypting, exfiltrating, and (if a ransom is not paid) leaking the data of compromised organisations.

Unlike some of the larger ransomware-as-a-service (RaaS) groups, LeakNet does not appear to run a traditional affiliate programme with a wide network of partners. Instead, it appears to be a more tightly-run operation that has historically sourced its initial access through criminal marketplaces.

So, What Makes LeakNet Different?

The first thing that makes LeakNet different is how it presents itself. On its dark web leak site it purports to be "a digital watchdog operating at the intersection of cybersecurity, internet freedom, and investigative journalism," claiming to "delve into the hidden corners of the web, exposing truths and uncovering stories that are often buried by mainstream media or distorted by corporate interests." 

All of which sounds very noble, but it does not disguise the fact that the site's latest "news" is actually a list of hacked companies, with download links to the files that have been stolen from them.

Huh. What Else Is Notable about LeakNet?

Perhaps the most significant recent development is that LeakNet is using ClickFix attacks rather than relying upon purchased login credentials from initial access brokers (IABs) to gain access to systems.

Hang On. ClickFix Attacks?

It's a social engineering trick where users are tricked into copying and running malicious commands (often via deployment of fake CAPTCHA pages or error messages).

In such attacks, a fake prompt will often instruct the user on how to "fix" a problem themselves by following a set of steps, which can involve opening the Windows Run dialog (Win+R) or PowerShell, pasting in a command that the page has already pre-loaded onto their clipboard, and pressing Enter.

The user thinks that they are fixing a technical issue. In reality, they are executing a malicious command themselves, which means that they, not the malware, initiated the action.
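One defensive consequence of this: because the user pastes the command into the Run dialog, Windows records it in the Run history. The following PowerShell hunt script is an added example (not from the Fortra article or ReliaQuest's research) that reads that history and flags entries matching a constructed, heuristic keyword list; it assumes the standard RunMRU registry location and that you run it as the user who visited the page.

```powershell
# Added example: hunt for ClickFix residue in the Windows Run dialog history.
# The Run dialog (Win+R) records each command it executes under RunMRU, so a
# pasted ClickFix payload usually leaves a trace there after the tab is closed.
$runMruPath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU'

# Constructed heuristic list: strings common in ClickFix one-liners but rare in
# a normal user's Run history. Tune for your environment to reduce noise.
$suspicious = @('powershell', 'pwsh', 'mshta', 'cmd /c', 'curl ', 'iwr ', 'irm ',
                'invoke-webrequest', 'invoke-expression', 'iex', '-enc', '-w hidden',
                'bitsadmin', 'certutil', 'http')

function Get-RunMruEntries {
    param([string]$Path = $runMruPath)
    if (-not (Test-Path $Path)) { return @() }
    $key = Get-ItemProperty -Path $Path
    # MRUList holds the value names (single letters), most recent first.
    $order = if ($key.MRUList) { $key.MRUList.ToCharArray() | ForEach-Object { "$_" } } else { @() }
    foreach ($name in $order) {
        $raw = $key.$name
        if ($null -eq $raw) { continue }
        # Each entry is stored as "<command>\1"; strip the trailing marker.
        [PSCustomObject]@{ Slot = $name; Command = ($raw -replace '\\1$', '') }
    }
}

function Find-SuspiciousRunEntries {
    param([object[]]$Entries)
    foreach ($e in $Entries) {
        # -match is case-insensitive; escape keywords so '-enc' etc. are literal.
        $hits = $suspicious | Where-Object { $e.Command -match [regex]::Escape($_) }
        if ($hits) {
            [PSCustomObject]@{ Slot = $e.Slot; Command = $e.Command; Matched = ($hits -join ',') }
        }
    }
}

$entries = @(Get-RunMruEntries)
$flagged = @(Find-SuspiciousRunEntries -Entries $entries)
if ($flagged.Count -gt 0) {
    Write-Warning "Possible ClickFix execution in Run history for $env:USERNAME"
    $flagged | Format-Table -AutoSize
} else {
    Write-Host "No suspicious Run dialog entries found ($($entries.Count) checked)."
}
```

A hit here only shows that a command was typed into the Run dialog; corroborate it with process-creation logs (explorer.exe spawning powershell.exe or mshta.exe around the same time) before treating it as confirmed execution.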

Very Sneaky.

Isn't it just? For example, this month researchers at ReliaQuest described how a fake Cloudflare CAPTCHA page was being used by LeakNet in just this way.

The researchers believe that LeakNet has significantly upgraded its capabilities, and is threatening to launch more attacks and adopt new tactics.

Who Has Fallen Victim to LeakNet?

According to online reports, the LeakNet ransomware group claims to have stolen customer data from Dominican Republic financial institution Banco Vimenca and Mauritius-based financial services provider SWAN General, amongst others.

And Do Companies Hit by LeakNet Pay the Ransom?

The truth is that we simply cannot say for certain. The LeakNet group negotiates privately, and there are no publicly confirmed instances of ransom payments being made to the group.

As ever, law enforcement agencies recommend that compromised organisations do not pay their extortionists, as doing so helps to fuel further criminal attacks; but it must be recognised that many businesses will consider payment the "least worst" option if they are unable to recover their operations via any other route.

So, Who Is behind LeakNet? What Do We Know about Them?

The simple truth is that it has not been possible to definitively pinpoint those responsible, whether they be a specific nation state or a criminal group.

What does appear to be the case is that the group tends to target organisations due to a financial motivation rather than an apparent geopolitical agenda.

Furthermore, confirmed direct links between LeakNet and other ransomware groups have not been publicly established at this time.

What Should My Company Do to Protect Itself from Ransomware Attacks Like LeakNet?

Organisations that feel they could be at risk from LeakNet and other ransomware attacks would be wise to follow Fortra's general advice for defending against ransomware, which includes enforcing multi-factor authentication, running up-to-date security solutions, and keeping software patches current.

In addition, it is a good idea to take the following steps:

  • Block newly-registered domains at your perimeter (LeakNet's command-and-control servers are typically just a few weeks old)
  • Make secure off-site backups
  • Use hard-to-crack, unique passwords to protect sensitive data and accounts
  • Encrypt sensitive data wherever possible
  • Reduce the attack surface by disabling functionality that your users may not need (such as PsExec, which LeakNet uses to move laterally)
  • Educate and inform staff about the risks and methods used by cybercriminals to launch attacks and steal data

Editor’s Note: The opinions expressed in this and other guest author articles are solely those of the contributor and do not necessarily reflect those of Fortra.


Article source: https://www.fortra.com/blog/leaknet-ransomware-what-you-need-know