[Image: Screenshot of a system infected with DeadLock ransomware]
A new ransomware family is turning the decentralized dream of blockchain into a cybersecurity nightmare. Analysts at Group-IB have uncovered DeadLock, a ransomware strain discovered in July 2025 that distinguishes itself not by its volume of victims, but by its innovative abuse of Polygon smart contracts to manage its command-and-control (C2) infrastructure.
While DeadLock currently maintains a “low profile,” its tactics represent a sophisticated evolution in cybercrime, mirroring techniques used by nation-state actors.
Typically, ransomware groups rely on static servers or domain generation algorithms to maintain contact with infected machines. DeadLock, however, has gone decentralized. The group uses smart contracts on the Polygon network to store and rotate the addresses of its proxy servers.
“Group-IB specialists have discovered an interesting use of Polygon smart contracts for proxy server address rotation or distribution,” the report states.
By writing the proxy URL into the contract through a setProxy function, the attackers get a communication channel that no hosting provider can pull down: the contract persists on a public chain, and the address it stores can be updated at will, which makes it difficult for law enforcement to take down. The report warns that “this finding warrants public attention, especially since the abuse of this specific blockchain for malicious purposes has not been widely reported”.
This technique echoes the “EtherHiding” methods previously observed with North Korean threat actors, suggesting that “the abuse of smart contracts for malicious purposes could become an emerging trend”.
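The mechanism above is simple to reproduce on the analyst's side: a transaction that calls setProxy carries the 4-byte selector of the function followed by an ABI-encoded string, so decoding every call to the contract yields the full rotation history of proxy addresses, which is exactly what a defender wants for blocklists and timeline reconstruction. The following is an added example, not code from Group-IB's report or from DeadLock; it assumes the function signature is exactly `setProxy(string)` (the report only names the function), and the transactions it processes are constructed sample data, not real on-chain records. Keccak-256 is implemented inline because `hashlib.sha3_256` uses NIST padding and gives a different digest from Ethereum's Keccak.

```python
"""Decode setProxy(string) calls to recover a contract-hosted proxy rotation history.

Added example, not Group-IB's or DeadLock's code. Assumptions: the function
signature is setProxy(string); SAMPLE_TXS below is constructed, not real data.
"""
from typing import List, Optional, Tuple

MASK = (1 << 64) - 1
RC = [  # Keccak-f[1600] round constants
    0x0000000000000001, 0x0000000000008082, 0x800000000000808A, 0x8000000080008000,
    0x000000000000808B, 0x0000000080000001, 0x8000000080008081, 0x8000000000008009,
    0x000000000000008A, 0x0000000000000088, 0x0000000080008009, 0x000000008000000A,
    0x000000008000808B, 0x800000000000008B, 0x8000000000008089, 0x8000000000008003,
    0x8000000000008002, 0x8000000000000080, 0x000000000000800A, 0x800000008000000A,
    0x8000000080008081, 0x8000000000008080, 0x0000000080000001, 0x8000000080008008,
]
ROT = [[0, 36, 3, 41, 18], [1, 44, 10, 45, 2], [62, 6, 43, 15, 61],
       [28, 55, 25, 21, 56], [27, 20, 39, 8, 14]]  # rho offsets, ROT[x][y]


def _rol(v: int, n: int) -> int:
    return ((v << n) | (v >> (64 - n))) & MASK


def _keccak_f(s: List[int]) -> List[int]:
    """Keccak-f[1600] on 25 lanes, lane (x, y) stored at index x + 5*y."""
    for rc in RC:
        c = [s[x] ^ s[x + 5] ^ s[x + 10] ^ s[x + 15] ^ s[x + 20] for x in range(5)]
        d = [c[(x - 1) % 5] ^ _rol(c[(x + 1) % 5], 1) for x in range(5)]
        s = [s[i] ^ d[i % 5] for i in range(25)]                             # theta
        b = [0] * 25
        for x in range(5):
            for y in range(5):
                b[y + 5 * ((2 * x + 3 * y) % 5)] = _rol(s[x + 5 * y], ROT[x][y])  # rho, pi
        s = [(b[i] ^ (~b[(i + 1) % 5 + 5 * (i // 5)] & b[(i + 2) % 5 + 5 * (i // 5)])) & MASK
             for i in range(25)]                                             # chi
        s[0] ^= rc                                                           # iota
    return s


def keccak256(data: bytes) -> bytes:
    """Ethereum-style Keccak-256: rate 136 bytes, 0x01 padding suffix (not SHA3's 0x06)."""
    rate = 136
    padded = bytearray(data) + b"\x01"
    padded += b"\x00" * ((rate - len(padded) % rate) % rate)
    padded[-1] |= 0x80
    s = [0] * 25
    for off in range(0, len(padded), rate):
        for i in range(rate // 8):
            s[i] ^= int.from_bytes(padded[off + 8 * i: off + 8 * i + 8], "little")
        s = _keccak_f(s)
    return b"".join(s[i].to_bytes(8, "little") for i in range(4))


def selector(signature: str) -> bytes:
    """Solidity function selector: first four bytes of keccak256 of the signature."""
    return keccak256(signature.encode())[:4]


SET_PROXY = selector("setProxy(string)")  # assumed signature, see lead-in


def encode_set_proxy(url: str) -> bytes:
    """Build calldata for setProxy(string); only used here to construct sample transactions."""
    data = url.encode()
    head = (32).to_bytes(32, "big")            # offset of the dynamic string argument
    length = len(data).to_bytes(32, "big")
    body = data + b"\x00" * ((32 - len(data) % 32) % 32)  # right-padded to 32-byte words
    return SET_PROXY + head + length + body


def decode_set_proxy(calldata: bytes) -> Optional[str]:
    """Return the URL argument of a setProxy(string) call, or None for any other input."""
    if len(calldata) < 4 + 64 or calldata[:4] != SET_PROXY:
        return None
    args = calldata[4:]
    offset = int.from_bytes(args[:32], "big")
    if offset + 32 > len(args):
        return None                            # malformed: offset points past the data
    length = int.from_bytes(args[offset:offset + 32], "big")
    raw = args[offset + 32: offset + 32 + length]
    if len(raw) != length:
        return None                            # malformed: string truncated
    return raw.decode("utf-8", errors="replace")


def proxy_history(txs: List[Tuple[int, str]]) -> List[Tuple[int, str]]:
    """From (block_number, input_hex) pairs, list every proxy rotation in chain order."""
    history = []
    for block, input_hex in sorted(txs):
        url = decode_set_proxy(bytes.fromhex(input_hex.removeprefix("0x")))
        if url is not None:
            history.append((block, url))
    return history


# Constructed sample: three transactions to the same contract; the middle one is a read, not a rotation.
SAMPLE_TXS = [
    (70000010, "0x" + encode_set_proxy("http://203.0.113.10:8080").hex()),
    (70000500, "0x" + selector("owner()").hex()),
    (70000900, "0x" + encode_set_proxy("https://proxy-gate.example.net/v2/beacon").hex()),
]

if __name__ == "__main__":
    for block, url in proxy_history(SAMPLE_TXS):
        print(f"block {block}: proxy rotated to {url}")
```

In practice the `(block, input)` pairs come from an RPC node or block explorer export filtered on the contract address; because the history lives on a public chain, a defender can poll it on the same schedule the operator rotates it and feed every decoded URL straight into egress blocklists.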
DeadLock operates without a traditional Data Leak Site (DLS), leading to lower visibility. However, its aggression has visibly escalated over time. Early ransom notes from June 2025 focused solely on encryption. By August, the notes had evolved to include explicit threats of data theft and exposure.
“In the last observed sample… the ransom note has been significantly expanded to include veiled threats of exposure for stolen data as well as other ‘value added services’ such as an incident report,” analysts noted.
Victims are corralled into using Session, a decentralized messenger, to negotiate. The ransomware even drops a custom HTML file that acts as a “wrapper” for Session, facilitating direct, encrypted communication between the victim and the extortionist.
Technically, DeadLock relies on a mix of custom malware and legitimate administrative tools to seize control. The report highlights the use of a PowerShell script designed to ruthlessly prepare the environment for encryption.
“The main purpose of the PowerShell script is to stop services that are not whitelisted,” ensuring that security software and backup processes cannot interfere with the encryption. Notably, the legitimate remote desktop tool AnyDesk is explicitly whitelisted, suggesting it is the group’s “main remote monitoring and management tool”.
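A whitelist-driven service sweep like the one described leaves a distinctive trace in the Windows System log: a burst of Service Control Manager 7036 "entered the stopped state" events for many unrelated services within seconds, with the operator's RMM tool conspicuously absent from the list. The following detection is an added example, not code from the report; the sample events, the service names in the watchlist and the AnyDesk service name it checks for are constructed or assumed, not taken from Group-IB's analysis.

```python
"""Flag a burst of service stops (SCM event 7036) consistent with a pre-encryption sweep.

Added example, not Group-IB's or DeadLock's code. Assumptions: events are System-log
7036 records with the message "The <name> service entered the stopped state";
SAMPLE_EVENTS, WATCHLIST and the AnyDesk service name are constructed/illustrative.
"""
import re
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

STOP_RE = re.compile(r"^The (?P<svc>.+?) service entered the stopped state\.?$")
WINDOW = timedelta(seconds=60)   # how close together the stops must be
MIN_DISTINCT = 5                 # distinct services stopped inside one window
WATCHLIST = ("EDR", "Backup", "SQL", "Shadow Copy")   # constructed substrings of interest
RMM_SPARED = ("AnyDesk",)        # the report says the script leaves AnyDesk running (name assumed)


def parse_stops(events: List[Dict]) -> List[Tuple[datetime, str]]:
    """Extract (time, service name) for every 7036 'stopped' record, oldest first."""
    stops = []
    for ev in events:
        if ev["id"] != 7036:
            continue
        m = STOP_RE.match(ev["message"])
        if m:
            stops.append((datetime.fromisoformat(ev["time"]), m.group("svc")))
    return sorted(stops)


def detect_mass_stop(events: List[Dict]) -> List[Dict]:
    """One alert per non-overlapping burst of >= MIN_DISTINCT services stopped within WINDOW."""
    stops = parse_stops(events)
    alerts, i = [], 0
    while i < len(stops):
        t0 = stops[i][0]
        burst = [(t, s) for t, s in stops[i:] if t - t0 <= WINDOW]
        names = {s for _, s in burst}
        if len(names) >= MIN_DISTINCT:
            alerts.append({
                "start": t0.isoformat(),
                "end": burst[-1][0].isoformat(),
                "stopped": len(names),
                "watchlist_hits": sorted(n for n in names
                                         if any(w.lower() in n.lower() for w in WATCHLIST)),
                # True when the RMM tool was left untouched while everything else went down
                "rmm_spared": not any(r.lower() in n.lower() for n in names for r in RMM_SPARED),
            })
            i += len(burst)      # skip past this burst so it is reported once
        else:
            i += 1
    return alerts


def _ev(time: str, event_id: int, message: str) -> Dict:
    return {"time": time, "id": event_id, "message": message}


# Constructed sample log: routine noise first, then a seven-service sweep in twenty seconds.
SAMPLE_EVENTS = [
    _ev("2025-08-01T09:00:00", 7036, "The Print Spooler service entered the stopped state."),
    _ev("2025-08-01T09:00:05", 7036, "The Print Spooler service entered the running state."),
    _ev("2025-08-01T09:30:00", 7040, "The start type of the Windows Update service was changed."),
    _ev("2025-08-01T10:15:00", 7036, "The Contoso EDR Agent service entered the stopped state."),
    _ev("2025-08-01T10:15:02", 7036, "The Nightly Backup Service service entered the stopped state."),
    _ev("2025-08-01T10:15:05", 7036, "The SQL Server (MSSQLSERVER) service entered the stopped state."),
    _ev("2025-08-01T10:15:08", 7036, "The Volume Shadow Copy service entered the stopped state."),
    _ev("2025-08-01T10:15:11", 7036, "The Print Spooler service entered the stopped state."),
    _ev("2025-08-01T10:15:14", 7036, "The Windows Update service entered the stopped state."),
    _ev("2025-08-01T10:15:20", 7036, "The Remote Registry service entered the stopped state."),
    _ev("2025-08-01T10:15:25", 7036, "The AnyDesk Service service entered the running state."),
]

if __name__ == "__main__":
    for alert in detect_mass_stop(SAMPLE_EVENTS):
        print(alert)
```

The threshold and window are tuning knobs: patch windows and reboots also stop many services, but they rarely take down backup, database and endpoint agents together in one sweep while a remote-access tool keeps running, which is why the alert records both the watchlist hits and the spared RMM tool rather than just a count.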
While DeadLock may not yet be a household name like LockBit or Cl0p, its methods signal a dangerous shift. “Although it’s low profile and yet low impact, it applies innovative methods that showcases an evolving skillset which might become dangerous if organizations do not take this emerging threat seriously,” Group-IB concludes.
As attackers continue to leverage Web3 technologies, the report offers a stark warning: “This exploit of smart contracts to deliver proxy addresses is an interesting method where attackers can literally apply infinite variants of this technique; imagination is the limit”.