Introduction to DeadLock Ransomware
A novel type of ransomware known as DeadLock has recently been flagged by cybersecurity experts at Group-IB as a significant threat leveraging Polygon smart contracts for obfuscation and concealment in its attack strategies. First detected in July 2025, this ransomware has flown under the radar due to its lack of public marketing and an associated data-leak portal, which has led to a limited number of known victims to date.
Innovative Threat Landscape
Group-IB emphasized the importance of recognizing the innovation demonstrated by DeadLock, warning that its current low profile does not diminish its potential for harm. The firm pointed out the ransomware’s unique approach to managing proxy addresses, stating:
“Using smart contracts to distribute these addresses opens a realm of possibilities for attackers; their creativity could lead to even more complex threats in the future.”
Comparative Threats
The threat landscape includes alarming parallels to a previously reported incident involving North Korean hackers utilizing a method known as “EtherHiding”. This technique, uncovered last year, involved hiding malicious payloads within the Ethereum blockchain, often through compromised sites that deploy hidden JavaScript to retrieve the harmful content imperceptibly.
Both EtherHiding and DeadLock exploit the decentralized nature of public blockchain networks, which complicates detection and takedown efforts for security providers: the on-chain data cannot simply be removed the way a hosting provider can take down a server. In the case of DeadLock, the strain also uses rotating proxy servers whose IP addresses change frequently, making the infrastructure harder to identify and block.
Infection and Evolution
While the specific methods through which attackers gain initial access remain unclear, Group-IB noted that DeadLock appends the “.dlock” extension to affected file names and replaces the desktop background with a ransom note demanding payment. The latest iterations of the ransomware have escalated their warnings, threatening victims with the theft and sale of sensitive data if the ransom is not paid.
DeadLock appears to have evolved from its original methodology, which relied on compromised servers, to owning and managing its own infrastructure. Moreover, researchers discovered JavaScript embedded in HTML files that communicates with smart contracts on the Polygon network; these contracts act as the interface through which the ransomware’s servers read and publish data on the Polygon blockchain.
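The two observable behaviours described above, a script in an HTML file that reads a smart contract over an EVM JSON-RPC endpoint and a burst of files being renamed with the “.dlock” extension, can both be turned into simple detections. The following is an added example written for this article, not code from Group-IB or from the DeadLock sample itself. The HTML snippet and file-rename events are constructed; the RPC URL and contract address are placeholders, and no real DeadLock indicators appear on this page. The Polygon mainnet chain id (137) and the `eth_call` method name are general facts about EVM chains, not something the article states.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# JSON-RPC methods a script would use to read data held in a smart contract.
JSONRPC_METHODS = ("eth_call", "eth_getStorageAt", "eth_getLogs")
POLYGON_CHAIN_ID = 137  # Polygon mainnet chain id (general EVM fact, not from the article)
HEX_ADDRESS = re.compile(r"0x[0-9a-fA-F]{40}")  # 20-byte EVM address
SCRIPT_BLOCK = re.compile(r"<script[^>]*>(.*?)</script>", re.S | re.I)


def scan_html_for_chain_calls(html):
    """Flag each inline <script> that looks like it reads a smart contract.

    A finding requires both a contract-reading RPC method and a 40-hex address,
    so a script that merely mentions a wallet address is not reported.
    """
    findings = []
    for match in SCRIPT_BLOCK.finditer(html):
        body = match.group(1)
        methods = [m for m in JSONRPC_METHODS if m in body]
        addresses = sorted(set(HEX_ADDRESS.findall(body)))
        if methods and addresses:
            findings.append({
                "methods": methods,
                "addresses": addresses,
                # chainId is optional in raw RPC calls; note it when present.
                "mentions_polygon": re.search(rf"chainId\W*{POLYGON_CHAIN_ID}\b", body) is not None,
            })
    return findings


def detect_dlock_burst(events, window_seconds=60, threshold=20):
    """Return {(host, process)} that renamed >= threshold files to .dlock
    inside any sliding window of window_seconds.

    events: iterable of (iso_timestamp, host, process, new_path).
    A handful of .dlock renames spread over hours never crosses the threshold;
    a burst of them from one process on one host does.
    """
    recent = {}   # host -> deque of rename timestamps inside the window
    flagged = set()
    for ts, host, proc, path in sorted(events, key=lambda e: datetime.fromisoformat(e[0])):
        if not path.lower().endswith(".dlock"):
            continue
        now = datetime.fromisoformat(ts).timestamp()
        window = recent.setdefault(host, deque())
        window.append(now)
        while window and now - window[0] > window_seconds:
            window.popleft()
        if len(window) >= threshold:
            flagged.add((host, proc))
    return flagged


# Constructed sample: one script reading a contract, one benign script.
SAMPLE_HTML = """<html><body>
<script>
  // constructed: reads a proxy address from a contract via a public RPC node
  const rpc = "https://rpc.example.invalid";                       // placeholder URL
  const contract = "0x0000000000000000000000000000000000000000";   // placeholder, not a real IoC
  fetch(rpc, {method: "POST", body: JSON.stringify({jsonrpc: "2.0", id: 1,
      method: "eth_call", params: [{to: contract, data: "0x"}, "latest"]})});
</script>
<script>console.log("benign analytics stub");</script>
</body></html>"""


def build_sample_events():
    """Constructed file-rename telemetry: a burst on WS-01, noise elsewhere."""
    base = datetime(2025, 7, 1, 9, 0, 0)
    events = []
    for i in range(25):   # 25 renames in under ten seconds from one process
        events.append(((base + timedelta(seconds=0.4 * i)).isoformat(), "WS-01",
                       "updater.exe", f"C:\\Users\\a\\Documents\\doc{i}.docx.dlock"))
    for i in range(3):    # three scattered renames an hour apart: not a burst
        events.append(((base + timedelta(hours=i)).isoformat(), "WS-02",
                       "explorer.exe", f"C:\\tmp\\f{i}.dlock"))
    events.append((base.isoformat(), "WS-03", "winword.exe", "C:\\tmp\\report.docx"))
    return events


if __name__ == "__main__":
    for f in scan_html_for_chain_calls(SAMPLE_HTML):
        print("contract read in inline script:", f)
    print("hosts with .dlock rename bursts:", detect_dlock_burst(build_sample_events()))
```

The HTML scan is deliberately narrow: a script that only mentions an address (a donation widget, for instance) is ignored, and a script that calls `eth_call` without an address is ignored too. The rename detector keys on host rather than process so that a ransomware that spawns several worker processes is still caught, while reporting the process name seen at the moment the threshold is crossed for triage.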
Enhanced Communication Capabilities
The current version of DeadLock lets the attacker and the victim communicate directly through a specially crafted HTML wrapper around the encrypted messaging platform Session. Group-IB stressed that organizations should take such threats seriously, since they demonstrate advanced techniques that could pose greater risks if they continue to evolve unchecked.