DeadLock Ransomware Exploits Polygon Smart Contracts to Hide C2
- Jan 16
Key Findings
- A new ransomware family called DeadLock was discovered in July 2025, distinguished by its innovative abuse of Polygon smart contracts to manage its command-and-control (C2) infrastructure.
- DeadLock embeds the proxy URL directly into the blockchain via a `setProxy` function, creating an immutable and resilient communication channel that is difficult for law enforcement to take down.
- This "EtherHiding" technique echoes methods previously observed with North Korean threat actors, suggesting the abuse of smart contracts for malicious purposes could become an emerging trend.
- DeadLock operates without a traditional Data Leak Site (DLS), leading to lower visibility, but its ransom notes have evolved to include explicit threats of data theft and exposure.
- Victims are corralled into using the decentralized messenger Session to negotiate, and the ransomware even drops a custom HTML file that acts as a "wrapper" for Session.
- Technically, DeadLock relies on a mix of custom malware and legitimate administrative tools like AnyDesk to seize control and ruthlessly prepare the environment for encryption.
Background
While DeadLock may not yet be a household name like LockBit or Cl0p, its methods signal a dangerous shift in the cybercrime landscape. The report warns that "this exploit of smart contracts to deliver proxy addresses is an interesting method where attackers can literally apply infinite variants of this technique; imagination is the limit". As attackers continue to leverage Web3 technologies, the potential for increasingly sophisticated and resilient attacks is a growing concern.
DeadLock's C2 Infrastructure
DeadLock has gone "decentralized," using Polygon smart contracts to store and rotate the addresses of its proxy servers. By writing the proxy URL into contract state on the blockchain (the `setProxy` function noted above), the attackers obtain a communication channel that no hosting provider or registrar can take down, while still being able to point it at a new proxy with a further transaction. This "EtherHiding" technique echoes methods previously observed with North Korean threat actors, suggesting the abuse of smart contracts for malicious purposes could become an emerging trend.
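As an added, defender-side example (not code from the report or from DeadLock itself), the following Python decodes the ABI-encoded `string` an `eth_call` returns and flags processes that pull URL-shaped values from a Polygon RPC endpoint, which is the observable side of the EtherHiding pattern described above. The RPC hostname, the process names and the telemetry records are constructed assumptions, not indicators from the report.

```python
# Defender-side decoder/detector for EtherHiding-style proxy lookups (added example).
import json
import re

# Assumption: public Polygon JSON-RPC host(s) seen in egress logs; adjust to your telemetry.
RPC_HOSTS = {"polygon-rpc.com"}
URL_RE = re.compile(r"^https?://\S+$")

def encode_abi_string(s: str) -> str:
    """ABI-encode one `string` return value: offset word, length word, 32-byte padded data."""
    data = s.encode()
    padded = data.hex().ljust(-(-len(data) // 32) * 64, "0")
    head = (32).to_bytes(32, "big").hex() + len(data).to_bytes(32, "big").hex()
    return "0x" + head + padded

def decode_abi_string(result: str) -> str:
    """Inverse: extract the string from the `result` field of an eth_call response."""
    h = result[2:] if result.startswith("0x") else result
    offset = int(h[:64], 16) * 2            # word offset -> hex-character offset
    length = int(h[offset:offset + 64], 16)
    start = offset + 64
    return bytes.fromhex(h[start:start + length * 2]).decode()

def scan(records):
    """records: (process, dst_host, request_json, response_json); returns URL-shaped contract reads."""
    hits = []
    for proc, host, req, resp in records:
        if host not in RPC_HOSTS:
            continue
        try:
            if json.loads(req).get("method") != "eth_call":
                continue
            value = decode_abi_string(json.loads(resp)["result"])
        except (ValueError, KeyError):
            continue                       # malformed JSON or non-string return value
        if URL_RE.match(value):
            hits.append({"process": proc, "rpc_host": host, "proxy_url": value})
    return hits

# Constructed sample telemetry (not real IoCs): a browser wallet reading a token
# symbol, and an unexpected binary reading a URL-shaped string from a contract.
CALL = json.dumps({"jsonrpc": "2.0", "id": 1, "method": "eth_call",
                   "params": [{"to": "0x" + "0" * 40, "data": "0x00000000"}, "latest"]})
SAMPLE = [
    ("chrome.exe", "polygon-rpc.com", CALL,
     json.dumps({"jsonrpc": "2.0", "id": 1, "result": encode_abi_string("MATIC")})),
    ("svchost_update.exe", "polygon-rpc.com", CALL,
     json.dumps({"jsonrpc": "2.0", "id": 1, "result": encode_abi_string("https://proxy.example/api")})),
]
```

Running `scan(SAMPLE)` yields one hit, for the constructed `svchost_update.exe` record, with the decoded proxy URL ready to be used as a blocking or hunting indicator.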
Ransom Notes and Victim Interaction
DeadLock operates without a traditional Data Leak Site (DLS), leading to lower visibility. However, its aggression has visibly escalated over time, with ransom notes evolving to include explicit threats of data theft and exposure. Victims are corralled into using the decentralized messenger Session to negotiate, and the ransomware even drops a custom HTML file that acts as a "wrapper" for Session, facilitating direct, encrypted communication between the victim and the extortionist.
Technical Details
DeadLock relies on a mix of custom malware and legitimate administrative tools to seize control. The report highlights the use of a PowerShell script designed to ruthlessly prepare the environment for encryption, stopping every service that is not whitelisted and ensuring that security software and backup processes cannot interfere. Notably, the legitimate remote desktop tool AnyDesk is explicitly whitelisted, suggesting it is the group's "main remote monitoring and management tool".
Implications and Outlook
While DeadLock may not yet be a household name, its methods signal a dangerous shift in the cybercrime landscape. The report concludes that "although it's low profile and yet low impact, it applies innovative methods that showcases an evolving skillset which might become dangerous if organizations do not take this emerging threat seriously." As attackers continue to leverage Web3 technologies, the potential for increasingly sophisticated and resilient attacks is a growing concern.
Sources
https://securityonline.info/deadlock-ransomware-new-strain-hides-c2-in-polygon-smart-contracts/
https://x.com/the_yellow_fall/status/2011986031491318025
https://www.linkedin.com/posts/dlross_deadlock-ransomware-new-strain-hides-c2-activity-7417879552770609152-yFud
https://www.todayonchain.com/news/article/01KF2CWW40ZDT65EZ3YX0WM6C6/