Cybersecurity researchers warn that the DeadLock ransomware operation has adopted blockchain-based techniques that complicate traditional defense and takedown efforts. According to findings published by Group-IB on Jan. 15, the ransomware uses publicly readable smart contracts on the Polygon network to store and rotate proxy server addresses that support communications with victims.
DeadLock first appeared in July 2025 and has maintained a relatively low profile since its discovery. The group does not operate a public data leak site and does not appear connected to established ransomware affiliate programs. Group-IB said this limited exposure reduced early visibility into the operation, despite confirmed attacks across multiple regions.
Encryption-only model limits extortion leverage
DeadLock diverges from the dominant double extortion model that many ransomware groups favor. The operation encrypts victim systems and threatens data sales on underground markets instead of publishing stolen data on a leak site.
Researchers noted that this approach weakens reputational pressure on victims. Without a dedicated data leak site, the group cannot easily demonstrate proof of compromise to the public. Security experts previously described such threats as potentially hollow, although Group-IB believes data theft likely occurred in later DeadLock campaigns.
Ransom notes collected by researchers show a clear evolution. The earliest sample detected on June 27, 2025 referenced encryption only. Later variants from July and August explicitly stated that data had been stolen and threatened resale if payment did not follow.
Smart contracts obscure command infrastructure
Group-IB researchers said the most unusual aspect of DeadLock lies in its use of Polygon smart contracts to manage command-and-control infrastructure. Instead of hardcoded servers or traditional botnet panels, DeadLock stores proxy addresses inside smart contracts that victims query after encryption.
"This exploit of smart contracts to deliver proxy addresses is an interesting method where attackers can literally apply infinite variants of this technique; imagination is the limit," said Xabier Eizaguirre, threat intelligence analyst at Group-IB, in a write-up shared with The Register.
The smart contract stores the proxy address through a function named setProxy. Victim systems retrieve the current address through a read-only eth_call operation, which creates no transaction and incurs no blockchain cost. This structure allows attackers to rotate infrastructure without redeploying malware.
Group-IB stressed that the method does not exploit vulnerabilities in Polygon itself. The ransomware abuses the public and immutable nature of blockchain data to hide configuration details.
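To make the read-only lookup concrete from the tracking side, here is an added example (not code from the article or from Group-IB) of a defender-side poller that builds the eth_call request, ABI-decodes a string-returning getter, and records each rotation of the advertised proxy so the value can be fed to blocklists or detection content. It assumes the getter returns a single ABI-encoded string; the contract address and the 4-byte selector are placeholders, and the sample responses are constructed.

```python
CONTRACT = "0x" + "00" * 20       # placeholder: contract address from your own intelligence
GETTER_SELECTOR = "0x00000000"    # placeholder: first 4 bytes of keccak256 of the getter signature

def build_eth_call(contract: str, selector: str, block: str = "latest") -> dict:
    """JSON-RPC eth_call request: reads contract state and creates no transaction."""
    return {"jsonrpc": "2.0", "id": 1, "method": "eth_call",
            "params": [{"to": contract, "data": selector}, block]}

def decode_abi_string(hex_data: str) -> str:
    """Decode one ABI-encoded `string` return value: 32-byte offset, 32-byte length, bytes."""
    raw = bytes.fromhex(hex_data[2:] if hex_data.startswith("0x") else hex_data)
    if len(raw) < 64:
        raise ValueError("return data too short for an ABI string")
    offset = int.from_bytes(raw[0:32], "big")
    length = int.from_bytes(raw[offset:offset + 32], "big")
    start = offset + 32
    if start + length > len(raw):
        raise ValueError("declared string length exceeds return data")
    return raw[start:start + length].decode("utf-8")

def encode_abi_string(s: str) -> str:
    """Inverse of decode_abi_string; used only to build the constructed samples below."""
    data = s.encode("utf-8")
    padded = data + b"\x00" * (-len(data) % 32)
    return "0x" + (32).to_bytes(32, "big").hex() + len(data).to_bytes(32, "big").hex() + padded.hex()

class ProxyRotationTracker:
    """Keeps the sequence of distinct proxy values returned across successive polls."""
    def __init__(self) -> None:
        self.history: list[tuple[int, str]] = []   # (block_number, proxy)
    def observe(self, rpc_response: dict, block_number: int) -> bool:
        """Feed one eth_call response; return True when the advertised proxy changed."""
        if "error" in rpc_response:
            raise RuntimeError(rpc_response["error"])
        proxy = decode_abi_string(rpc_response["result"])
        if not self.history or self.history[-1][1] != proxy:
            self.history.append((block_number, proxy))
            return True
        return False

def replay_polls(polls: list[tuple[int, str]]) -> list[tuple[int, str]]:
    """Simulate polling with constructed responses and return the rotation history."""
    tracker = ProxyRotationTracker()
    for block, value in polls:
        tracker.observe({"jsonrpc": "2.0", "id": 1, "result": encode_abi_string(value)}, block)
    return tracker.history

if __name__ == "__main__":   # constructed sample: the value holds for one block, then rotates
    print(replay_polls([(100, "203.0.113.10:8080"), (101, "203.0.113.10:8080"), (102, "198.51.100.7:443")]))
```

Against a live node you would send the dict from build_eth_call to the RPC endpoint and pass each reply to observe.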
HTML ransom notes embed encrypted messaging
In later samples, DeadLock drops an HTML file that acts as a wrapper for Session, an end-to-end encrypted decentralized messaging platform. Victims can communicate with attackers directly through the embedded interface without installing the Session application.
The HTML file includes JavaScript that queries the Polygon smart contract for the active proxy address. Communication then passes through that proxy before routing messages to a fixed Session ID controlled by DeadLock operators.
Researchers identified several internal functions within the JavaScript code, including sendProxy and sendMessage. The latter encrypts victim messages and transmits them as JSON objects. References to “snodes” and “swarms” appear within the code, terms associated with Session’s decentralized architecture.
Malware samples show evolving tradecraft
Group-IB identified at least three DeadLock ransomware versions compiled between June and August 2025. All samples used the filename svhost.exe and targeted Windows systems. Submission records traced samples to India, Spain, and Italy.
Later samples shared identical service lists in the same order, which suggested reuse of tooling. Analysts also identified a PowerShell script named stop.ps1 that appeared within DeadLock investigations. The script attempted to stop non-whitelisted services, delete volume shadow copies, and remove itself after execution.
Almost all whitelisted services belonged to Windows. AnyDesk stood out as the only third-party tool on the list. Group-IB and ThreatScene both reported AnyDesk use during DeadLock intrusions, which points to the group's reliance on it for remote control.
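The three behaviours attributed to stop.ps1 (stopping services in bulk, deleting volume shadow copies, and deleting itself) are all visible in process-creation telemetry. The following added example (not code from the article or from Group-IB) runs simple detection rules over constructed process-creation events; the specific command lines it matches are assumptions about common ways of doing each on Windows, not quotes from the DeadLock script.

```python
import re
from collections import defaultdict

# Constructed process-creation events (not real DeadLock telemetry), one per line:
# "<epoch> <host> <image> <command line>". WS01 mimics the behaviours attributed to stop.ps1.
SAMPLE_LOG = """\
1700000000 WS01 powershell.exe powershell -File C:\\Temp\\stop.ps1
1700000001 WS01 vssadmin.exe vssadmin delete shadows /all /quiet
1700000002 WS01 powershell.exe Stop-Service -Name Spooler -Force
1700000002 WS01 powershell.exe Stop-Service -Name MSSQLSERVER -Force
1700000003 WS01 powershell.exe Stop-Service -Name SQLWriter -Force
1700000003 WS01 powershell.exe Stop-Service -Name wuauserv -Force
1700000004 WS01 powershell.exe Stop-Service -Name BITS -Force
1700000005 WS01 powershell.exe Remove-Item $PSCommandPath -Force
1700000500 WS02 vssadmin.exe vssadmin list shadows
1700000600 WS02 powershell.exe Stop-Service -Name Spooler
"""

# Command-line patterns for the three behaviours; the exact commands are assumptions
# (common ways to do each on Windows), not quotes from the DeadLock script.
SHADOW_DELETE = re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I)
SERVICE_STOP = re.compile(r"\bstop-service\b|\b(sc|net)(\.exe)?\s+stop\b", re.I)
SELF_DELETE = re.compile(r"\bremove-item\b.*(\$pscommandpath|\$myinvocation\.mycommand)", re.I)
STOP_THRESHOLD, STOP_WINDOW = 5, 60   # at least 5 service stops on one host within 60 s

def detect(log_text: str) -> list[tuple[str, str, str]]:
    """Return (host, rule, evidence) findings; service stops are only flagged as a burst."""
    findings = []
    stop_times = defaultdict(list)   # host -> timestamps of service-stop commands
    for line in log_text.splitlines():
        ts, host, _image, cmd = line.split(" ", 3)
        if SHADOW_DELETE.search(cmd):
            findings.append((host, "shadow_copy_deletion", cmd))
        if SELF_DELETE.search(cmd):
            findings.append((host, "script_self_deletion", cmd))
        if SERVICE_STOP.search(cmd):
            stop_times[host].append(int(ts))
    for host, times in stop_times.items():
        times.sort()
        # sliding window: one finding per host when STOP_THRESHOLD stops land within STOP_WINDOW
        for i in range(len(times) - STOP_THRESHOLD + 1):
            if times[i + STOP_THRESHOLD - 1] - times[i] <= STOP_WINDOW:
                findings.append((host, "mass_service_stop", f"{STOP_THRESHOLD} stops in {STOP_WINDOW}s"))
                break
    return findings

if __name__ == "__main__":
    for host, rule, evidence in detect(SAMPLE_LOG):
        print(f"{host}: {rule} <- {evidence}")
```

A single benign `vssadmin list shadows` or one administrative service stop on WS02 produces no finding, which is the point of the burst threshold.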
Prior access methods remain unclear
Initial access vectors remain unknown. Group-IB said it lacked direct evidence that explains how attackers entered victim networks. Earlier reporting from Cisco Talos linked DeadLock to bring-your-own-vulnerable-driver (BYOVD) techniques and exploitation of vulnerabilities that disable endpoint detection processes.
Talos described the ransomware’s encryption routine as efficient and custom-built, rather than dependent on standard Windows cryptographic APIs. Investigators also observed short attack timelines that spanned only several days.
Blockchain abuse reflects wider trend
Group-IB noted that DeadLock’s techniques resemble methods used by North Korean threat actors. Google Threat Intelligence Group previously described a similar approach under the name EtherHiding, where attackers store malicious data within smart contracts.
Although DeadLock remains limited in scope, researchers warned that its approach could scale. Smart contracts allow infrastructure updates that defenders cannot easily block or remove. The method also resists traditional sinkholing strategies.
DeadLock’s current victim count remains unclear. Without a public leak site or visible negotiation channels, researchers lack reliable data. For now, the operation stands as an early example of how ransomware groups adapt blockchain infrastructure for resilience rather than payment processing.