
"It abandons the usual double extortion approach in which cybercrooks steal data, encrypt systems, and threaten to post it online for all to see if the victim refuses to pay a ransom. For starters, it does not have a data leak site (DLS) where it could publicize attacks. In cases where victims refuse to pay, it cannot lean on reputational damage to push for a fee. Instead, researchers say the group threatens to sell the data on the underground market, a tactic experts have previously said could just be hot air."
"Its use of Polygon smart contracts to obscure its command-and-control (C2) infrastructure is an unusual move that's slowly gaining popularity. Once a victim's systems are encrypted, DeadLock drops an HTML file that acts as a wrapper for the decentralized messenger Session. This file replaces an instruction for the victim to download Session to communicate with DeadLock. By using blockchain-based smart contracts to store the group's proxy server URL - the one victims connect to before communicating with the criminals - it allows DeadLock to rotate this address frequently, making it difficult for defenders to permanently block its infrastructure."
""This exploit of smart contracts to deliver proxy addresses is an interesting method where attackers can literally apply infinite variants of this technique; imagination is the limit," said Xabier Eizaguirre, threat intelligence analyst at Group-IB, in a write-up shared with The Register."
DeadLock ransomware emerged in July 2025 and has attacked a diverse set of organizations while remaining relatively covert. The group abandons double extortion and has no public data leak site, instead threatening to sell stolen data on underground markets. The operation focuses on encrypting systems and drops an HTML file that wraps the decentralized messenger Session, which victims use to communicate with the group. DeadLock stores its proxy server URL in Polygon smart contracts, which lets it rotate its C2 address frequently and complicates defenders' efforts to permanently block its infrastructure. Blockchain-based anti-detection methods are increasingly used by adversaries.
Read at The Register