DeadLock Ransomware Using Polygon Smart Contracts to Evade Detection
DeadLock is a new ransomware strain that uses smart contracts on the Polygon blockchain to rotate the addresses of its proxy servers, letting the operators bypass traditional defenses and making takedown efforts more difficult. First identified in July 2025 by Group-IB, DeadLock remains low-profile: it has infected a small number of victims and has no public affiliate program or data-leak site. The malware encrypts files with a “.dlock” extension and replaces desktop backgrounds with ransom notes; newer variants also warn victims of a potential data leak if the ransom is not paid.

DeadLock’s central innovation is using decentralized blockchain infrastructure to deliver continually changing proxy addresses via JavaScript embedded in infected files. This resembles the “EtherHiding” technique previously used by North Korean hackers, which leverages blockchain networks to distribute malware payloads covertly. The group behind DeadLock is now believed to operate its own infrastructure, which increases its operational resilience.

The malware also enables direct victim-attacker communication through a specially crafted HTML file that acts as a wrapper for encrypted messaging. Initial access vectors remain unknown, but the evolving tactics show increasing sophistication on the attackers’ side.

