There’s a dangerous new ransomware variant on the block – and cyber experts warn it’s flying under the radar
The new DeadLock ransomware family is taking off in the wild, researchers warn
Group-IB is warning of a dangerous new DeadLock ransomware family based on the abuse of Polygon smart contracts.
A smart contract is a self-executing program stored on a blockchain that automatically enforces predefined rules or agreements without intermediaries.
DeadLock works through the stealthy use of Polygon smart contracts for proxy address storage. This, Group-IB analysts warned, is a poorly documented and under-reported technique that they've seen increasingly being used in the wild.
There are numerous variants of the technique currently in use, allowing threat actors to bypass traditional defenses by abusing decentralized blockchains worldwide.
"This exploit of smart contracts to deliver proxy addresses is an interesting method where attackers can literally apply infinite variants of this technique; imagination is the limit," the researchers said.
DeadLock, first discovered in July 2025, is unusual in not being associated with any known affiliate programs and for lacking a data leak site. This, combined with the limited number of reported victims, means it's largely flown under the radar.
"However, Group-IB specialists have discovered an interesting use of Polygon smart contracts for proxy server address rotation or distribution," the researchers said.
"This finding warrants public attention, especially since the abuse of this specific blockchain for malicious purposes has not been widely reported."
How DeadLock operates
The initial access vector and other important stages of the attacks remain unknown, according to Group-IB, although toolset analysis reveals the use of AnyDesk as a remote monitoring and management tool.
DeadLock then deletes several services on the victim’s machine, along with shadow copies to maximize impact.
The attackers set the file extension of all the encrypted files to .dlock, change file icons and take over the victim’s wallpaper, telling the victim to open the ransom note and follow the instructions. The main targets, Group-IB revealed, are in Italy, Spain, and India.
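The two host-side behaviours the article attributes to DeadLock, shadow copy deletion and the mass renaming of files to the .dlock extension, are both observable in ordinary endpoint telemetry. The following is an added detection example, not code from Group-IB or from the article: it runs two simple rules over a few constructed log lines. The log format, hostnames, paths and timestamps are all made up for the example, and the shadow-copy command patterns are generic ones commonly seen in ransomware (the article does not say which commands DeadLock itself uses).

```python
"""Toy detection rules for two DeadLock behaviours described in the article:
shadow-copy deletion and a burst of renames to the .dlock extension.

Added example only. The telemetry format below is constructed:
    <ISO timestamp>|<host>|<event kind>|<detail>
where process events carry the command line and rename events carry
"<old path> -> <new path>".
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not real incident data).
SAMPLE_LOG = """\
2025-07-14T09:00:01|ws-17|process|vssadmin.exe delete shadows /all /quiet
2025-07-14T09:00:03|ws-17|process|net stop VSS
2025-07-14T09:00:10|ws-17|rename|C:\\Users\\alice\\Documents\\q3.xlsx -> C:\\Users\\alice\\Documents\\q3.xlsx.dlock
2025-07-14T09:00:11|ws-17|rename|C:\\Users\\alice\\Documents\\plan.docx -> C:\\Users\\alice\\Documents\\plan.docx.dlock
2025-07-14T09:00:12|ws-17|rename|C:\\Users\\alice\\Pictures\\img1.jpg -> C:\\Users\\alice\\Pictures\\img1.jpg.dlock
2025-07-14T09:00:13|ws-17|rename|C:\\Users\\alice\\Pictures\\img2.jpg -> C:\\Users\\alice\\Pictures\\img2.jpg.dlock
2025-07-14T09:00:14|ws-17|rename|C:\\Shares\\finance\\ledger.db -> C:\\Shares\\finance\\ledger.db.dlock
2025-07-14T09:00:15|ws-17|rename|C:\\Shares\\finance\\notes.txt -> C:\\Shares\\finance\\notes.txt.dlock
2025-07-14T09:05:00|ws-02|process|notepad.exe report.txt
2025-07-14T09:05:02|ws-02|rename|C:\\temp\\a.txt -> C:\\temp\\a.bak
"""

# Generic shadow-copy deletion command lines seen across many ransomware
# families. Assumption: the article does not name DeadLock's exact command.
SHADOW_DELETE_PATTERNS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"Win32_ShadowCopy.*\bDelete\b", re.I),
]

RANSOM_EXT = ".dlock"            # extension reported in the article
RENAME_THRESHOLD = 5             # assumption: tune to the environment
RENAME_WINDOW = timedelta(seconds=60)


def parse(log_text):
    """Split constructed log lines into (timestamp, host, kind, detail)."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, host, kind, detail = line.split("|", 3)
        events.append((datetime.fromisoformat(ts), host, kind, detail))
    return events


def detect(log_text):
    """Return a list of (host, rule_name, evidence) alerts."""
    alerts = []
    dlock_renames = defaultdict(list)   # host -> timestamps of .dlock renames

    for ts, host, kind, detail in parse(log_text):
        if kind == "process" and any(p.search(detail) for p in SHADOW_DELETE_PATTERNS):
            alerts.append((host, "shadow_copy_deletion", detail))
        elif kind == "rename" and detail.lower().endswith(RANSOM_EXT):
            dlock_renames[host].append(ts)

    # Sliding window: alert once per host when RENAME_THRESHOLD or more
    # .dlock renames fall inside RENAME_WINDOW.
    for host, times in dlock_renames.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > RENAME_WINDOW:
                start += 1
            count = end - start + 1
            if count >= RENAME_THRESHOLD:
                alerts.append((host, "mass_dlock_rename",
                               f"{count} renames within {RENAME_WINDOW.seconds}s"))
                break
    return alerts


if __name__ == "__main__":
    for host, rule, evidence in detect(SAMPLE_LOG):
        print(f"[{host}] {rule}: {evidence}")
```

The rename rule is the more specific of the two, since it keys on the extension the article reports; the shadow-copy rule is broad and will also fire on legitimate administration, so in practice it is best correlated with the rename burst or a service-stop event on the same host rather than alerted on alone.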
"DeadLock seems to have reactivated its operations by recently setting up a new proxy server," the researchers warn. "Although it's low profile and yet low impact, it applies innovative methods that showcase an evolving skillset which might become dangerous if organizations do not take this emerging threat seriously."
Smart contracts are increasingly being abused by cyber criminals, with Google warning last autumn that the North Korean threat actor UNC5342 was using a technique dubbed "EtherHiding" to deliver malware and facilitate cryptocurrency theft.
This consists of leveraging transactions on public blockchains to store and retrieve malicious payloads. According to research from Google, this is highly resilient against conventional takedown and blocklisting efforts.
Around the same time, two new pieces of open source malware were uncovered on the npm package repository by ReversingLabs researchers, abusing smart contracts on the Ethereum blockchain to load malware onto compromised devices.
Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.