There’s a dangerous new ransomware variant on the block – and cyber experts warn it’s flying under the radar
The new DeadLock ransomware family is taking off in the wild, researchers warn
Group-IB is warning of a dangerous new DeadLock ransomware family based on the abuse of Polygon smart contracts.
A smart contract is a self-executing program stored on a blockchain that automatically enforces predefined rules or agreements without intermediaries.
DeadLock works through the stealthy usage of Polygon smart contracts for proxy address storage. This, Group-IB analysts warned, is a poorly-documented and under-reported technique that they've seen increasingly being used in the wild.
There are numerous variants currently in use, allowing threat actors to bypass traditional defenses by abusing decentralized blockchains worldwide.
"This exploit of smart contracts to deliver proxy addresses is an interesting method where attackers can literally apply infinite variants of this technique; imagination is the limit," the researchers said.
DeadLock, first discovered in July 2025, is unusual in not being associated with any known affiliate programs and for lacking a data leak site. This, combined with the limited number of reported victims, means it's largely flown under the radar.
"However, Group-IB specialists have discovered an interesting use of Polygon smart contracts for proxy server address rotation or distribution," the researchers said.
"This finding warrants public attention, especially since the abuse of this specific blockchain for malicious purposes has not been widely reported."
How DeadLock operates
The initial access vector and other important stages of the attacks remain unknown, according to Group-IB, although toolset analysis reveals the use of AnyDesk as a remote monitoring and management tool.
DeadLock then deletes several services on the victim’s machine, along with shadow copies to maximize impact.
The attackers set the file extension of all the encrypted files to .dlock, change file icons and take over the victim’s wallpaper, telling the victim to open the ransom note and follow the instructions. The main targets, Group-IB revealed, are in Italy, Spain, and India.
"DeadLock seems to have reactivated its operations by recently setting up a new proxy server," the researchers warn. "Although it's low profile and yet low impact, it applies innovative methods that showcase an evolving skillset which might become dangerous if organizations do not take this emerging threat seriously."
Smart contracts are becoming an increasing target for cyber criminals, with Google warning last autumn that the North Korean threat actor UNC5342 was using a technique dubbed “EtherHiding” to deliver malware and facilitate cryptocurrency theft.
This consists of leveraging transactions on public blockchains to store and retrieve malicious payloads. According to research from Google, this is highly resilient against conventional takedown and blocklisting efforts.
Around the same time, two new pieces of open source malware were uncovered on the npm package repository by ReversingLabs researchers, exploiting smart contracts for the Ethereum blockchain to load malware on compromised devices.
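Both DeadLock's proxy-address storage and EtherHiding rest on the same mechanic: the malware asks a public blockchain RPC endpoint for data it needs (a proxy address, or a payload) rather than a server a defender can take down. The following is an added triage example, not code from the ITPro article, Group-IB or Google. It flags `eth_call` requests to Polygon RPC endpoints from processes not expected to talk to a blockchain, and decodes the ABI-encoded string such a contract returns so the recovered proxy address can be fed into an egress block rule. Assumptions: the contract call returns a single ABI `string`; the log records, host list, process names, contract address, function selector and proxy value are all constructed for illustration.

```python
"""Added example (not from the article, Group-IB or Google): triage of
JSON-RPC traffic for the blockchain-hosted configuration technique.
Assumes the contract call returns one ABI `string`; all sample data below
is constructed."""
import json

# Assumption: hostnames the defender treats as Polygon JSON-RPC endpoints.
# polygon-rpc.com is a real public endpoint; the list is a starting point only.
POLYGON_RPC_HOSTS = frozenset({"polygon-rpc.com", "rpc.polygon.example"})


def encode_abi_string(value: str) -> str:
    """ABI-encode a single `string` return value (used here only to build
    the constructed sample response)."""
    data = value.encode("utf-8")
    padded = data + b"\x00" * ((32 - len(data) % 32) % 32)
    head = (32).to_bytes(32, "big") + len(data).to_bytes(32, "big")
    return "0x" + (head + padded).hex()


def decode_abi_string(result: str) -> str:
    """Decode an eth_call result that is an ABI-encoded `string`:
    32-byte offset, 32-byte length, then the bytes padded to 32."""
    raw = bytes.fromhex(result[2:] if result.startswith("0x") else result)
    if len(raw) < 64:
        raise ValueError("result too short for an ABI string")
    offset = int.from_bytes(raw[0:32], "big")
    length = int.from_bytes(raw[offset:offset + 32], "big")
    start = offset + 32
    if start + length > len(raw):
        raise ValueError("declared string length exceeds payload")
    return raw[start:start + length].decode("utf-8")


# Constructed sample: proxy-log style records of HTTPS exchanges, one per
# JSON-RPC request, with the response body captured where available.
SAMPLE_EXCHANGES = [
    {   # benign: a browser asking for the latest block number
        "process": "chrome.exe", "host": "polygon-rpc.com",
        "request": {"jsonrpc": "2.0", "id": 1, "method": "eth_blockNumber", "params": []},
        "response": {"jsonrpc": "2.0", "id": 1, "result": "0x3c2a9f1"},
    },
    {   # suspicious: an unknown binary reading contract state via eth_call
        "process": "updater.exe", "host": "polygon-rpc.com",
        "request": {"jsonrpc": "2.0", "id": 7, "method": "eth_call", "params": [
            {"to": "0x" + "00" * 19 + "01",   # placeholder contract address
             "data": "0xdeadbeef"},          # placeholder function selector
            "latest"]},
        "response": {"jsonrpc": "2.0", "id": 7,
                     "result": encode_abi_string("198.51.100.23:8080")},  # RFC 5737 test address
    },
]


def triage(exchanges, allowed_processes=frozenset()):
    """Return one finding per eth_call to a Polygon RPC host from a process
    that is not on the allow-list, with the decoded proxy string if any."""
    findings = []
    for ex in exchanges:
        if ex["host"] not in POLYGON_RPC_HOSTS:
            continue
        if ex["request"].get("method") != "eth_call":
            continue
        if ex["process"] in allowed_processes:
            continue
        params = ex["request"].get("params") or [{}]
        call = params[0] if isinstance(params[0], dict) else {}
        finding = {
            "process": ex["process"],
            "host": ex["host"],
            "contract": call.get("to"),
            "selector": (call.get("data") or "")[:10],  # "0x" + 4-byte selector
            "proxy": None,
        }
        result = (ex.get("response") or {}).get("result")
        if result:
            try:
                finding["proxy"] = decode_abi_string(result)
            except (ValueError, UnicodeDecodeError):
                pass  # not a string return; the call itself is still a finding
        findings.append(finding)
    return findings


def block_list(findings):
    """Proxy strings recovered from findings, ready for an egress block rule."""
    return sorted({f["proxy"] for f in findings if f["proxy"]})


if __name__ == "__main__":
    found = triage(SAMPLE_EXCHANGES)
    print(json.dumps(found, indent=2))
    print("block:", block_list(found))
```

The allow-list matters in practice: browsers, wallet software and developer tooling legitimately issue `eth_call`, so the signal is the combination of an unexpected process, a public RPC host and a contract read, not the RPC method on its own. Because the contract address and selector appear in every request, they are the stable indicators to pivot on even when the attacker rotates the proxy value stored in the contract.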
Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.