There’s a dangerous new ransomware variant on the block – and cyber experts warn it’s flying under the radar
The new DeadLock ransomware family is taking off in the wild, researchers warn
Group-IB is warning of a dangerous new DeadLock ransomware family based on the abuse of Polygon smart contracts.
A smart contract is a self-executing program stored on a blockchain that automatically enforces predefined rules or agreements without intermediaries.
DeadLock works through the stealthy usage of Polygon smart contracts for proxy address storage. This, Group-IB analysts warned, is a poorly-documented and under-reported technique that they've seen increasingly being used in the wild.
There are numerous variants currently in use, which allows threat actors to bypass traditional defenses by abusing decentralized blockchains worldwide.
"This exploit of smart contracts to deliver proxy addresses is an interesting method where attackers can literally apply infinite variants of this technique; imagination is the limit," the researchers said.
DeadLock, first discovered in July 2025, is unusual in not being associated with any known affiliate programs and for lacking a data leak site. This, combined with the limited number of reported victims, means it's largely flown under the radar.
"However, Group-IB specialists have discovered an interesting use of Polygon smart contracts for proxy server address rotation or distribution," the researchers said.
"This finding warrants public attention, especially since the abuse of this specific blockchain for malicious purposes has not been widely reported."
How DeadLock operates
The initial access vector and other important stages of the attacks remain unknown, according to Group-IB, although toolset analysis reveals the use of Anydesk as a remote monitoring and management tool.
DeadLock then deletes several services on the victim’s machine, along with shadow copies to maximize impact.
The attackers set the file extension of all the encrypted files to .dlock, change file icons and take over the victim’s wallpaper, telling the victim to open the ransom note and follow the instructions. The main targets, Group-IB revealed, are in Italy, Spain, and India.
"DeadLock seems to have reactivated its operations by recently setting up a new proxy server, the researchers warn. "Although it’s low profile and yet low impact, it applies innovative methods that showcases an evolving skillset which might become dangerous if organizations do not take this emerging threat seriously."
Smart contracts are becoming an increasing target for cyber criminals, with Google warning last autumn that the North Korean threat actor UNC5342 was using a technique dubbed “EtherHiding” to deliver malware and facilitate cryptocurrency theft.
This consists of leveraging transactions on public blockchains to store and retrieve malicious payloads. According to research from Google, this is highly resilient against conventional takedown and blocklisting efforts.
Around the same time, two new pieces of open source malware were uncovered on the npm package repository by ReversingLabs researchers, exploiting smart contracts for the Ethereum blockchain to load malware on compromised devices.
FOLLOW US ON SOCIAL MEDIA
Make sure to follow ITPro on Google News to keep tabs on all our latest news, analysis, and reviews.
You can also follow ITPro on LinkedIn, X, Facebook, and BlueSky.
-
Poor workplace communication is confusing your colleagues and destroying productivityNews Engaging with colleagues via email or chat platforms wastes time and hampers team alignment
-
How the Cybersecurity and Resilience Bill could impact MSPsIndustry Insights With the Cybersecurity and Resilience Bill now in Parliament, how should MSPs prepare for heightened regulatory scrutiny?
-
Researchers called on LastPass, Dashlane, and Bitwarden to up defenses after severe flaws put 60 million users at risk – here’s how each company respondedNews Analysts at ETH Zurich called for cryptographic standard improvements after a host of password managers were found lacking
-
‘They are able to move fast now’: AI is expanding attack surfaces – and hackers are looking to reap the same rewards as enterprises with the technologyNews Potent new malware strains, faster attack times, and the rise of shadow AI are causing havoc
-
Ransomware gangs are using employee monitoring software as a springboard for cyber attacksNews Two attempted attacks aimed to exploit Net Monitor for Employees Professional and SimpleHelp
-
Ransomware gangs are sharing virtual machines to wage cyber attacks on the cheap – but it could be their undoingNews Thousands of attacker servers all had the same autogenerated Windows hostnames, according to Sophos
-
Google issues warning over ShinyHunters-branded vishing campaignsNews Related groups are stealing data through voice phishing and fake credential harvesting websites
-
Notepad++ hackers remained undetected and pushed malicious updates for six months – here’s who’s responsible, how they did it, and how to check if you’ve been affectedNews Hackers remained undetected for months and distributed malicious updates to Notepad++ users after breaching the text editor software – here's how to check if you've been affected.
-
CISA’s interim chief uploaded sensitive documents to a public version of ChatGPT – security experts explain why you should never do thatNews The incident at CISA raises yet more concerns about the rise of ‘shadow AI’ and data protection risks
-
Former Google engineer convicted of economic espionage after stealing thousands of secret AI, supercomputing documentsNews Linwei Ding told Chinese investors he could build a world-class supercomputer
