There’s a dangerous new ransomware variant on the block – and cyber experts warn it’s flying under the radar
The new DeadLock ransomware family is taking off in the wild, researchers warn
Group-IB is warning of a dangerous new DeadLock ransomware family based on the abuse of Polygon smart contracts.
A smart contract is a self-executing program stored on a blockchain that automatically enforces predefined rules or agreements without intermediaries.
DeadLock works through the stealthy usage of Polygon smart contracts for proxy address storage. This, Group-IB analysts warned, is a poorly-documented and under-reported technique that they've seen increasingly being used in the wild.
Numerous variants of the technique are currently in use, allowing threat actors to bypass traditional defenses by abusing decentralized blockchains worldwide.
"This exploit of smart contracts to deliver proxy addresses is an interesting method where attackers can literally apply infinite variants of this technique; imagination is the limit," the researchers said.
DeadLock, first discovered in July 2025, is unusual in not being associated with any known affiliate programs and for lacking a data leak site. This, combined with the limited number of reported victims, means it's largely flown under the radar.
"However, Group-IB specialists have discovered an interesting use of Polygon smart contracts for proxy server address rotation or distribution," the researchers said.
"This finding warrants public attention, especially since the abuse of this specific blockchain for malicious purposes has not been widely reported."
How DeadLock operates
The initial access vector and other important stages of the attacks remain unknown, according to Group-IB, although toolset analysis reveals the use of AnyDesk as a remote monitoring and management tool.
DeadLock then deletes several services on the victim’s machine, along with shadow copies to maximize impact.
The attackers set the file extension of all the encrypted files to .dlock, change file icons and take over the victim’s wallpaper, telling the victim to open the ransom note and follow the instructions. The main targets, Group-IB revealed, are in Italy, Spain, and India.
"DeadLock seems to have reactivated its operations by recently setting up a new proxy server," the researchers warn. "Although it’s low profile and yet low impact, it applies innovative methods that showcases an evolving skillset which might become dangerous if organizations do not take this emerging threat seriously."
Smart contracts are becoming an increasing target for cyber criminals, with Google warning last autumn that the North Korean threat actor UNC5342 was using a technique dubbed “EtherHiding” to deliver malware and facilitate cryptocurrency theft.
This consists of leveraging transactions on public blockchains to store and retrieve malicious payloads. According to research from Google, this is highly resilient against conventional takedown and blocklisting efforts.
Around the same time, two new pieces of open source malware were uncovered on the npm package repository by ReversingLabs researchers, exploiting smart contracts for the Ethereum blockchain to load malware on compromised devices.
Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.

