DeadLock Ransomware Group Leverages Polygon Smart Contracts

Cybercrime Group Leverages Blockchain Technology to Enhance Ransomware Tactics


A new threat actor known as the DeadLock ransomware group is using blockchain smart contracts to support its communications during extortion negotiations with targeted organizations. The contracts store the addresses of the group's proxy servers, so the infrastructure can be located without the operators exposing it directly, which adds a layer of anonymity to their operations.

First identified in July 2025, DeadLock runs these operations on the Polygon platform, a network designed to complement the Ethereum blockchain. The technique, dubbed "EtherHiding," embeds malicious code or data within blockchain contracts, where it can be retrieved without leaving obvious traces. The method has also attracted other threat actors, including state-sponsored groups and financially motivated cybercriminals previously reported to use similar techniques.

According to research from Group-IB, DeadLock adopted EtherHiding as part of its command-and-control infrastructure shortly after its emergence. The first known variant of its ransomware was compiled in July 2025, marking the start of its activity. The binary primarily targets Windows systems and has evolved rapidly, with at least three versions documented by security researchers.

The group’s approach does not feature a data leak site, opting instead for communications through the end-to-end encrypted Session messaging platform. This method complicates victim identification, making it challenging to ascertain the total number of attacks. Group-IB notes that the latest version of the ransomware incorporates an HTML wrapper for Session communications, allowing it to interact with the Polygon network seamlessly.

The smart contracts used by DeadLock are designed to be read without generating blockchain transactions, which avoids transaction fees. Within these contracts, the function sendProxy returns the addresses of predetermined proxy servers, while another function, sendMessage, encrypts messages and forwards them to the proxy server in JSON format, keeping the exchange confidential.
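Because the contract is read rather than transacted with, the defensive signal is a read-only JSON-RPC call (such as eth_call) to a blockchain gateway from a host that has no business talking to one. The following is an added illustration of that hunt over constructed proxy log records; it is not Group-IB's or Cisco Talos's tooling, and the log layout, the gateway hostname and the contract address are assumptions.

```python
import json

# Read-only JSON-RPC methods that fetch contract data without creating a transaction.
READ_ONLY_METHODS = {"eth_call", "eth_getStorageAt", "eth_getCode"}

# Constructed sample: a web proxy that records the POST body sent to a public
# RPC gateway (hostname is a placeholder). The contract address is made up.
FAKE_CONTRACT = "0x" + "ab" * 20
SAMPLE_LOGS = [
    {"src": "10.0.4.17", "host": "polygon-rpc.example",
     "body": json.dumps({"jsonrpc": "2.0", "id": 1, "method": "eth_call",
                         "params": [{"to": FAKE_CONTRACT, "data": "0x01"}, "latest"]})},
    {"src": "10.0.4.17", "host": "polygon-rpc.example",   # batched request
     "body": json.dumps([{"jsonrpc": "2.0", "id": 2, "method": "eth_chainId"},
                         {"jsonrpc": "2.0", "id": 3, "method": "eth_call",
                          "params": [{"to": FAKE_CONTRACT, "data": "0x02"}, "latest"]}])},
    {"src": "10.0.9.3", "host": "polygon-rpc.example",    # allow-listed finance host
     "body": json.dumps({"jsonrpc": "2.0", "id": 4, "method": "eth_call",
                         "params": [{"to": FAKE_CONTRACT, "data": "0x01"}, "latest"]})},
    {"src": "10.0.4.17", "host": "polygon-rpc.example", "body": "not json"},
]


def _requests_in(body):
    """Yield individual JSON-RPC requests, handling batch arrays and junk bodies."""
    try:
        parsed = json.loads(body)
    except (ValueError, TypeError):
        return
    for req in parsed if isinstance(parsed, list) else [parsed]:
        if isinstance(req, dict) and "method" in req:
            yield req


def find_contract_reads(records, allowed_sources=frozenset()):
    """Return one finding per read-only contract read from a non-allow-listed host."""
    findings = []
    for rec in records:
        if rec["src"] in allowed_sources:
            continue
        for req in _requests_in(rec.get("body", "")):
            if req["method"] not in READ_ONLY_METHODS:
                continue
            params = req.get("params") or [{}]
            # eth_call carries a dict with "to"; getStorageAt/getCode carry the address.
            target = params[0].get("to") if isinstance(params[0], dict) else params[0]
            findings.append({"src": rec["src"], "host": rec["host"],
                             "method": req["method"], "contract": target})
    return findings


if __name__ == "__main__":
    for finding in find_contract_reads(SAMPLE_LOGS, allowed_sources={"10.0.9.3"}):
        print(finding)
```

Allow-listing known legitimate blockchain clients keeps the rule quiet in organizations that do use on-chain services; everything else reading a contract is worth a look.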

Through their investigations, researchers observed that the endpoints communicating with these proxy servers are frequently compromised systems and maliciously hosted environments, pointing to a deliberately built operational infrastructure. Moreover, the need to fund transactions on the blockchain suggests significant financial backing for DeadLock's operations.

Identifying Tactics and Techniques

DeadLock’s utilization of EtherHiding indicates that its operations involve skilled cybercriminals, as noted in recent reports from Cisco Talos, which characterize the group’s encryption methods as notably sophisticated. By employing custom cryptographic implementations, DeadLock has shown an ability to efficiently encrypt entire file systems, avoiding conventional detection mechanisms.

The group's intrusions play out over just a few days, which reflects their experience. In a notable case examined by Cisco Talos, the attackers exploited a vulnerability in Baidu Antivirus to gain initial access, a method aligned with the MITRE ATT&CK framework's initial access tactics. Before deploying the ransomware, the group used remote desktop software to establish persistent access and disabled defensive mechanisms to facilitate lateral movement across the network. The eventual deployment of the ransomware culminated in extortion attempts accompanied by threats to leak stolen data, a double-extortion strategy.

In conclusion, the DeadLock ransomware group exemplifies the evolving landscape of cybercrime, leveraging advanced technologies like blockchain to optimize their operations. As ransomware incidents continue to escalate, understanding these technical approaches is vital for organizational preparedness and response strategies against potential threats.
