# Full Report
First spotted in July 2025, the DeadLock group has attacked a wide range of organizations while almost managing to stay under the radar. It abandons the usual double extortion approach, in which cybercrooks steal data, encrypt systems, and threaten to post the data online for all to see if the victim refuses to pay a ransom. For starters, it does not have a data leak site (DLS) where it could publicize attacks. In cases where victims refuse to pay, it cannot lean on reputational damage to push for a fee. Instead, researchers say the group threatens to sell the data on the underground market, a tactic experts have previously said could just be hot air.
# Analysis Summary
# Threat Actor: DeadLock Group
## Attribution & Identity
**Identification:** DeadLock Group (Ransomware operation).
**Aliases:** None explicitly mentioned in the provided text.
**Known Associations:** Researchers noted that North Korean state-sponsored attackers have been observed using similar smart contract obfuscation techniques (dubbed "EtherHiding").
## Activity Summary
First spotted in **July 2025**. The group has attacked a wide range of organizations. They primarily focus on encryption-only attacks, diverging from the common double extortion model. If ransom demands are refused, they threaten to sell stolen data on the underground market, rather than publishing it directly on a Data Leak Site (DLS), as they do not operate one.
## Tactics, Techniques & Procedures
- **Evasion/Obfuscation via Blockchain:** Uses Polygon smart contracts to obscure Command-and-Control (C2) infrastructure. Proxy server URLs are stored within these smart contracts, allowing for frequent rotation.
- **Communication Method:** Drops an HTML file post-encryption that acts as a wrapper for the decentralized messenger **Session**. This file instructs victims to download Session to communicate with DeadLock.
- **Extortion Method:** Threats to sell data on the underground market if the ransom is unpaid (lacks a DLS).
- **Initial Access (Reported by other sources/not fully confirmed by Group-IB):** Linked to using Bring Your Own Vulnerable Driver (BYOVD) techniques and exploiting vulnerabilities to gain access.
- **MITRE ATT&CK IDs:** Not explicitly provided in the source text.
## Targeting
- **Sectors:** Attacks targeted a "wide range of organizations."
- **Geography:** Not specified in the provided text.
- **Victims:** General reference to "a wide range of organizations"; no specific victims named.
## Tools & Infrastructure
- **Malware Families:** DeadLock ransomware.
- **Infrastructure:**
  - **C2 Obfuscation:** Polygon smart contracts used to hide proxy server URLs.
  - **Communication:** Decentralized messenger **Session**.
## Implications
DeadLock demonstrates an innovative approach by leveraging smart contracts to hide its C2 infrastructure: because the proxy URLs live in a contract, the group can rotate proxy servers frequently, which makes blocking difficult. Its deviation from standard double extortion (lacking a DLS) means reputational damage is not available as a pressure point; the threat shifts entirely to data monetization via the underground market.
## Mitigations
- Gaining deeper visibility into the group's initial access vectors (investigating BYOVD usage).
- Monitoring for communications routed through the **Session** messenger post-encryption.
- Monitoring for unusual interactions with **Polygon** smart contracts related to C2 infrastructure updates, where applicable to the victim environment.
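The two monitoring items above can be turned into concrete detection logic. The following Python script is an added example written for this summary; it is not Group-IB's tooling or anything the report itself provides. It flags JSON-RPC contract-state reads (the call type a client uses to fetch a value such as a proxy URL from a smart contract) sent to blockchain RPC endpoints by internal hosts that are not expected to touch a blockchain, and it scores HTML files for cues that they are a wrapper pointing victims at the Session messenger. The proxy log lines, hostnames, allowlist, and the HTML note are constructed for the example; the RPC host list, the Session download domain, and the Session ID format (66 hex characters beginning with `05`) are assumptions to be confirmed against your own environment and threat intelligence.

```python
"""Added detection example: blockchain-RPC contract reads from unexpected
clients, and HTML ransom-note wrappers that point victims at the Session
messenger. All sample data below is constructed for illustration."""
import json
import re

# Hosts that expose a blockchain JSON-RPC endpoint. ASSUMPTION: populate
# from your proxy categorisation or threat intel; these names are made up.
BLOCKCHAIN_RPC_HOSTS = {"rpc.polygon.example", "rpc-mainnet.example"}

# Internal clients that legitimately talk to blockchain RPCs (assumption).
ALLOWED_CLIENTS = {"fin-app-01"}

# JSON-RPC methods that read contract state. A C2 proxy URL stored in a
# contract would be retrieved with one of these rather than a transaction.
CONTRACT_READ_METHODS = {"eth_call", "eth_getStorageAt", "eth_getLogs"}

# Constructed proxy log: '<ts> <client> <http-method> <url> <body-or-dash>'
SAMPLE_PROXY_LOG = [
    '2025-07-14T09:12:01Z ws-042 POST https://rpc.polygon.example/ '
    '{"jsonrpc":"2.0","id":1,"method":"eth_call",'
    '"params":[{"to":"0xPLACEHOLDER","data":"0x"},"latest"]}',
    '2025-07-14T09:12:05Z fin-app-01 POST https://rpc.polygon.example/ '
    '{"jsonrpc":"2.0","id":7,"method":"eth_call","params":[]}',
    '2025-07-14T09:13:40Z ws-042 GET https://intranet.example/home -',
]


def parse_proxy_line(line):
    """Split one constructed log line into its fields; the body is the
    remainder of the line so it may contain spaces."""
    ts, client, http_method, url, body = line.split(" ", 4)
    host = re.match(r"https?://([^/]+)", url).group(1)
    return {"ts": ts, "client": client, "method": http_method,
            "host": host, "body": body}


def rpc_methods_in(body):
    """Return JSON-RPC method names in a request body (single or batched);
    non-JSON bodies yield an empty list."""
    try:
        payload = json.loads(body)
    except ValueError:
        return []
    if isinstance(payload, dict):
        payload = [payload]
    return [p.get("method") for p in payload if isinstance(p, dict)]


def detect_contract_reads(lines):
    """Return (client, host, rpc_method) for contract-state reads sent to a
    blockchain RPC host by a client outside the allowlist."""
    hits = []
    for line in lines:
        rec = parse_proxy_line(line)
        if rec["host"] not in BLOCKCHAIN_RPC_HOSTS:
            continue
        if rec["client"] in ALLOWED_CLIENTS:
            continue
        for method in rpc_methods_in(rec["body"]):
            if method in CONTRACT_READ_METHODS:
                hits.append((rec["client"], rec["host"], method))
    return hits


# Cues that an HTML file is a wrapper steering the reader to Session.
# ASSUMPTIONS: getsession.org as the client's download site, and Session IDs
# as 66 hex characters starting with "05".
SESSION_CUES = {
    "download_prompt": re.compile(r"download\s+session", re.I),
    "messenger_mention": re.compile(r"\bsession\s+messenger\b", re.I),
    "download_site": re.compile(r"getsession\.org", re.I),
    "session_id": re.compile(r"\b05[0-9a-f]{64}\b", re.I),
}

# Constructed ransom-note-style HTML (placeholder Session ID, not real).
SAMPLE_NOTE = ("<html><body><h1>Your files are encrypted</h1>"
               "<p>Download Session messenger and write to us.</p>"
               "<p>ID: 05" + "ab" * 32 + "</p></body></html>")


def session_note_cues(html):
    """Strip tags and return the sorted names of Session cues present.
    A plain 'your session expired' page matches none of them."""
    text = re.sub(r"<[^>]+>", " ", html)
    return sorted(name for name, pat in SESSION_CUES.items() if pat.search(text))


if __name__ == "__main__":
    for hit in detect_contract_reads(SAMPLE_PROXY_LOG):
        print("contract read from unexpected client:", hit)
    print("session cues in sample note:", session_note_cues(SAMPLE_NOTE))
```

Tune the host list and allowlist before deploying; a single cue in the HTML check is weak on its own, so treat a file as suspicious only when several cues coincide and it appears on a host alongside other encryption indicators.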