# Full Report
New crooks on the block get crafty with blockchain to evade defenses. Researchers at Group-IB say the DeadLock ransomware operation is using blockchain-based anti-detection methods to evade defenders' attempts to analyze their tradecraft.…
# Analysis Summary
# Threat Actor: DeadLock Ransomware Operation
## Attribution & Identity
Researchers at Group-IB are tracking the DeadLock ransomware operation. No specific attribution beyond being a "new crook" operation is provided in this specific context.
## Activity Summary
- First spotted in July 2025.
- The group operates using an encryption-only model, abandoning the typical double extortion approach (no public Data Leak Site/DLS).
- If victims refuse to pay, DeadLock threatens to sell the stolen data on the underground market.
- They have attacked a wide range of organizations while successfully staying under the radar for a period.
## Tactics, Techniques & Procedures
- **Anti-Detection/Evasion (Novel):** Use of Polygon smart contracts to obscure Command-and-Control (C2) infrastructure.
- **Communication:** After encryption, drops an HTML file that serves as a wrapper for the decentralized messenger Session, instructing the victim to download Session in order to communicate.
- **C2 Obfuscation:** Stores the proxy server URL within blockchain smart contracts, so the operators can rotate infrastructure addresses frequently without redeploying the malware, which hinders blocking efforts.
- **Access (Tentative/Reported):** Earlier, unconfirmed reports linked the group to Bring Your Own Vulnerable Driver (BYOVD) techniques or vulnerability exploitation for initial access (details incomplete in this summary).
## Targeting
- **Sectors:** A wide range of organizations.
- **Geography:** Not specified.
- **Victims:** Not specified by name ("wide range of organizations").
## Tools & Infrastructure
- **Malware Families Used:** DeadLock Ransomware.
- **Communication Tools:** Session (decentralized messenger).
- **Infrastructure:** Proxy server URLs hidden within Polygon smart contracts.
## Implications
DeadLock represents an evolution in ransomware tradecraft by leveraging blockchain technology (specifically Polygon smart contracts) for C2 infrastructure management. Because the contract state is public and the operators can update the stored URL at will, blocking or taking down the proxy address does not disrupt the operation; defenders must also consider the on-chain lookup itself. The reliance on an encryption-only model backed by the threat of underground-market sale is a deviation from mainstream ransomware groups.
## Mitigations
- Monitor for and adapt defenses against C2 infrastructure that uses smart contracts for indirection and rapid address rotation, including unexpected JSON-RPC traffic to public chain nodes from hosts that have no business reason for it.
- Maintain vigilance against the use of decentralized messengers like Session for post-infection communication.
- Investigate known access vectors such as BYOVD techniques if they are confirmed in related intelligence reports.
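The C2-obfuscation technique described above and the first mitigation both hinge on one observable: to read a URL out of a smart contract, an infected host must query an EVM node over JSON-RPC (typically an `eth_call`) and receive an ABI-encoded string back. The following detection sketch is an added example, not code from Group-IB or the original article, and it assumes the reader has proxy or EDR records that capture process name, destination host, request body and response body. The host `rpc.polygon.example`, the process names and the log records are constructed placeholders, and the assumption that the lookup uses `eth_call` is mine (the page does not say how the contract is read). The ABI string layout (32-byte offset, 32-byte length, padded bytes) is the standard Solidity encoding for a dynamic string return value.

```python
import json
import re
from dataclasses import dataclass, field
from typing import Optional

# Placeholder allowlist of chain RPC hosts the organisation knows about
# (constructed; substitute the real endpoints observed in your environment).
KNOWN_CHAIN_RPC_HOSTS = {"rpc.polygon.example"}

# Processes for which eth_call traffic is plausible (wallet/browser use).
BROWSER_LIKE = {"chrome.exe", "msedge.exe", "firefox.exe"}

URL_RE = re.compile(r"^(https?|wss?)://\S+$")


def encode_abi_string(s: str) -> str:
    """ABI-encode a single dynamic string as a contract would return it."""
    data = s.encode("utf-8")
    padded = data + b"\x00" * ((32 - len(data) % 32) % 32)
    head = (32).to_bytes(32, "big") + len(data).to_bytes(32, "big")
    return "0x" + (head + padded).hex()


def decode_abi_string(hex_data: str) -> Optional[str]:
    """Decode an ABI-encoded dynamic string; None if the bytes are not one."""
    raw = bytes.fromhex(hex_data[2:] if hex_data.startswith("0x") else hex_data)
    if len(raw) < 64:
        return None
    offset = int.from_bytes(raw[0:32], "big")
    if offset + 32 > len(raw):
        return None
    length = int.from_bytes(raw[offset:offset + 32], "big")
    start = offset + 32
    if start + length > len(raw):
        return None
    try:
        return raw[start:start + length].decode("utf-8")
    except UnicodeDecodeError:
        return None


@dataclass
class Finding:
    process: str
    host: str
    decoded: Optional[str]
    reasons: list = field(default_factory=list)


def analyze_record(rec: dict) -> Optional[Finding]:
    """Flag eth_call traffic that looks like a C2 address lookup."""
    try:
        req = json.loads(rec["request_body"])
    except (ValueError, TypeError, KeyError):
        return None
    if not isinstance(req, dict) or req.get("method") != "eth_call":
        return None

    decoded = None
    try:
        result = json.loads(rec.get("response_body", "")).get("result")
        if isinstance(result, str):
            decoded = decode_abi_string(result)
    except (ValueError, AttributeError):
        pass

    reasons = []
    if rec["process"].lower() not in BROWSER_LIKE:
        reasons.append("eth_call issued by a non-browser process")
    if decoded is not None and URL_RE.match(decoded):
        reasons.append("eth_call result decodes to a URL-shaped string")
    if rec["host"] not in KNOWN_CHAIN_RPC_HOSTS:
        reasons.append("JSON-RPC traffic to an unrecognised chain node")
    if not reasons:
        return None
    return Finding(rec["process"], rec["host"], decoded, reasons)


def analyze_records(records) -> list:
    return [f for f in map(analyze_record, records) if f is not None]


# Constructed sample records: one benign wallet read, one suspicious lookup,
# one unrelated request and one non-eth_call RPC method.
SAMPLE_RECORDS = [
    {"process": "chrome.exe", "host": "rpc.polygon.example",
     "request_body": json.dumps({"jsonrpc": "2.0", "method": "eth_call", "params": [], "id": 1}),
     "response_body": json.dumps({"jsonrpc": "2.0", "id": 1, "result": "0x" + "00" * 31 + "2a"})},
    {"process": "updater.exe", "host": "rpc.polygon.example",
     "request_body": json.dumps({"jsonrpc": "2.0", "method": "eth_call", "params": [], "id": 2}),
     "response_body": json.dumps({"jsonrpc": "2.0", "id": 2,
                                  "result": encode_abi_string("https://relay.example/path")})},
    {"process": "updater.exe", "host": "cdn.example",
     "request_body": "GET /manifest.json", "response_body": "{}"},
    {"process": "svchost.exe", "host": "rpc.polygon.example",
     "request_body": json.dumps({"jsonrpc": "2.0", "method": "eth_blockNumber", "params": [], "id": 3}),
     "response_body": json.dumps({"jsonrpc": "2.0", "id": 3, "result": "0x10"})},
]

if __name__ == "__main__":
    for finding in analyze_records(SAMPLE_RECORDS):
        print(finding)
```

Only the second record produces a finding: it is an `eth_call` from a process that has no reason to talk to a chain node, and the returned bytes decode to a URL. The wallet-style read from a browser that returns a plain integer and the `eth_blockNumber` probe are left alone. In production the allowlist of RPC hosts and the browser-like process set are the tuning knobs; the URL-decode check is the one that survives address rotation, because it keys on the shape of the returned value rather than on any particular proxy address.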