DeadLock Ransomware: Smart Contracts for Malicious Purposes


DeadLock is a ransomware family discovered in July 2025. It is notable for not being associated with any known affiliate programs and for lacking a Data Leak Site (DLS). This, combined with the limited number of reported victims, has resulted in low exposure for the group. However, Group-IB specialists have discovered an interesting use of Polygon smart contracts for proxy server address rotation or distribution.

This finding warrants public attention, especially since the abuse of this specific blockchain for malicious purposes has not been widely reported. In addition, the recent discovery of similar techniques show that the abuse of smart contracts for malicious purposes could become an emerging trend.

Read more…
Source: Group IB


Sign up for the Cyber Security Review Newsletter
The latest cyber security news and insights delivered right to your inbox


Related:

  • BERT Ransomware Group Targets Asia and Europe on Multiple Platforms

    July 7, 2025

    In April, a new ransomware group known as BERT, has been observed targeting organizations across Asia and Europe. TrendResearch telemetry has confirmed the emergence and activity of this ransomware. This blog entry examines BERT’s tools and tactics across multiple variants. By comparing its different iterations, we unpack how the ransomware group operates, how their methods have ...

  • NordDragonScan: Quiet Data-Harvester on Windows

    July 7, 2025

    FortiGuard Labs recently uncovered an active delivery site that hosts a weaponized HTA script and silently drops the infostealer “NordDragonScan” into victims’ environments. Once installed, NordDragonScan examines the host and copies documents, harvests entire Chrome and Firefox profiles, and takes screenshots. The package is then sent over TLS to its command-and-control server, “kpuszkiev.com,” which also serves ...

  • Several major Linux distros hit by serious Sudo security flaws

    July 7, 2025

    Two vulnerabilities were recently spotted in various Linux distributions which, when chained together, allow local attackers to escalate their privileges and thus run arbitrary files. The vulnerabilities are tracked as CVE-2025-32462 (severity score 2.8/10 – low severity), and CVE-2025-32463 (severity score 9.3/10 critical), and were found in the Sudo command-line utility for Linux and other Unix-like ...

  • Ingram Micro says ongoing outage caused by ransomware attack

    July 7, 2025

    Ingram Micro, a U.S. technology distributing giant and managed services provider, said on Monday a ransomware attack is the cause of an ongoing outage at the company. The hack began on Thursday, after which the company’s website and much of its network went down. Late on Saturday, the company said in a brief statement that it ...

  • Australia’s Qantas says cyber criminal contacts one week after data breach

    July 7, 2025

    A cyber criminal has made contact with Australia’s Qantas following a data breach last week that exposed personal information of six million customers, a company spokesperson told Reuters on Tuesday. The hacker had targeted a call centre and gained access to a third-party customer service platform containing the customers’ names, email addresses, phone numbers, birth dates ...

  • Louis Vuitton Korea says systems breach led to customer data leak

    July 4, 2025

    A systems breach at Louis Vuitton Korea in June led to the leak of some of customer data including contact information, but did not involve customers’ financial information, the luxury brand’s South Korea unit said on Friday. “We regret to inform that an unauthorized third party temporarily accessed our system resulting in the leak of some ...