DeadLock Ransomware: Smart Contracts for Malicious Purposes


DeadLock is a ransomware family discovered in July 2025. It is notable for not being associated with any known affiliate programs and for lacking a Data Leak Site (DLS). This, combined with the limited number of reported victims, has resulted in low exposure for the group. However, Group-IB specialists have discovered an interesting use of Polygon smart contracts for proxy server address rotation or distribution.

This finding warrants public attention, especially since the abuse of this specific blockchain for malicious purposes has not been widely reported. In addition, the recent discovery of similar techniques show that the abuse of smart contracts for malicious purposes could become an emerging trend.

Read more…
Source: Group IB


Sign up for the Cyber Security Review Newsletter
The latest cyber security news and insights delivered right to your inbox


Related:

  • INTERPOL campaign warns against cyber and financial crimes

    December 3, 2024

    INTERPOL has launched a campaign to raise awareness on the growing threat of cyber and financial crimes against vulnerable individuals and organizations. The Think Twice campaign, which includes a series of short videos, focuses on five rising online threats: ransomware attacks, malware attacks, phishing, generative AI scams, and romance baiting. These sophisticated scams have seen a ...

  • Major SABS cyberattack raises questions about entity’s leadership

    December 3, 2024

    The South African Bureau of Standards (SABS) has suffered a major ransomware cyberattack, resulting in critical IT systems going down, Engineering News has learned. This is not the first time the SABS IT infrastructure has been hacked, with previous incidents reported in 2023 and again in April this year. The SABS confirmed the attack, telling Engineering ...

  • Threat Assessment: Howling Scorpius (Akira Ransomware)

    December 2, 2024

    Emerging in early 2023, the Howling Scorpius ransomware group is the entity behind the Akira ransomware-as-a-service (RaaS), which has consistently ranked in recent months among the top five most active ransomware groups. Its double extortion strategy significantly amplifies the threat it poses. Unit 42 researchers have been monitoring the Howling Scorpius ransomware group over the past ...

  • Zyxel Releases Advisory for Exploited Vulnerability CVE-2024-11667

    December 2, 2024

    Zyxel has released a security advisory addressing recent targeting of its firewall products. Attackers have been observed exploiting vulnerabilities patched in September (see Cyber Alert CC-4541) and a previously undisclosed high severity vulnerability. CVE-2024-11667 is a path traversal vulnerability and has a CVSSv3 score of 7.5. If exploited, an attacker could download or upload files via ...

  • Horns&Hooves campaign delivers NetSupport RAT and BurnsRAT

    December 2, 2024

    Recent months have seen a surge in mailings with lookalike email attachments in the form of a ZIP archive containing JScript scripts. The script files – disguised as requests and bids from potential customers or partners – bear names such as “Запрос цены и предложения от Индивидуального предпринимателя <ФИО> на август 2024. According to Kaspersky telemetry, ...

  • Retail outages drag into second week after Blue Yonder ransomware attack

    December 2, 2024

    A ransomware attack on supply chain software giant Blue Yonder continues to cause disruption to the company’s customers, almost two weeks after the outage first began. In a brief update to its cybersecurity incident page on Sunday, Arizona-based Blue Yonder said it is making “good progress” in its recovery from the attack, which hit its manage ...