DeadLock Ransomware: Smart Contracts for Malicious Purposes


DeadLock is a ransomware family discovered in July 2025. It is notable for not being associated with any known affiliate programs and for lacking a Data Leak Site (DLS). This, combined with the limited number of reported victims, has resulted in low exposure for the group. However, Group-IB specialists have discovered an interesting use of Polygon smart contracts for proxy server address rotation or distribution.

This finding warrants public attention, especially since the abuse of this specific blockchain for malicious purposes has not been widely reported. In addition, the recent discovery of similar techniques show that the abuse of smart contracts for malicious purposes could become an emerging trend.

Read more…
Source: Group IB


Sign up for the Cyber Security Review Newsletter
The latest cyber security news and insights delivered right to your inbox


Related:

  • CISA Releases Nineteen Industrial Control Systems Advisories

    October 12, 2023

    CISA released nineteen Industrial Control Systems (ICS) advisories on October 12, 2023. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS. ICSA-23-285-01 Siemens SIMATIC CP products ICSA-23-285-02 Siemens SCALANCE W1750D ICSA-23-285-03 Siemens SICAM A8000 Devices Read more… Source: U.S. Cybersecurity and Infrastructure Security Agency  

  • ToddyCat: Keep calm and check logs

    October 12, 2023

    ToddyCat is an advanced APT actor that Kaspersky researchers described in a previous publication last year. The group started its activities in December 2020 and has been responsible for multiple sets of attacks against high-profile entities in Europe and Asia. Kaspersky first publication was focused on their main tools, Ninja Trojan and Samurai Backdoor, and ...

  • India’s Bank of Baroda expose worsens: Agents steal money from accounts

    October 12, 2023

    India’s Bank of Baroda made it simple and easy for its agents to steal money from the accounts of its customers. And some of them did steal 2.2 million rupees ($27,000) from 362 customers, internal audit reports and records of the bank have revealed. The audits come after an expose by The Reporters’ Collective (TRC) and ...

  • Automatic disruption of human-operated attacks through containment of compromised user accounts

    October 11, 2023

    Based on incidents analyzed by Microsoft, it can take only a single hop from the attacker’s initial access vector to compromise domain admin-level accounts. For instance, an attacker can target an over-privileged service account configured in an outdated and vulnerable internet-facing server. Highly privileged user accounts are arguably the most important assets for attackers. Compromised domain ...

  • Stayin’ Alive – targeted attacks against telecoms and government ministries in Asia

    October 11, 2023

    In the last few months, Check Point Research has been tracking “Stayin’ Alive”, an ongoing campaign that has been active since at least 2021. The campaign operates in Asia, primarily targeting the Telecom industry, as well as government organizations. The “Stayin’ Alive” campaign consists of mostly downloaders and loaders, some of which are used as ...

  • 10 zero-day vulnerabilities in industrial cell router could lead to code execution, buffer overflows

    October 11, 2023

    Cisco Talos recently disclosed 11 vulnerabilities, 10 of which are zero-days without a patch in an industrial cellular router. Attackers could exploit these vulnerabilities in the Yifan YF325 to carry out a variety of attacks, in some cases gaining the ability to execute arbitrary shell commands on the targeted device. The one other security issue Talos ...