Skip to content
Ransomware group

DeadLock

DeadLock is a Windows ransomware family first reported in July 2025.

Profile source: Mallory opens in a new tab

DeadLock

Family profile

DeadLock is a Windows ransomware family first reported in July 2025. It is notable for using Polygon smart contracts to manage and rotate proxy/C2 infrastructure, an approach described as similar to EtherHiding. Reporting states that DeadLock stores proxy server addresses in Polygon smart contracts and can update them via functions such as setProxy, allowing resilient infrastructure rotation and complicating blocking and analysis. Victim communications are conducted through the Session decentralized messenger; DeadLock drops a custom HTML wrapper that interfaces with Session and, in newer reporting, JavaScript in that wrapper queries Polygon RPC endpoints, retrieves proxy information, and routes encrypted messages through proxy infrastructure. DeadLock has been described as low-profile and without a traditional public data leak site, though reporting indicates its extortion evolved from encryption-only notes in June 2025 to later threats of data theft, exposure, or sale of stolen data on underground markets by August 2025.

Technically, DeadLock has been described as a C++ ransomware targeting Windows systems and using a custom, sophisticated stream-cipher/custom cryptographic implementation with time-based cryptographic keys rather than standard Windows cryptographic APIs. Cisco Talos reported that it selectively targets enterprise file types and uses anti-forensics to avoid system corruption while encrypting files. Observed tradecraft includes use of legitimate administrative tooling alongside custom malware, including PowerShell scripts to stop non-whitelisted services, delete shadow copies, and remove or impair security, backup, and recovery mechanisms. AnyDesk has been explicitly noted as whitelisted and assessed as likely used for remote access; Talos also reported RDP enablement and lateral movement in at least one intrusion.

DeadLock has also been linked to BYOVD-based defense evasion. Multiple sources state it exploited the vulnerable Baidu Antivirus driver BdApiUtil.sys (CVE-2024-51324) to disable or terminate EDR/security processes at kernel level, including Baidu EDR, using a loader/EDR-killer component prior to ransomware deployment. Subsequent activity reportedly included privilege escalation, disabling Windows Defender real-time protection, deleting shadow copies, and executing PowerShell scripts to hinder recovery. In one reported intrusion, infected systems displayed wallpaper stating "Your infrastructure DeadLocked," and ransom notes included a unique Session ID for negotiation.

Associated reporting attributes DeadLock activity to a financially motivated threat actor rather than a state actor, although its blockchain-based infrastructure technique has been compared to methods previously observed in North Korean operations. High-confidence detections and indicators mentioned in reporting include ClamAV names Win.Tool.EDRKiller-10058432-0, Win.Tool.VulnBaiduDriver-10058431-1, Ps.Tool.DeleteShadowCopies-10058429-0, and Win.Ransomware.Deadlock-10058428-0, as well as Snort SIDs 65576, 65575, and 301358.

Ransomware.live

Operational record

View group record ↗

Ransomware.live

Recent claims

All published claims ↗

Exploited software

Vulnerabilities linked to DeadLock

1 CVEs

MITRE ATT&CK

DeadLock in ATT&CK

6 distinct techniques

Reporting

Research mentioning DeadLock

Jun 1
Medium Raghavtiresearch

Agentic Threats and Immutable Infrastructure: AI-Enabled Blockchain Command and Control in the Future Threat Landscape | by BeGoodToAll | Jun, 2026 | Medium

DeadLock Ransomware: Utilizes Polygon smart contracts for “EtherHiding Proxy Rotation” to rotate C2 proxy URLs and evade EDR blocking.

May 11
Vmray

Hunting EtherHiding: Uncovering Unknown Blockchain Malware

While the use of Polygon is not new and is used by DeadLock ransomware according to Group-IB...

Feb 26
Industrialcyber

VulnCheck finds ransomware operators increasingly relying on zero-days, raising risk in OT environments - Industrial Cyber

...a Baidu Antivirus driver flaw in BdApiUtil that enabled a bring-your-own-vulnerable-driver attack to bypass endpoint detection and response, culminating in DeadLock ransomware deployment.

Jan 29
The Hacker News

ThreatsDay Bulletin: New RCEs, Darknet Busts, Kernel Bugs & 25+ More Stories

"A ransomware strain called DeadLock... observed using Polygon smart contracts for proxy server address rotation or distribution."

Jan 16
Security Online Info

DeadLock Ransomware: New Strain Hides C2 in Polygon Smart Contracts

Analysts at Group-IB have uncovered DeadLock, a ransomware strain discovered in July 2025 that distinguishes itself not by its volume of victims, but by its innovative abuse of Polygon smart contracts to manage its command-and-control (C2) infrastructure.

Jan 15
Risky Biz Rss

Risky Bulletin: DRAM price hikes set to impact firewalls too

DeadLock ransomware abuses smart contracts: Group-IB researchers have spotted the first-ever ransomware strain (named DeadLock) to abuse blockchain smart contracts for its operations.

Jan 15
Alyac

2025년 4분기 알약 랜섬웨어 행위기반 차단 건수 총 59,162건!

DeadLock 랜섬웨어는 CVE-2024-51324 취약점이 존재하는 Baidu 백신 드라이버인 BdApiUtil.sys를 공격에 활용하여 Baidu EDR을 비활성화 하고 이후 권한상승, 보안 및 백업 시스템 및 섀도우 복사본을 삭제하는 파워쉘 스크립트를 실행하기도 했습니다.

Jan 14
Register Security

DeadLock ransomware uses smart contracts to evade defenders • The Register

Researchers at Group-IB say the DeadLock ransomware operation is using blockchain-based anti-detection methods to evade defenders' attempts to analyze their tradecraft.

We appreciate you

Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.