DeadLock
DeadLock is a Windows ransomware family first reported in July 2025.
Profile source: Mallory opens in a new tabDeadLock
Family profile
DeadLock is a Windows ransomware family first reported in July 2025. It is notable for using Polygon smart contracts to manage and rotate proxy/C2 infrastructure, an approach described as similar to EtherHiding. Reporting states that DeadLock stores proxy server addresses in Polygon smart contracts and can update them via functions such as setProxy, allowing resilient infrastructure rotation and complicating blocking and analysis. Victim communications are conducted through the Session decentralized messenger; DeadLock drops a custom HTML wrapper that interfaces with Session and, in newer reporting, JavaScript in that wrapper queries Polygon RPC endpoints, retrieves proxy information, and routes encrypted messages through proxy infrastructure. DeadLock has been described as low-profile and without a traditional public data leak site, though reporting indicates its extortion evolved from encryption-only notes in June 2025 to later threats of data theft, exposure, or sale of stolen data on underground markets by August 2025.
Technically, DeadLock has been described as a C++ ransomware targeting Windows systems and using a custom, sophisticated stream-cipher/custom cryptographic implementation with time-based cryptographic keys rather than standard Windows cryptographic APIs. Cisco Talos reported that it selectively targets enterprise file types and uses anti-forensics to avoid system corruption while encrypting files. Observed tradecraft includes use of legitimate administrative tooling alongside custom malware, including PowerShell scripts to stop non-whitelisted services, delete shadow copies, and remove or impair security, backup, and recovery mechanisms. AnyDesk has been explicitly noted as whitelisted and assessed as likely used for remote access; Talos also reported RDP enablement and lateral movement in at least one intrusion.
DeadLock has also been linked to BYOVD-based defense evasion. Multiple sources state it exploited the vulnerable Baidu Antivirus driver BdApiUtil.sys (CVE-2024-51324) to disable or terminate EDR/security processes at kernel level, including Baidu EDR, using a loader/EDR-killer component prior to ransomware deployment. Subsequent activity reportedly included privilege escalation, disabling Windows Defender real-time protection, deleting shadow copies, and executing PowerShell scripts to hinder recovery. In one reported intrusion, infected systems displayed wallpaper stating "Your infrastructure DeadLocked," and ransom notes included a unique Session ID for negotiation.
Associated reporting attributes DeadLock activity to a financially motivated threat actor rather than a state actor, although its blockchain-based infrastructure technique has been compared to methods previously observed in North Korean operations. High-confidence detections and indicators mentioned in reporting include ClamAV names Win.Tool.EDRKiller-10058432-0, Win.Tool.VulnBaiduDriver-10058431-1, Ps.Tool.DeleteShadowCopies-10058429-0, and Win.Ransomware.Deadlock-10058428-0, as well as Snort SIDs 65576, 65575, and 301358.
Ransomware.live
Operational record
Ransomware.live
Recent claims
Exploited software
Vulnerabilities linked to DeadLock
1 CVEsMITRE ATT&CK
DeadLock in ATT&CK
6 distinct techniquesReporting
Research mentioning DeadLock
Agentic Threats and Immutable Infrastructure: AI-Enabled Blockchain Command and Control in the Future Threat Landscape | by BeGoodToAll | Jun, 2026 | Medium
DeadLock Ransomware: Utilizes Polygon smart contracts for “EtherHiding Proxy Rotation” to rotate C2 proxy URLs and evade EDR blocking.
Hunting EtherHiding: Uncovering Unknown Blockchain Malware
While the use of Polygon is not new and is used by DeadLock ransomware according to Group-IB...
VulnCheck finds ransomware operators increasingly relying on zero-days, raising risk in OT environments - Industrial Cyber
...a Baidu Antivirus driver flaw in BdApiUtil that enabled a bring-your-own-vulnerable-driver attack to bypass endpoint detection and response, culminating in DeadLock ransomware deployment.
ThreatsDay Bulletin: New RCEs, Darknet Busts, Kernel Bugs & 25+ More Stories
"A ransomware strain called DeadLock... observed using Polygon smart contracts for proxy server address rotation or distribution."
DeadLock Ransomware: New Strain Hides C2 in Polygon Smart Contracts
Analysts at Group-IB have uncovered DeadLock, a ransomware strain discovered in July 2025 that distinguishes itself not by its volume of victims, but by its innovative abuse of Polygon smart contracts to manage its command-and-control (C2) infrastructure.
Risky Bulletin: DRAM price hikes set to impact firewalls too
DeadLock ransomware abuses smart contracts: Group-IB researchers have spotted the first-ever ransomware strain (named DeadLock) to abuse blockchain smart contracts for its operations.
2025년 4분기 알약 랜섬웨어 행위기반 차단 건수 총 59,162건!
DeadLock 랜섬웨어는 CVE-2024-51324 취약점이 존재하는 Baidu 백신 드라이버인 BdApiUtil.sys를 공격에 활용하여 Baidu EDR을 비활성화 하고 이후 권한상승, 보안 및 백업 시스템 및 섀도우 복사본을 삭제하는 파워쉘 스크립트를 실행하기도 했습니다.
DeadLock ransomware uses smart contracts to evade defenders • The Register
Researchers at Group-IB say the DeadLock ransomware operation is using blockchain-based anti-detection methods to evade defenders' attempts to analyze their tradecraft.