The DeadLock ransomware operation is employing blockchain-based anti-detection methods to evade security analysis, as reported by The Register.

First observed in July 2025, DeadLock targets a variety of organizations, deviating from typical double extortion tactics. Instead of using a data leak site, the group threatens to sell stolen data on the dark web. Most notably, DeadLock utilizes Polygon smart contracts to obfuscate its command-and-control infrastructure. After encrypting a victim's system, it drops an HTML file that acts as a wrapper for the decentralized messenger Session. The victim is instructed to download Session to communicate with the attackers. By storing proxy server URLs within blockchain smart contracts, DeadLock can frequently rotate these addresses, making it difficult for defenders to block their infrastructure.

This innovative use of smart contracts for C2 infrastructure concealment represents a significant evolution in ransomware tactics. While DeadLock's initial access methods remain largely unknown, the trend of attackers leveraging blockchain technology for evasion, also observed in North Korean state-sponsored attacks, highlights a growing challenge for cybersecurity professionals.

Source: The Register
Ransomware, Threat Intelligence
DeadLock ransomware uses blockchain for evasion




