DeadLock Ransomware Uses Smart Contracts to Evade Defenders
#Security

Privacy Reporter
4 min read

A new ransomware group called DeadLock is using blockchain-based smart contracts to hide their command-and-control infrastructure, making it difficult for defenders to block their communications. This technique, which involves storing proxy server addresses on the Polygon blockchain, represents an evolution in ransomware tradecraft that security researchers are only beginning to understand.

A new ransomware operation called DeadLock has emerged with a novel approach to evading detection: using blockchain smart contracts to conceal its command-and-control infrastructure. First identified in July 2025, the group has already attacked multiple organizations while maintaining a low profile through technical innovation that security researchers find concerning.

How the Smart Contract Evasion Works

DeadLock's technique exploits the immutable and decentralized nature of blockchain technology. When the ransomware encrypts a victim's systems, it drops an HTML file that serves as a wrapper for the decentralized messaging application Session. This file replaces what would normally be instructions for victims to download Session to communicate with the attackers.

The critical innovation is that DeadLock stores its proxy server URL—the address victims must connect to before communicating with the criminals—within a Polygon smart contract. This approach provides several advantages for the attackers:

  • Rapid address rotation: The group can change the proxy address frequently by deploying new smart contracts or updating existing ones
  • Decentralized hosting: No single server or domain can be permanently blocked by defenders
  • Persistence: Once deployed, smart contracts cannot be taken down by law enforcement or hosting providers
  • Attribution difficulty: Blockchain transactions add layers of complexity to tracking the operators

Xabier Eizaguirre, threat intelligence analyst at Group-IB, explained the significance: "This exploit of smart contracts to deliver proxy addresses is an interesting method where attackers can literally apply infinite variants of this technique; imagination is the limit."

Not Your Typical Ransomware Operation

DeadLock breaks from several established ransomware patterns. Unlike most modern operations that employ double extortion—stealing data, encrypting systems, and threatening to publish stolen information if victims refuse to pay—DeadLock operates without a data leak site (DLS). This means victims who decline to pay cannot be publicly shamed, and the group loses leverage.

Instead, researchers say DeadLock threatens to sell stolen data on underground markets. Security experts remain skeptical about whether this threat is credible, suggesting it may be "hot air" designed to pressure victims. However, the absence of a public leak site makes the group's operations harder to track and publicize.

DeadLock's smart contract technique isn't entirely unprecedented. Group-IB's Eizaguirre noted that analysts have observed North Korean state-sponsored attackers using similar methods. In October, Google Threat Intelligence Group (GTIG) reported that North Korean attackers had been using techniques they dubbed "EtherHiding" since February 2025, hiding malware inside smart contracts.

GTIG threat hunters described this evolution as representing "a new kind of bulletproof hosting." Traditional bulletproof hosting services provide criminals with resilient infrastructure that law enforcement struggles to shut down. Blockchain-based infrastructure adds another layer of protection through decentralization.

What Security Teams Know (And Don't Know)

Despite the attention-grabbing smart contract technique, much about DeadLock remains unknown. Group-IB acknowledges that details about how the group typically gains initial access to victim networks have not yet been documented.

Earlier reports from Cisco Talos, however, provide some clues. The security firm linked DeadLock to:

  • Bring Your Own Vulnerable Driver (BYOVD) techniques: Attackers exploit legitimate but vulnerable drivers to bypass security controls
  • Exploitation of vulnerabilities to kill EDR processes: Targeting endpoint detection and response tools to operate undetected

These techniques suggest DeadLock operators possess sophisticated technical knowledge, even if their infrastructure approach is novel.

Implications for Defense

DeadLock's emergence highlights how ransomware groups continue evolving their tactics. Traditional defensive measures like domain blocking and IP blacklisting become less effective when attackers can rapidly rotate infrastructure through blockchain transactions.

Security teams must adapt by:

  • Monitoring blockchain transactions for suspicious smart contract deployments
  • Implementing behavioral detection rather than signature-based blocking
  • Focusing on initial access prevention since post-encryption communication channels are harder to disrupt
  • Developing blockchain intelligence capabilities to track attacker infrastructure
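One concrete form of the "behavioral detection" bullet above, written as an added example for this article (it is not code from the article, from Group-IB or from Cisco Talos): rather than blocking a contract address or domain, look for the behaviour itself, an endpoint that is not expected to talk to a blockchain issuing a contract read (`eth_call`) to a public RPC gateway. The log format, the gateway hostnames, the allowlisted host and the contract address are all constructed placeholders for this example; a real deployment would feed it from the egress proxy and maintain its own gateway and allowlist data.

```python
"""
Behavioral detection for contract-based C2 resolution (added example).

Assumed input: an egress proxy logs each outbound HTTPS POST as one
tab-separated line: timestamp, source host, destination host, request body.
Field layout, hostnames, the allowlist and the contract address below are
constructed for this example and are not indicators from the article.
"""
import json
import re

# Hosts that legitimately run blockchain tooling (assumption: a finance
# team's node monitor). Any other host issuing contract reads is flagged.
ALLOWLISTED_HOSTS = {"fin-node-01"}

# Public JSON-RPC gateways (placeholder names, not a real block list).
RPC_GATEWAYS = {"rpc.polygon-example.invalid", "rpc.matic-example.invalid"}

# A 20-byte EVM address rendered as hex.
ADDRESS_RE = re.compile(r"^0x[0-9a-fA-F]{40}$")


def parse_line(line):
    """Split one proxy log line into fields; return None if malformed."""
    parts = line.rstrip("\n").split("\t", 3)
    if len(parts) != 4:
        return None
    ts, src, dst, body = parts
    try:
        payload = json.loads(body)
    except json.JSONDecodeError:
        return None
    # JSON-RPC allows batches, so normalise to a list of requests.
    requests = payload if isinstance(payload, list) else [payload]
    return {"ts": ts, "src": src, "dst": dst, "requests": requests}


def is_contract_read(rpc):
    """True for an eth_call request whose 'to' field is a contract address."""
    if not isinstance(rpc, dict) or rpc.get("method") != "eth_call":
        return False
    params = rpc.get("params") or []
    if not params or not isinstance(params[0], dict):
        return False
    return bool(ADDRESS_RE.match(str(params[0].get("to", ""))))


def detect(lines):
    """Return one finding per unexpected contract read seen in the log."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["dst"] not in RPC_GATEWAYS:
            continue
        if rec["src"] in ALLOWLISTED_HOSTS:
            continue
        for rpc in rec["requests"]:
            if is_contract_read(rpc):
                findings.append({
                    "ts": rec["ts"],
                    "host": rec["src"],
                    "gateway": rec["dst"],
                    "contract": rpc["params"][0]["to"].lower(),
                })
    return findings


def _line(ts, src, dst, rpc):
    """Build a constructed log line in the assumed tab-separated format."""
    return "\t".join([ts, src, dst, json.dumps(rpc)])


# Constructed sample log: one suspicious read, one allowlisted read,
# one read to a non-gateway host, one non-contract RPC, one garbage line.
SAMPLE_CONTRACT = "0xABCDEFabcdefABCDEFabcdefABCDEFabcdefABCD"
SAMPLE_LOG = [
    _line("2025-11-03T09:14:02Z", "ws-042", "rpc.polygon-example.invalid",
          {"jsonrpc": "2.0", "id": 1, "method": "eth_call",
           "params": [{"to": SAMPLE_CONTRACT, "data": "0x20965255"}, "latest"]}),
    _line("2025-11-03T09:14:05Z", "fin-node-01", "rpc.polygon-example.invalid",
          {"jsonrpc": "2.0", "id": 2, "method": "eth_call",
           "params": [{"to": SAMPLE_CONTRACT, "data": "0x20965255"}, "latest"]}),
    _line("2025-11-03T09:14:07Z", "ws-042", "cdn.example.invalid",
          {"jsonrpc": "2.0", "id": 3, "method": "eth_call",
           "params": [{"to": SAMPLE_CONTRACT}, "latest"]}),
    _line("2025-11-03T09:14:09Z", "ws-077", "rpc.matic-example.invalid",
          {"jsonrpc": "2.0", "id": 4, "method": "eth_blockNumber", "params": []}),
    "this line is not a valid record",
]

if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f"{f['ts']} {f['host']} -> {f['gateway']} read contract {f['contract']}")
```

The point of the allowlist is that `eth_call` is an ordinary wallet and node operation; the signal is not the RPC method but the combination of an unexpected workstation, a public gateway and a contract read, which survives the attackers rotating contracts or addresses.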

The technique also raises questions about whether other ransomware groups will adopt similar methods. If smart contract-based infrastructure proves successful, it could become a broader trend, further complicating ransomware defense and attribution efforts.

While DeadLock's technique is technically innovative, it doesn't change the fundamental legal landscape. Ransomware attacks remain illegal under multiple jurisdictions, and blockchain transactions, while pseudonymous, are not truly anonymous. Law enforcement and blockchain analysis firms have increasingly sophisticated tools for tracking cryptocurrency flows and identifying criminal operators.

However, the decentralized nature of smart contracts does complicate traditional takedown operations. Unlike centralized servers that can be seized, smart contracts deployed on public blockchains persist indefinitely unless the attackers themselves choose to remove them.

The emergence of this technique may also accelerate regulatory scrutiny of blockchain infrastructure. Governments and financial regulators are already grappling with cryptocurrency regulation, and ransomware groups exploiting these systems could lead to additional compliance requirements or technical restrictions on smart contract deployment.

For now, DeadLock represents a case study in how criminal organizations continue to innovate, finding new ways to exploit emerging technologies for malicious purposes. Security researchers are racing to understand the full scope of the group's capabilities before it can establish a more significant foothold in the ransomware ecosystem.
