The Emergence of the DeadLock Ransomware

January 19, 2026

First identified in July 2025, DeadLock is a newly discovered ransomware variant that has remained largely under the radar due to its lack of public affiliate programs and the absence of a known data leak site. Despite its low exposure so far, DeadLock represents a serious threat because it combines traditional file encryption with innovative infrastructure techniques. Once a system is compromised, DeadLock encrypts victim data and appends the ransomware file extension “.dlock” to affected files, rendering them inaccessible without the attackers’ decryption key.

Information on “DeadLock Ransomware”

Ransomware Name: DeadLock Ransomware
First Detected/Reported: July 2025
Affects OS: Windows
File Extension: .dlock
Ransom Note: READ ME.{ID}.txt / RECOVERY_CHAT.{ID}.HTML
Contact Method: Session Messenger (decentralized)

Use of Polygon Smart Contracts

What makes DeadLock particularly noteworthy is its abuse of the Polygon blockchain. Instead of relying on static command-and-control servers, DeadLock interacts with Polygon smart contracts to dynamically store and rotate proxy server addresses. These smart contracts are queried directly by JavaScript code embedded in the ransomware’s dropped HTML files, allowing the operators to update infrastructure without maintaining a centralized server that defenders could easily take down.

Because blockchain data is distributed and persistent, this technique significantly complicates takedown efforts and represents an emerging trend in ransomware operations. Similar approaches, such as Ethereum-based “EtherHiding,” have previously been attributed to state-linked threat actors, highlighting how decentralized technologies are increasingly weaponized for malicious purposes.

Additional Information

  • DeadLock encrypts a broad range of file types, including documents, databases, images, videos, and other business-critical data.
  • Encrypted files receive the “.dlock” extension, and file icons and desktop wallpaper are modified to alert victims to the attack.
  • Although DeadLock does not operate a public data leak site, later variants explicitly threaten to sell stolen data if ransom demands are not met, indicating a shift toward double extortion.
  • The ransomware leverages a PowerShell script to stop non-whitelisted services, delete Volume Shadow Copies, and hinder recovery efforts.
  • AnyDesk has been observed as a key remote access tool in DeadLock-related incidents, suggesting hands-on activity by the threat actors.
  • DeadLock uses the decentralized Session messenger for victim communication, embedded directly into an HTML ransom note to simplify contact.
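
The file-system indicators named on this page (the “.dlock” extension and the two ransom note names) can be checked against a file listing during triage. The Python below is an added example, not code from the original article: the function names, verdict labels and sample paths are constructed, and the {ID} token is assumed to be any dot-free string because the page does not specify its format.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Note names and extension come from the table above. The format of {ID} is
# not given on the page, so any dot-free token is accepted (assumption).
NOTE_PATTERNS = {
    "text_note": re.compile(r"^READ ME\.(?P<id>[^.\\/]+)\.txt$", re.I),
    "html_note": re.compile(r"^RECOVERY_CHAT\.(?P<id>[^.\\/]+)\.html$", re.I),
}
ENCRYPTED_SUFFIX = ".dlock"

def triage(paths):
    """Summarise DeadLock file-system indicators in a list of Windows paths."""
    encrypted_by_dir = defaultdict(int)   # directory -> number of .dlock files
    notes_by_id = defaultdict(set)        # {ID} from note name -> note kinds seen
    for raw in paths:
        p = PureWindowsPath(raw)
        if p.suffix.lower() == ENCRYPTED_SUFFIX:
            encrypted_by_dir[str(p.parent)] += 1
            continue
        for kind, pattern in NOTE_PATTERNS.items():
            m = pattern.match(p.name)
            if m:
                notes_by_id[m.group("id")].add(kind)
    return {"encrypted_by_dir": dict(encrypted_by_dir),
            "notes_by_id": dict(notes_by_id)}

def verdict(report):
    """Encrypted files plus a note is a strong signal; either alone needs review."""
    enc = sum(report["encrypted_by_dir"].values())
    notes = len(report["notes_by_id"])
    if enc and notes:
        return "likely-deadlock"
    return "review" if (enc or notes) else "clean"

# Constructed sample listing, not taken from a real incident.
SAMPLE = [
    r"C:\Users\alice\Documents\budget.xlsx.dlock",
    r"C:\Users\alice\Documents\plan.docx.dlock",
    r"C:\Users\alice\Documents\READ ME.A1B2C3.txt",
    r"C:\Users\alice\Desktop\RECOVERY_CHAT.A1B2C3.HTML",
    r"C:\Users\alice\Desktop\readme.txt",
]

if __name__ == "__main__":
    report = triage(SAMPLE)
    print(verdict(report), report)
```

Grouping notes by the ID in their file names shows whether the text and HTML notes on a host belong to the same incident, and the per-directory counts show where encryption reached.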

Conclusion

DeadLock Ransomware may currently appear low profile, but its use of Polygon smart contracts for proxy rotation demonstrates a sophisticated and forward-looking threat model. By removing traditional infrastructure dependencies, DeadLock increases its resilience against disruption and signals a broader shift in ransomware tradecraft. Organizations should not underestimate this threat and must prioritize proactive defense, detection, and recovery planning.

As experts in ransomware response and recovery, we offer comprehensive Ransomware Recovery Services, professional Ransomware Negotiation Services, and a proactive Incident Response Retainer to help organizations respond quickly and minimize impact. Contact us to protect your data and regain control after a ransomware incident.

Last updated on: January 19, 2026