DeadLock
DeadLock is a ransomware/extortion group first observed in July 2025. Reporting describes it as a relatively low-profile but evolving operation targeting a wide range of organizations. DeadLock is notable for using Polygon smart contracts to manage and rotate proxy/C2 infrastructure, including storing proxy addresses via a setProxy function; this blockchain-based technique has been compared to EtherHiding. The group uses Session for victim communications and drops a custom HTML wrapper for Session in newer variants. DeadLock does not appear to operate a traditional public data leak site; reporting states that it has threatened to sell or dump stolen data on underground markets, and ransom notes evolved from encryption-only messaging in June 2025 to data-theft/exposure threats by August 2025.

Technically, DeadLock has been linked to bring-your-own-vulnerable-driver (BYOVD) tradecraft and proprietary EDR-killer tooling. ESET categorized DeadLock as a closed ransomware group that develops its own EDR killers rather than relying on affiliates, and observed the group using DLKiller, Susanoo, and anti-rootkit tools such as GMER and PC Hunter. DLKiller is described as a BYOVD loader used with DeadLock ransomware that abuses the vulnerable Baidu Antivirus driver BdApiUtil.sys via CVE-2024-51324 for kernel-level process termination; ESRC also reported DeadLock used BdApiUtil.sys to disable Baidu EDR, then executed PowerShell scripts to escalate privileges and delete security systems, backup systems, and shadow copies. ESET assessed with low confidence that DLKiller and the DeadLock encryptor may have been developed by the same author due to code similarities.

Additional observed tradecraft includes use of custom malware and legitimate administrative tools, including a PowerShell script that stops non-whitelisted services to prevent security and backup software from interfering with encryption.
AnyDesk is explicitly whitelisted in DeadLock tooling, and Group-IB assessed it is likely the group’s main remote monitoring and management tool. Separate reporting observed DeadLock deploying a fresh AnyDesk installation shortly before encryption, configuring it for silent startup and unattended access. In a Cisco Talos-investigated intrusion, the actor exploited CVE-2024-51324 to terminate EDR processes, installed AnyDesk for persistence, enabled RDP for lateral movement, disabled Windows Defender real-time protection, deleted shadow copies via PowerShell, and then deployed the ransomware. Talos also reported that DeadLock’s Windows ransomware is written in C++ and uses custom cryptographic implementations rather than standard Windows cryptographic APIs. Known alias in the provided content: deadlock.
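The intrusion chain above (vulnerable driver load, PowerShell service-stop script, silent AnyDesk install, shadow copy deletion) is easier to catch by correlating the stages per host than by alerting on any one of them. The following is an added detection prototype, not code from the page or from any vendor cited here; the sample telemetry, host names, paths and the window/threshold values are constructed assumptions, and the regexes encode only the behaviours described in the profile.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (hypothetical hosts, times and paths), one tuple
# per event: (timestamp, host, event_type, detail). Not real logs.
SAMPLE_EVENTS = [
    ("2025-08-12T09:01:10", "WS-042", "driver_load", r"C:\Temp\BdApiUtil.sys"),
    ("2025-08-12T09:03:40", "WS-042", "process", "powershell.exe -ExecutionPolicy Bypass -File stop_services.ps1"),
    ("2025-08-12T09:04:05", "WS-042", "process", r"AnyDesk.exe --install C:\ProgramData\AnyDesk --start-with-win --silent"),
    ("2025-08-12T09:05:30", "WS-042", "process", "powershell.exe Get-WmiObject Win32_ShadowCopy | Remove-WmiObject"),
    ("2025-08-12T11:00:00", "WS-007", "process", r"C:\Program Files\AnyDesk\AnyDesk.exe"),  # interactive use
    ("2025-08-12T14:20:00", "WS-007", "process", "powershell.exe Get-WmiObject Win32_ShadowCopy"),  # listing only
]

# Each stage is (name, event_type, regex); stage names are the correlation key.
STAGES = [
    ("byovd_driver", "driver_load", re.compile(r"BdApiUtil\.sys$", re.I)),
    ("ps_script_exec", "process", re.compile(r"powershell(\.exe)?\s.*-File\s", re.I)),
    ("anydesk_unattended", "process", re.compile(r"anydesk\.exe\s.*--(silent|start-with-win)", re.I)),
    ("shadow_copy_delete", "process", re.compile(r"Win32_ShadowCopy.*Remove-WmiObject|vssadmin.*delete\s+shadows", re.I)),
]

def match_stages(events):
    """Tag every event with the stage(s) it satisfies; returns (ts, host, stage) hits."""
    hits = []
    for ts, host, etype, detail in events:
        for name, wanted_type, pattern in STAGES:
            if etype == wanted_type and pattern.search(detail):
                hits.append((datetime.fromisoformat(ts), host, name))
    return hits

def correlate(events, window_minutes=30, min_stages=3):
    """Alert per host when >= min_stages distinct stages occur inside one window.
    A lone stage (e.g. a normal AnyDesk launch) never fires on its own."""
    by_host = defaultdict(list)
    for ts, host, stage in match_stages(events):
        by_host[host].append((ts, stage))
    alerts, window = [], timedelta(minutes=window_minutes)
    for host, hits in by_host.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            stages = {s for t, s in hits[i:] if t - start <= window}
            if len(stages) >= min_stages:
                alerts.append({"host": host, "first_seen": start.isoformat(), "stages": sorted(stages)})
                break  # one alert per host is enough for triage
    return alerts

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Raise the threshold or tighten the window in environments where AnyDesk is legitimately pushed with unattended flags, and feed real driver-load and process-creation telemetry (e.g. Sysmon) in place of the constructed list.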
Tradecraft
11 distinct techniques observed across reporting, grouped by tactic.
Associated malware families
4 malware families attributed to this actor across reporting.
Recent activity
12 sources tracked across advisories, community write-ups, and news.
Develops proprietary EDR killer tools from scratch for use in ransomware intrusions.
Mentioned as ransomware activity that uses a BYOVD loader to abuse a vulnerable driver for kernel-level process termination.
Closed ransomware group cited as developing or using BYOVD-based EDR killer tooling to disable security products prior to ransomware deployment.
Ransomware activity in which the actor silently installs AnyDesk shortly before encryption to secure persistent unattended remote access.