DeadLock
DeadLock is a Windows ransomware family first reported in July 2025. Reporting from Group-IB and Cisco Talos describes it as a low-profile but technically notable extortion threat that combines custom ransomware tooling with legitimate administrative utilities. Its most distinctive feature is abuse of Polygon blockchain smart contracts to manage and rotate proxy/C2 infrastructure, an EtherHiding-like technique that makes infrastructure more resilient and harder to block or disrupt. Group-IB reported that DeadLock stores proxy server addresses in Polygon smart contracts, retrieves them via JavaScript in an HTML wrapper, and uses this mechanism to support victim communications through the decentralized messenger Session rather than a traditional public data leak site. Victims are directed to negotiate using a unique Session ID, and later ransom notes evolved from encryption-only demands to threats of data theft, exposure, or sale on underground markets.
DeadLock targets Windows systems; Group-IB noted the first known binary was written in C++ and compiled in July 2025. Cisco Talos reported that the ransomware uses a custom stream-cipher encryption algorithm with time-based cryptographic keys, while other reporting described custom cryptographic implementations rather than standard Windows crypto APIs. Talos assessed the encryption approach as sophisticated, capable of encrypting enterprise file types while using selective targeting and anti-forensics to avoid system corruption. Observed post-encryption artifacts include ransom notes in encrypted directories and wallpaper stating "Your infrastructure DeadLocked."
Observed tradecraft includes use of Bring Your Own Vulnerable Driver (BYOVD) techniques to disable defenses. Multiple sources state DeadLock exploited the vulnerable Baidu Antivirus driver BdApiUtil.sys, associated with CVE-2024-51324, to terminate arbitrary processes and disable EDR at kernel level. ESRC reported DeadLock used BdApiUtil.sys to disable Baidu EDR and then executed PowerShell scripts for privilege escalation and deletion of security systems, backup systems, and shadow copies. Talos likewise reported a previously unknown loader exploiting CVE-2024-51324 to kill EDR processes, followed by anti-recovery actions. Additional observed intrusion activity includes installation or whitelisting of AnyDesk for persistent remote access, enabling RDP for lateral movement, disabling Windows Defender real-time protection, stopping non-whitelisted services via PowerShell, and deleting shadow copies.
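As an added illustration (not code from any of the cited reports), the following Python scans constructed Sysmon-style driver-load and process-creation records for the pre-encryption steps described above: the BdApiUtil.sys driver load, Defender real-time protection being turned off, shadow-copy deletion, RDP enablement, and an AnyDesk install. The command-line forms in the sample are assumed common variants, not strings quoted from the DeadLock write-ups, and a host matching two or more categories is treated as the high-confidence pattern.

```python
import re
from collections import defaultdict

# Constructed sample events (not from any real incident), one per line as
# "<host>|<source>|<detail>", loosely modelled on a Sysmon driver-load
# record and process-creation / PowerShell command lines.
SAMPLE_EVENTS = r"""
WS01|DriverLoad|C:\Windows\Temp\BdApiUtil.sys
WS01|ProcessCreate|powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true
WS01|ProcessCreate|vssadmin.exe delete shadows /all /quiet
WS01|ProcessCreate|reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
WS01|ProcessCreate|C:\Users\Public\AnyDesk.exe --install "C:\Program Files\AnyDesk" --start-with-win
SRV02|ProcessCreate|vssadmin.exe list shadows
SRV02|ProcessCreate|svchost.exe -k netsvcs
"""

# (category, pattern). Categories follow the steps the reporting attributes
# to DeadLock; the command-line forms are assumed common variants, not
# strings quoted from the vendor write-ups.
RULES = [
    ("byovd_driver", re.compile(r"\\BdApiUtil\.sys$", re.I)),
    ("defender_rt_disabled",
     re.compile(r"Set-MpPreference\b.*-DisableRealtimeMonitoring\s+\$?true", re.I)),
    ("shadow_copy_delete",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete"
                r"|Win32_ShadowCopy.*\.Delete\(\)", re.I)),
    ("rdp_enabled", re.compile(r"fDenyTSConnections\b.*/d\s+0\b", re.I)),
    ("anydesk_install", re.compile(r"anydesk(\.exe)?\s+.*--install", re.I)),
]

def scan(events: str) -> dict:
    """Return {host: sorted matched categories}; hosts with no hit are omitted."""
    hits = defaultdict(set)
    for line in events.splitlines():
        if not line.strip():
            continue
        host, _source, detail = line.split("|", 2)
        for category, pattern in RULES:
            if pattern.search(detail):
                hits[host].add(category)
    return {host: sorted(cats) for host, cats in hits.items()}

def verdict(categories: list) -> str:
    """One step alone is a lead to triage; two or more on the same host is
    the pre-encryption pattern described above and warrants paging."""
    if len(categories) >= 2:
        return "high"
    return "medium" if categories else "none"
```

Running `scan(SAMPLE_EVENTS)` flags WS01 on all five categories (verdict "high") and leaves SRV02 out, since listing shadow copies is not deletion.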
Group-IB reported DeadLock does not operate a conventional leak site and has remained relatively under the radar, though it has targeted a wide range of organizations. Infrastructure associated with its proxying and communications has included systems running Vesta, Shopware, cPanel, and WordPress; some appeared hijacked and others attacker-controlled. Researchers also observed multiple Polygon smart contracts tied to the operation, created or updated in August and November 2025, with funding linked in reporting to a wallet associated with the FixedFloat exchange.
High-confidence detections and references in the reporting include Cisco Talos Snort SIDs 65576, 65575, and 301358, and ClamAV detections Win.Tool.EDRKiller-10058432-0, Win.Tool.VulnBaiduDriver-10058431-1, Ps.Tool.DeleteShadowCopies-10058429-0, and Win.Ransomware.Deadlock-10058428-0.
Vulnerabilities exploited
ESRC (source report, translated): The DeadLock ransomware used BdApiUtil.sys, a Baidu antivirus driver affected by the CVE-2024-51324 vulnerability, in its attacks to disable Baidu EDR, and then also executed PowerShell scripts for privilege escalation and for deleting security systems, backup systems, and shadow copies.
Techniques & procedures
6 distinct techniques documented for this family, organized by ATT&CK tactic.
Execution: 1 technique
Command and Control: 2 techniques
Exfiltration: 1 technique
Recent activity
12 sources tracked across advisories, community write-ups, and news.
A ransomware family noted in the content as using the Polygon chain for EtherHiding.
Ransomware deployed after a BYOVD-based defense-evasion step (abusing a vulnerable driver) to bypass EDR and enable encryption/extortion activity.
Ransomware that uses blockchain (Polygon smart contracts) to manage/rotate proxy infrastructure; uses an HTML wrapper for Session messenger communications; leverages AnyDesk and a BYOVD technique exploiting a Baidu Antivirus driver flaw to disable security tools.
A ransomware family discovered in July 2025 that uses Polygon smart contracts to store and rotate proxy server addresses for resilient C2, uses Session for victim negotiation, and employs a PowerShell script plus legitimate tools like AnyDesk to prepare systems for encryption and extortion.