Cybersecurity analysts at Group-IB have uncovered a new ransomware strain named DeadLock that uses the Polygon blockchain as part of its communication infrastructure. By storing its proxy addresses in a smart contract, the malware can rotate those addresses at will, shielding its command-and-control directory from traditional law enforcement takedowns aimed at hosting providers and registrars.
Innovative Evasion Tactics
Initially detected in July 2024, DeadLock has kept a relatively low profile: it has no public data-leak site and has hit only a limited number of victims. Group-IB warns, however, that its technical sophistication should not be underestimated.
The ransomware’s core innovation is its use of Polygon smart contracts to store and update the addresses of its command-and-control (C2) servers. On an infected system, the malware contacts a specific contract on the blockchain and calls a read function it exposes to retrieve the most current proxy server address. If a particular server is blocked or seized, the attackers publish a replacement by sending a transaction that updates the contract’s state, and every later lookup returns the new address, so the infrastructure can be switched without touching the infected hosts.
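The lookup described above is an ordinary Ethereum-style JSON-RPC `eth_call`, and the answer comes back ABI-encoded. The block below is an added example written for this article, not Group-IB’s analysis code and not anything recovered from DeadLock: it shows what the lookup looks like on the wire and how an incident responder can pair a captured request with its response, decode the returned `string`, and recover the proxy address the sample was told to use. Everything in it is constructed: the contract address, the four-byte selector `0x1a2b3c4d` (a real selector is the first four bytes of keccak256 of the function signature, and note that Python’s `hashlib.sha3_256` is NIST SHA-3, not Keccak-256, so computing a real one needs a third-party library), the watch-list of public Polygon RPC hosts, and the proxy URL, which uses the 203.0.113.0/24 documentation range.

```python
"""Added example: decode a captured Polygon JSON-RPC eth_call exchange to
recover an on-chain C2 proxy address. Not DeadLock's or Group-IB's code;
all addresses, selectors and log records below are constructed."""
import json
from typing import Optional

# Hypothetical watch-list of public Polygon JSON-RPC hostnames to match on.
WATCHED_RPC_HOSTS = {"polygon-rpc.com", "rpc-mainnet.matic.network"}
WORD = 32  # the ABI encodes every head/length field in 32-byte words


def abi_encode_string(s: str) -> str:
    """ABI-encode a single dynamic `string` return value: offset, length, data."""
    raw = s.encode()
    padded = raw + b"\x00" * (-len(raw) % WORD)      # right-pad to a word boundary
    head = WORD.to_bytes(WORD, "big")                  # offset of the string = 0x20
    return "0x" + head.hex() + len(raw).to_bytes(WORD, "big").hex() + padded.hex()


def abi_decode_string(hexdata: str) -> str:
    """Decode an eth_call result holding one ABI `string`, validating the layout
    so a malformed or truncated reply raises instead of returning garbage."""
    data = bytes.fromhex(hexdata[2:] if hexdata.startswith("0x") else hexdata)
    if len(data) < 2 * WORD:
        raise ValueError("result too short for a dynamic string")
    offset = int.from_bytes(data[:WORD], "big")
    if offset + WORD > len(data):
        raise ValueError("string offset points outside the result")
    length = int.from_bytes(data[offset:offset + WORD], "big")
    start = offset + WORD
    if start + length > len(data):
        raise ValueError("string length exceeds the result")
    return data[start:start + length].decode()


def parse_eth_call(body: str) -> Optional[dict]:
    """Return {id, to, selector} if `body` is a JSON-RPC eth_call, else None."""
    try:
        msg = json.loads(body)
    except json.JSONDecodeError:
        return None
    if msg.get("jsonrpc") != "2.0" or msg.get("method") != "eth_call":
        return None
    params = msg.get("params") or []
    if not params or not isinstance(params[0], dict):
        return None
    call = params[0]
    return {"id": msg.get("id"), "to": call.get("to", "").lower(),
            "selector": call.get("data", "")[:10].lower()}  # 0x + 4 bytes


def recover_proxies(exchanges):
    """Pair request/response records by JSON-RPC id and decode C2 lookups.

    `exchanges` is an iterable of dicts {"dir": "out"|"in", "host": ..., "body": ...}
    such as a proxy or EDR network log would yield. Returns a list of
    (contract, selector, proxy_url) tuples for calls to watched RPC hosts.
    """
    pending, found = {}, []
    for rec in exchanges:
        if rec["host"] not in WATCHED_RPC_HOSTS:
            continue
        if rec["dir"] == "out":
            call = parse_eth_call(rec["body"])
            if call:
                pending[call["id"]] = call
        elif rec["dir"] == "in":
            try:
                reply = json.loads(rec["body"])
            except json.JSONDecodeError:
                continue
            call = pending.pop(reply.get("id"), None)
            if call and isinstance(reply.get("result"), str):
                try:
                    url = abi_decode_string(reply["result"])
                except (ValueError, UnicodeDecodeError):
                    continue  # not a string-returning getter; ignore
                found.append((call["to"], call["selector"], url))
    return found


# Constructed sample traffic: a benign eth_blockNumber to the same host,
# then a phone-book lookup whose reply carries a placeholder proxy URL.
CONTRACT = "0x0000000000000000000000000000000000001234"   # placeholder address
SELECTOR = "0x1a2b3c4d"                                   # placeholder selector
SAMPLE_RESULT = abi_encode_string("http://203.0.113.7:8443")
SAMPLE_EXCHANGES = [
    {"dir": "out", "host": "polygon-rpc.com", "body": json.dumps(
        {"jsonrpc": "2.0", "id": 7, "method": "eth_blockNumber", "params": []})},
    {"dir": "in", "host": "polygon-rpc.com", "body": json.dumps(
        {"jsonrpc": "2.0", "id": 7, "result": "0x3d0900"})},
    {"dir": "out", "host": "polygon-rpc.com", "body": json.dumps(
        {"jsonrpc": "2.0", "id": 8, "method": "eth_call",
         "params": [{"to": CONTRACT, "data": SELECTOR}, "latest"]})},
    {"dir": "in", "host": "polygon-rpc.com", "body": json.dumps(
        {"jsonrpc": "2.0", "id": 8, "result": SAMPLE_RESULT})},
]

if __name__ == "__main__":
    for contract, selector, url in recover_proxies(SAMPLE_EXCHANGES):
        print(f"contract {contract} selector {selector} -> proxy {url}")
```

Two practitioner points follow from the shape of this exchange. First, `eth_call` is a free, read-only query that produces no on-chain transaction, so a block explorer will never show the victims’ lookups; what it does show, permanently, is every transaction the attackers sent to change the stored address, which gives defenders a complete history of the proxy servers used. Second, because the lookup is indistinguishable from legitimate blockchain use at the RPC layer, detection belongs on the host or at the egress: a process with no business touching a blockchain making JSON-RPC POSTs to a public Polygon endpoint, always with the same `to` contract and selector, is the signal to hunt for.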
The “Immutable” Infrastructure
The primary advantage for the cybercriminals is the decentralized nature of the blockchain. Because the proxy directory is stored on-chain:
- No Central Point of Failure: There is no hosting provider that authorities can shut down to kill the malware’s “phone book.” The directory changes only when whoever holds the key authorized to update the contract sends a transaction, and that key stays with the attackers.
- Permanent Data: The contract and its state persist across thousands of nodes worldwide for as long as the chain exists. That permanence cuts both ways: every address the attackers have ever published is recorded in the chain’s public transaction history, where defenders can read it too.
- Infinite Scalability: Researchers noted that the technique allows for nearly infinite variations, limited only by the attacker’s imagination, since the contract’s logic can be extended beyond a single stored address to arbitrary selection schemes.
Tracing the Roots: From EtherHiding to DeadLock
The concept of using a blockchain to host malware components is an evolving trend. Group-IB pointed to a similar tactic known as “EtherHiding,” first documented in late 2023 and later attributed by Google to the North Korean state-sponsored group UNC5342, which stored malicious JavaScript payloads in smart contracts, written to the chain via transactions and fetched by compromised sites at runtime.
DeadLock represents the next step in this evolution, moving from using the chain as passive payload storage to active, automated infrastructure management through smart contract functions.