Prevent Ransomware Blog

Ransomware Hides in Blockchain to Evade Detection

Written by Tony Chiappetta | Jan 25, 2026 9:59:59 AM

In a concerning development for cybersecurity professionals and business owners everywhere, a new strain of ransomware is quietly evolving its tactics in a way that undermines traditional defenses. According to a recent article from Decrypt, the DeadLock ransomware family is now abusing Polygon blockchain smart contracts to evade detection and takedown efforts.

This shift represents a worrying trend in ransomware tradecraft and should serve as a wake-up call for business leaders who still rely solely on conventional endpoint detection and response systems.

Ransomware Reinvents Its Infrastructure Using Blockchain

DeadLock was first identified in July 2025, but it remained largely under the radar because it did not exhibit the characteristics that often draw public attention. It lacked a public leak site and had no visible affiliate program—two classic features that security analysts monitor to gauge ransomware activity.

What makes DeadLock particularly worrying is how it manages its command and control (C2) infrastructure. Instead of hard-coding C2 servers or relying on centralized hosting, the DeadLock implant carries JavaScript that queries a smart contract on the Polygon (MATIC) blockchain to retrieve a list of proxy server addresses. The contract acts as a dead-drop resolver: it only stores data, and the implant only reads it. The proxies it names are then used to relay communications between infected machines and the attackers.

Storing the proxy list on a public blockchain gives the operators resilience that conventional hosted C2 does not offer. There is no server to seize, no registrar or hosting provider that can take the data down, and the operators can rotate proxies at will by sending a transaction that updates the contract's state, leaving defenders chasing a list that changes faster than blocklists do. The same property cuts both ways, however: the ledger is public, so once the contract address is known analysts can read the current proxy list and watch every update to it, and the RPC gateways the implant must call to read the contract remain a network indicator.
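What that lookup looks like from the defender's side, and how to hunt for it in web-proxy telemetry, as an added example that is not part of the original article and not code from any DeadLock sample. The log format, host and process names, the gateway list, the contract address, the function selector and the proxy list are all constructed for the demonstration. The real contract's interface is not described on this page, so the example assumes the function returns a single ABI-encoded string, and decodes it the way a public-ledger read lets an analyst recover the same list the implant sees.

```python
"""Flag smart-contract dead-drop lookups in proxy telemetry (added example).

Everything below the imports is constructed sample data and hypothetical
detection logic; none of the names, addresses or selectors are indicators
taken from DeadLock samples.
"""
import json
import re
from dataclasses import dataclass

# Public Polygon JSON-RPC gateways. Assumption: the implant resolves its proxy
# list through a gateway like these. Any RPC provider could be used, so treat
# this as a hunting starting point, not a blocklist.
POLYGON_RPC_HOSTS = {"polygon-rpc.com", "rpc-mainnet.matic.network", "polygon.llamarpc.com"}

# Processes for which blockchain RPC traffic is plausible (wallet extensions).
BROWSER_PROCESSES = {"chrome.exe", "msedge.exe", "firefox.exe"}


@dataclass
class Finding:
    src_host: str
    process: str
    rpc_host: str
    method: str     # "eth_call" when the request body was captured, "" otherwise
    contract: str   # the call's `to` address: an indicator worth pivoting on
    selector: str   # first 4 bytes of calldata, identifies the contract function
    proxies: list   # decoded from the response when the body was captured


def encode_abi_string(text: str) -> str:
    """ABI-encode one `string` return value (head offset, length, padded bytes).
    Used here only to build the constructed sample response."""
    data = text.encode("utf-8")
    padded = data + b"\x00" * ((32 - len(data) % 32) % 32)
    return "0x" + (32).to_bytes(32, "big").hex() + len(data).to_bytes(32, "big").hex() + padded.hex()


def decode_abi_string(hex_result: str) -> str:
    """Inverse of encode_abi_string; raises ValueError on malformed input."""
    raw = bytes.fromhex(hex_result[2:] if hex_result.startswith("0x") else hex_result)
    if len(raw) < 64:
        raise ValueError("result too short for an ABI string")
    offset = int.from_bytes(raw[0:32], "big")
    if offset + 32 > len(raw):
        raise ValueError("bad head offset")
    length = int.from_bytes(raw[offset:offset + 32], "big")
    start = offset + 32
    if start + length > len(raw):
        raise ValueError("string length exceeds payload")
    return raw[start:start + length].decode("utf-8")


def analyze(log_lines):
    """One JSON record per line: src_host, process, dst_host, request_body,
    response_body. Bodies are present only when the proxy does TLS inspection."""
    findings = []
    for line in log_lines:
        rec = json.loads(line)
        if rec.get("dst_host") not in POLYGON_RPC_HOSTS:
            continue
        if rec.get("process", "").lower() in BROWSER_PROCESSES:
            continue  # wallet traffic from a browser is expected; tune per environment
        try:
            req = json.loads(rec.get("request_body") or "{}")
        except ValueError:
            req = {}
        method = req.get("method", "")
        if req and method != "eth_call":
            continue  # only contract reads can carry a dead-drop payload
        params = req.get("params") or [{}]
        call = params[0] if isinstance(params[0], dict) else {}
        calldata = call.get("data") or ""
        proxies = []
        try:
            resp = json.loads(rec.get("response_body") or "{}")
            proxies = [p for p in re.split(r"[,\s]+", decode_abi_string(resp["result"])) if p]
        except (ValueError, KeyError, TypeError):
            pass  # no body or not a string return; the gateway contact alone is still a finding
        findings.append(Finding(rec.get("src_host", "?"), rec.get("process", "?"), rec["dst_host"],
                                method, call.get("to", "?"), calldata[:10], proxies))
    return findings


# Constructed sample telemetry: a script host reading the contract (body captured),
# a browser doing the same (expected), ordinary web traffic, and a server reaching a
# gateway without body capture.
CONTRACT = "0x1111111111111111111111111111111111111111"  # constructed, not a real indicator
_CALL = json.dumps({"jsonrpc": "2.0", "id": 1, "method": "eth_call",
                    "params": [{"to": CONTRACT, "data": "0xaabbccdd"}, "latest"]})
SAMPLE_LOG = [
    json.dumps({"src_host": "ws-042", "process": "wscript.exe", "dst_host": "polygon-rpc.com",
                "request_body": _CALL, "response_body": json.dumps(
                    {"jsonrpc": "2.0", "id": 1,
                     "result": encode_abi_string("203.0.113.10:443,198.51.100.7:443")})}),
    json.dumps({"src_host": "ws-017", "process": "chrome.exe", "dst_host": "polygon-rpc.com",
                "request_body": _CALL, "response_body": ""}),
    json.dumps({"src_host": "ws-042", "process": "wscript.exe", "dst_host": "www.example.com",
                "request_body": "", "response_body": ""}),
    json.dumps({"src_host": "srv-db1", "process": "powershell.exe", "dst_host": "polygon.llamarpc.com",
                "request_body": "", "response_body": ""}),
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

Without TLS inspection the request body is absent and the script still yields a lower-confidence finding for any non-browser process that reaches a Polygon gateway; with it, the decoded proxy list becomes an indicator set that can be blocked at the egress proxy, and the contract address can be watched on a block explorer for the next rotation. The gateway list and the browser allow-list are the parts to tune to your own environment.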

Analysts have compared DeadLock's technique to the "EtherHiding" campaign Google previously reported, in which nation-state actors abused Ethereum smart contracts to conceal malware payloads and evade detection. The difference is what the contract holds: EtherHiding served payloads from the chain, while DeadLock uses it to publish C2 routing data.

Real Impact on Victims

Once DeadLock infects a system, it encrypts files and appends a “.dlock” extension. It also replaces the victim’s desktop wallpaper with a ransom note demanding payment and often threatening to sell sensitive data if the ransom is not paid.

Interestingly, newer versions of DeadLock include an HTML file that wraps a decentralized messaging client, letting the victim contact the attackers directly through platforms such as Session. This is a deliberate attempt to sidestep the normal incident response process: rather than going through a negotiator, insurer or law enforcement, victims are pushed into engaging the extortionists directly.

Security researchers have identified at least three variants of DeadLock so far, each demonstrating how adaptable and resilient this ransomware family has become.

Why Traditional Security Tools Can Fail

The DeadLock ransomware story highlights the limitations of conventional endpoint detection and response (EDR) tools. These platforms often rely on signatures, heuristics, and threat intelligence to detect malicious behavior. But when a threat actor embeds its control infrastructure into a decentralized ledger, static detection methods struggle to keep pace.

Even capable EDRs can miss activity that rides on legitimate blockchain infrastructure. The implant does not beacon to a known-bad server; it reads a contract through public JSON-RPC gateways that many environments allow, and the proxies it then connects to can be swapped before they reach any blocklist. The lookup itself is not invisible, however. An outbound eth_call JSON-RPC request from a script host on a workstation that has no business talking to a blockchain is a strong signal, and so is the contract address once it is known. The problem is that tools keyed to known-bad indicators may not raise that alert until after encryption has begun.

This is emblematic of a broader trend: attackers are increasingly using creative methods to slip past detection mechanisms long before responders can react. As these tactics evolve, so too must our approach to defense.

From Detect and Respond to Isolation and Containment

Detecting threats after they have already infiltrated your network is no longer enough. DeadLock's use of blockchain smart contracts to hide its C2 infrastructure shows that attackers can slip past many detection layers without being noticed until it is too late. This leaves organizations scrambling to contain damage rather than preventing it in the first place.

This is where AppGuard shines.

AppGuard provides a fundamentally different approach to endpoint protection. Instead of waiting to detect malicious behavior, AppGuard focuses on isolation and containment. It prevents unknown or sophisticated threats from executing harmful actions on endpoints in the first place, blocking ransomware and other advanced threats before they can encrypt files or establish communication with attackers.

With a proven track record of success spanning over ten years, AppGuard offers business owners a way to proactively defend their environments. Unlike traditional solutions, AppGuard does not rely on signatures or threat intelligence that can be bypassed. Instead, it enforces strict access controls that stop malware behaviors at their source.

Your Next Step Toward True Protection

The DeadLock ransomware case makes one thing clear: relying solely on Detect and Respond strategies leaves your business vulnerable to emerging threats that evade traditional defenses. Businesses need to move toward a security model that emphasizes Isolation and Containment, stopping threats before they cause damage.

At CHIPS, we help organizations evaluate and deploy powerful solutions like AppGuard to strengthen their cybersecurity posture. If you are a business owner concerned about ransomware, advanced malware, and stealthy threats like DeadLock, now is the time to act.

Contact us at CHIPS to learn how AppGuard can protect your organization and help you stay ahead of evolving ransomware threats.

Call to Action:
Talk with us at CHIPS about how AppGuard can prevent incidents like this one by enabling Isolation and Containment rather than relying on outdated Detect and Respond approaches.
