DeadLock Ransomware Abuses Polygon Smart Contracts
🔒 Group-IB researchers report that the DeadLock ransomware is using Polygon smart contracts to store and rotate proxy server addresses, enabling more resilient command-and-control. Rather than rely on hard-coded servers, the malware performs read-only calls to blockchain contracts to fetch proxy URLs and uses fallback RPC endpoints to avoid transactions and fees. An HTML component communicates via the Session encrypted messaging platform, while operators also employ AnyDesk and PowerShell to escalate impact; victims' files are suffixed .dlock and ransom notes threaten data sale.
