Lede
A recently discovered ransomware strain known as “DeadLock” has been identified as stealthily abusing Polygon smart contracts. First detected in July, the malware represents a notable evolution in attack strategy: it integrates blockchain technology directly into its operational flow. Although researchers describe the ransomware as having “low exposure”, with no known data leak site or widespread affiliate program, its technical execution is highly innovative. At the core of the DeadLock operation, Polygon smart contracts are used to store and rotate proxy server addresses, which the malware needs in order to maintain communication with victims after the initial infection. Code embedded in the ransomware payload interacts with a specific smart contract address on the Polygon network, and a contract function lets the operators dynamically update the command-and-control infrastructure, allowing them to bypass traditional security filters that rely on static IP addresses or centralized domain names. Because the system relies on a decentralized network, it gains a layer of stealth that makes it difficult for traditional antivirus and network monitoring tools to detect and block the communication between the infected host and the attacker’s control systems. The discovery serves as a warning that even low-profile threats can use advanced methods to remain effective and dangerous to organizations that do not prioritize comprehensive defenses against blockchain-based abuse.
Context
The practice of weaponizing smart contracts for the distribution and management of malware is an emerging trend, but it is not without precedent. Researchers have noted that the tactic used by DeadLock shares similarities with a method called “EtherHiding,” first reported by Google in October. EtherHiding embeds malicious code, often JavaScript payloads, directly into a smart contract on a public blockchain. The technique was used by a North Korean threat actor designated “UNC5342,” which leveraged transactions on public blockchains to store and later retrieve malicious payloads for its operations. This approach effectively turns a public blockchain into a decentralized and highly resilient command-and-control (C2) server. By shifting infrastructure from private servers to a public ledger, attackers have found a new way to hide malware and its control data among the vast number of legitimate transactions on networks like Ethereum and Polygon. Hiding in plain sight in this way gives malicious actors a high degree of permanence. Unlike traditional web hosting, which can be taken down by service providers or law enforcement, blockchain data is replicated across thousands of nodes worldwide. The malicious payloads and proxy rotation instructions therefore remain available for as long as the blockchain itself is operational, a level of reliability that was previously difficult for cybercriminals to achieve through conventional means.
Impact
The impact of the DeadLock ransomware becomes apparent once a system is compromised and the encryption process is complete. After encrypting a victim’s files, the ransomware delivers a ransom note that threatens to sell stolen data if the attackers’ demands are not met. The integration of Polygon smart contracts into this process significantly amplifies the danger posed by the malware. By storing proxy addresses on-chain, the developers of DeadLock have created an infrastructure that is extremely difficult to disrupt. In a standard ransomware scenario, the takedown of a central server can often cripple the attackers’ ability to manage their victims or provide decryption keys. Because DeadLock uses a decentralized network, however, there is no central server to take down. The blockchain data the ransomware relies on persists indefinitely across distributed nodes around the globe, so even if parts of the network are targeted, the core command-and-control instructions remain accessible to the malware. For organizations, the risk is compounded by the fact that the methods used are new and not yet widely reported or understood by all security teams. Failing to take this malware seriously could have devastating consequences, as the persistence of the blockchain-based infrastructure allows the threat actors to maintain long-term control over the channels used to extort victims and coordinate the distribution of stolen information.
Outlook
Looking forward, the emergence of DeadLock suggests that the use of smart contracts for malicious purposes is likely to keep evolving. As attackers find new ways to hide malware and its supporting infrastructure within decentralized networks, the complexity of defending against such threats will increase. Cybersecurity experts point out that using smart contracts to deliver proxy addresses is a versatile method that allows attackers to apply an almost infinite number of variations to the technique; the only real limit to how these blockchain features can be abused is the imagination of the threat actors themselves. The persistent and global nature of blockchain nodes means that once a malicious contract is deployed, it remains a permanent fixture of the network, ready to be called upon by malware variants at any time. This creates a challenging outlook for the industry, as traditional blacklisting of domains and IP addresses is rendered less effective against rotating on-chain data. Organizations must adapt by developing more sophisticated monitoring tools that can identify and analyze suspicious interactions with smart contracts. The trend of using blockchains as resilient command-and-control servers, seen with both DeadLock and the earlier EtherHiding tactics, indicates that the intersection of cryptocurrency technology and cybercrime will remain a critical area of concern for the foreseeable future. Staying ahead of these methods will require a deeper understanding of how public ledgers can be manipulated by sophisticated actors such as North Korean groups and independent ransomware operators.
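As an added example, not code from the article or from any DeadLock analysis, the following Python sketches the kind of monitoring the outlook calls for: it inspects one captured JSON-RPC `eth_call` exchange of the sort the lede describes (malware reading its current proxy address from a contract), decodes the ABI-encoded string the contract returned, and flags the signals a defender cares about (a watched contract, a host with no business reason to talk to a blockchain RPC, a returned value shaped like a network endpoint). The contract address, function selector and proxy endpoint are placeholders constructed for this example; the article names none of them.

```python
import json
import re
# Constructed sample values for this example, not indicators from the article: a
# hypothetical Polygon contract address, function selector and proxy endpoint.
PLACEHOLDER_CONTRACT = "0x" + "ab" * 20
PLACEHOLDER_SELECTOR = "0x12345678"
PLACEHOLDER_PROXY = "203.0.113.10:8443"       # TEST-NET address standing in for a proxy
WATCHED_CONTRACTS = {PLACEHOLDER_CONTRACT}    # populate from your own threat intel

def abi_encode_string(s: str) -> str:
    # ABI encoding of a single `string` return: offset word, length word, padded bytes
    raw = s.encode()
    padded = raw + b"\x00" * ((32 - len(raw) % 32) % 32)
    return "0x" + ((32).to_bytes(32, "big") + len(raw).to_bytes(32, "big") + padded).hex()

def abi_decode_string(hexdata: str) -> str:
    # Inverse of the above; a malformed result raises ValueError/UnicodeDecodeError
    blob = bytes.fromhex(hexdata[2:] if hexdata.startswith("0x") else hexdata)
    offset = int.from_bytes(blob[:32], "big")
    length = int.from_bytes(blob[offset:offset + 32], "big")
    return blob[offset + 32:offset + 32 + length].decode()

def looks_like_endpoint(s: str) -> bool:
    # host:port or URL shape, which is what a rotated proxy address looks like
    return re.fullmatch(r"(https?://)?[A-Za-z0-9.\-]+:\d{1,5}(/\S*)?", s) is not None

def inspect_eth_call(request_json: str, response_json: str, host_allowlisted: bool = False):
    # Review one JSON-RPC request/response pair captured at the egress proxy or IDS.
    req = json.loads(request_json)
    if req.get("method") != "eth_call" or not req.get("params"):
        return None                                # other RPC methods are out of scope here
    call = req["params"][0]
    finding = {"contract": call.get("to", "").lower(),
               "selector": call.get("data", "")[:10], "decoded": None, "alerts": []}
    try:
        finding["decoded"] = abi_decode_string(json.loads(response_json).get("result", "0x"))
    except (ValueError, UnicodeDecodeError, AttributeError):
        pass                                       # not a string return; keep the other signals
    if finding["contract"] in WATCHED_CONTRACTS:
        finding["alerts"].append("eth_call to a watched contract")
    if not host_allowlisted:
        finding["alerts"].append("eth_call from a host with no blockchain business need")
    if finding["decoded"] and looks_like_endpoint(finding["decoded"]):
        finding["alerts"].append("contract returned a network endpoint (possible proxy rotation)")
    return finding

# Constructed traffic: the read a DeadLock-style client would issue, and the node's reply.
SAMPLE_REQUEST = json.dumps({"jsonrpc": "2.0", "id": 1, "method": "eth_call",
    "params": [{"to": PLACEHOLDER_CONTRACT, "data": PLACEHOLDER_SELECTOR}, "latest"]})
SAMPLE_RESPONSE = json.dumps({"jsonrpc": "2.0", "id": 1, "result": abi_encode_string(PLACEHOLDER_PROXY)})
```

The host allowlist is the signal that generalizes best: a workstation or file server that suddenly starts issuing `eth_call` requests is worth an alert regardless of which contract it talks to.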