Beware: New ‘DeadLock’ Ransomware Weaponizes Polygon Smart Contracts to Stay Invisible
Cybersecurity researchers are paying close attention to a newly discovered ransomware strain known as DeadLock that abuses Polygon smart contracts to quietly service its infrastructure and bypass conventional detection tools, according to a recent report by threat intelligence firm Group-IB.
DeadLock, first observed in July 2025, has so far remained largely under the radar because it has no public-facing affiliate program and no data leak site, and it has been linked to relatively few confirmed victims.
That low profile, however, conceals a more technically sophisticated approach that researchers believe reflects a broader shift in the way cybercriminals are using public blockchains for criminal ends.
How DeadLock Hides Ransomware Infrastructure Inside Polygon Smart Contracts
Group-IB’s analysis shows that DeadLock uses smart contracts deployed on the Polygon network to store and rotate proxy server addresses.
These proxies act as intermediaries between infected systems and the ransomware operators, allowing command-and-control traffic to shift endpoints without relying on centralized infrastructure that can be seized or blocked.
By querying the smart contract, the malware retrieves the current proxy address through a simple read operation that leaves no obvious transactional footprint and incurs no network cost.
Researchers said this technique mirrors earlier campaigns, such as EtherHiding, disclosed last year, in which North Korean threat actors used the Ethereum blockchain to conceal and distribute malware payloads.
In both cases, public and decentralized ledgers were turned into resilient communication channels that are difficult for defenders to disrupt. DeadLock’s use of Polygon extends that concept by embedding proxy management directly into a smart contract, allowing attackers to update infrastructure on demand.

Once deployed, DeadLock encrypts files and appends a “.dlock” extension, alters system icons, and replaces the victim’s wallpaper with ransom instructions.
Over time, the group’s ransom notes have evolved: early samples referenced only file encryption, while later versions explicitly stated that sensitive data had been stolen and threatened its sale if payment was not made.
The most recent ransom notes also promise “added services,” including a breakdown of how the network was breached and assurances that the victim will not be targeted again.
This Ransomware Doesn’t Just Lock Files — It Opens a Chat With Hackers
Group-IB identified at least three distinct DeadLock samples from mid-2025, each showing incremental changes in tactics.
Analysis of associated PowerShell scripts suggests the malware aggressively disables non-essential services, deletes volume shadow copies to prevent recovery, and whitelists a limited set of processes, notably including AnyDesk.
Investigators believe AnyDesk is used as the primary remote access tool during attacks, a finding consistent with separate digital forensics investigations.
A key element of DeadLock’s operation is an HTML file dropped on infected systems that embeds an encrypted session messenger interface. Victims can communicate directly with attackers through this file without installing additional software.

The embedded JavaScript retrieves proxy addresses from the Polygon smart contract, then routes encrypted messages through these servers to a session ID controlled by the ransomware operators.
Transaction analysis shows that the same wallet created multiple identical smart contracts and repeatedly updated proxy addresses by calling a function labeled “setProxy.”
The wallet was funded through an exchange-linked address shortly before the contracts were deployed, indicating deliberate preparation.
Historical tracking of these transactions allows defenders to reconstruct past proxy infrastructure, although the decentralized design complicates rapid takedown efforts.
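The reconstruction described above can be sketched as follows. This is an added example, not code from Group-IB or from the original article. It assumes that “setProxy” takes a single ABI-encoded string argument; the selector bytes, the record fields (timestamp, input, failed) and all sample transactions are constructed placeholders.

```python
from datetime import datetime, timezone

def encode_string_call(selector: bytes, value: str) -> str:
    """Build ABI calldata for f(string); used only to construct sample input."""
    data = value.encode()
    padded = data + b"\x00" * (-len(data) % 32)
    body = (32).to_bytes(32, "big") + len(data).to_bytes(32, "big") + padded
    return "0x" + (selector + body).hex()

def decode_string_arg(calldata: str) -> str:
    """Decode the single dynamic string argument of ABI calldata."""
    raw = bytes.fromhex(calldata[2:] if calldata.startswith("0x") else calldata)
    args = raw[4:]                      # skip the 4-byte function selector
    if len(args) < 64:
        raise ValueError("calldata too short for a string argument")
    offset = int.from_bytes(args[0:32], "big")
    if offset + 32 > len(args):
        raise ValueError("string offset out of range")
    length = int.from_bytes(args[offset:offset + 32], "big")
    start = offset + 32
    if start + length > len(args):
        raise ValueError("string length exceeds calldata")
    return args[start:start + length].decode("utf-8", errors="replace")

def proxy_timeline(txs, selector: bytes):
    """Return (utc_time, proxy) pairs for successful calls to selector, oldest first."""
    out = []
    for tx in sorted(txs, key=lambda t: t["timestamp"]):
        data = tx["input"]
        if tx.get("failed") or not data.lower().startswith("0x" + selector.hex()):
            continue                    # reverted call or a different function
        try:
            proxy = decode_string_arg(data)
        except ValueError:
            continue                    # malformed calldata: leave it out of the timeline
        when = datetime.fromtimestamp(tx["timestamp"], tz=timezone.utc)
        out.append((when.isoformat(), proxy))
    return out

# Constructed sample data. SELECTOR is a placeholder, not the real contract's selector.
SELECTOR = bytes.fromhex("aabbccdd")
SAMPLE_TXS = [
    {"timestamp": 1754006400, "input": encode_string_call(SELECTOR, "https://proxy-b.example")},
    {"timestamp": 1753920000, "input": encode_string_call(SELECTOR, "https://proxy-a.example")},
    {"timestamp": 1754092800, "input": encode_string_call(SELECTOR, "https://proxy-c.example"), "failed": True},
    {"timestamp": 1754179200, "input": "0x" + SELECTOR.hex() + "00" * 8},
    {"timestamp": 1754265600, "input": encode_string_call(bytes.fromhex("11223344"), "unrelated")},
]

if __name__ == "__main__":
    for when, proxy in proxy_timeline(SAMPLE_TXS, SELECTOR):
        print(when, proxy)
```

Each recovered address and the window in which it was active can then be matched against historical proxy, DNS or firewall logs.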
The finding is part of an overall increase in crypto-related cybercrime: over $3.4 billion had been stolen through hacks and exploits as of early December 2025, with state-linked North Korean groups accounting for over $2 billion of that total.
The post Beware: New ‘DeadLock’ Ransomware Weaponizes Polygon Smart Contracts to Stay Invisible appeared first on Cryptonews.
