Cybersecurity firm Group-IB has identified a ransomware strain called DeadLock that abuses Polygon smart contracts to rotate proxy addresses and avoid takedowns.
Researchers said DeadLock has maintained a low profile since its discovery in July, with limited victims and no links to known leak sites or affiliate networks.
Despite its low exposure, Group-IB warned the ransomware uses innovative techniques that pose serious risks to organisations.
DeadLock embeds code that interacts with a Polygon smart contract to dynamically update command-and-control proxy infrastructure.
By storing proxy server addresses on-chain, the ransomware avoids reliance on centralised servers that can be easily shut down.
Once systems are encrypted, victims receive ransom demands alongside threats to sell stolen data if payment is not made.
Group-IB said blockchain-based infrastructure is extremely difficult to disrupt because data persists across decentralised nodes globally.
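Since the proxy lookup described above is a read of data stored in a contract, outbound JSON-RPC traffic is one place a defender can hunt for it. The Python below is an added example, not code from Group-IB or from the ransomware: it counts read-only contract calls (the standard Ethereum JSON-RPC methods `eth_call` and `eth_getStorageAt`, which Polygon nodes also serve) made by processes outside an allowlist. It assumes a TLS-inspecting egress proxy that logs one JSON record per request with hypothetical `host`, `process` and `body` fields; every sample record, process name and address is constructed.

```python
import json
from collections import Counter

READ_METHODS = {"eth_call", "eth_getStorageAt"}  # read-only contract lookups
ALLOWED = {"chrome.exe", "firefox.exe"}  # assumption: approved wallet/browser use

def contract_of(call):
    """Contract address targeted by a read-only JSON-RPC call, else None."""
    params = call.get("params") or []
    if call.get("method") not in READ_METHODS or not params:
        return None
    # eth_call carries {"to": ...}; eth_getStorageAt carries the address itself.
    target = params[0].get("to") if isinstance(params[0], dict) else params[0]
    return target.lower() if isinstance(target, str) else None

def find_suspect_reads(log_text, allowed=ALLOWED):
    """Count read-only contract calls per (host, process, contract) for
    processes outside the allowlist. Unparseable lines are skipped."""
    hits = Counter()
    for line in log_text.splitlines():
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if not isinstance(rec, dict):
            continue
        body = rec.get("body")
        calls = body if isinstance(body, list) else [body]  # JSON-RPC batches
        for call in calls:
            addr = contract_of(call) if isinstance(call, dict) else None
            if addr and str(rec.get("process", "")).lower() not in allowed:
                hits[(rec.get("host"), rec.get("process"), addr)] += 1
    return dict(hits)

# Constructed sample data: hosts, process names and addresses are made up.
C1, C2 = "0x" + "aa" * 20, "0x" + "bb" * 20
def _rec(host, proc, body):
    return json.dumps({"host": host, "process": proc, "body": body})
def _call(to):
    return {"jsonrpc": "2.0", "id": 1, "method": "eth_call",
            "params": [{"to": to, "data": "0x"}, "latest"]}
SAMPLE_LOG = "\n".join([
    _rec("WS-014", "chrome.exe", _call(C2)),                # allowlisted process
    _rec("WS-022", "updater.exe", _call(C1)),               # single read
    _rec("WS-022", "updater.exe", [_call(C1), _call(C1)]),  # batched reads
    _rec("WS-022", "updater.exe", {"jsonrpc": "2.0", "id": 2,
                                   "method": "eth_blockNumber", "params": []}),
    "truncated {not json",                                  # malformed line
])
```

Repeated reads of the same contract from a host with no business reason to query a blockchain are the signal worth triaging; the allowlist and any count threshold need tuning per environment.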
“This exploit of smart contracts to deliver proxy addresses is an interesting method where attackers can literally apply infinite variants of this technique; imagination is the limit,” Group-IB said.
The firm noted similar tactics have been used before, including a method known as EtherHiding reported by Google.
EtherHiding was linked to a North Korean threat actor that used public blockchains to store and retrieve malicious payloads.
At the time of reporting, the Polygon price was $0.1477.