19 Jan 2026 18:45

DeadLock: Ransomware Gang Uses Smart Contracts to Mask Its Work

Ruslan Mikhalov, Chief of Threat Research at SOC Prime

Detection stack

  • AIDR
  • Alert
  • ETL
  • Query

Summary

DeadLock ransomware has adopted Polygon smart contracts as a resilient way to publish and rotate proxy URLs used for command-and-control (C2), allowing the backend infrastructure to change quickly without relying on conventional domains. Following encryption, the actors drop an HTML “payment/communication” wrapper that steers victims to the decentralized messenger Session for further instructions and interaction. The technique resembles the EtherHiding pattern previously reported in North Korean-linked activity, using blockchain data as an indirection layer for malicious infrastructure. Notably, DeadLock appears to deprioritize traditional public leak sites and instead monetizes stolen data through underground marketplace sales.

Investigation

Group-IB analysts documented DeadLock’s smart-contract–backed approach to concealing C2 endpoints, including the post-encryption drop of an HTML file that explicitly references Session as the communication channel. The report also cites earlier Cisco Talos reporting that associated DeadLock activity with BYOVD (bring-your-own-vulnerable-driver) techniques and EDR process termination, though precise initial-access vectors were not conclusively identified. Similar “smart contract as C2 directory” tradecraft has also been discussed by Google Threat Intelligence Group in the context of North Korean campaigns, reinforcing the broader trend of leveraging public blockchains for infrastructure agility.

Mitigation

Monitor endpoints for unexpected HTML artifacts that launch or reference Session (or other decentralized messengers) after suspicious file activity. Enforce strong application allowlisting and restrict execution of unapproved tools that can facilitate remote access, payload staging, or messenger installation. On the network side, review egress for connections to proxy URLs or domains that appear to be derived from blockchain-stored pointers and treat sudden shifts in outbound destinations as a high-signal anomaly. Continuously update endpoint detections to identify BYOVD driver loading, suspicious driver installs, and behaviors consistent with EDR tampering or forced security-service termination.
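The egress review described above (new outbound destinations appearing in bursts, siblings under one parent domain, from a single internal host) can be checked mechanically. The following Python is an added example written for this page, not SOC Prime's detection content or the Sigma rule the simulation below refers to. It assumes a simplified, constructed proxy log format (`timestamp src_ip method url status`), a naive "last two labels" parent-domain rule rather than the Public Suffix List, and a tunable window/threshold; the log lines embedded in it are constructed to mirror the three-request rotation pattern used in the simulation, not real telemetry.

```python
"""Rotation-churn detector for proxy egress logs (added example, constructed data)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed sample lines in an assumed "ts src method url status" proxy format.
# 10.0.0.5 hits three never-before-seen sibling subdomains within seconds (rotation pattern);
# 10.0.0.7 shows ordinary, slowly changing destinations and must not alert.
SAMPLE_LOG = """\
2026-01-19T18:40:01Z 10.0.0.5 GET http://stage1.example.com/deadlock 200
2026-01-19T18:40:03Z 10.0.0.5 GET http://stage2.example.com/deadlock 200
2026-01-19T18:40:05Z 10.0.0.5 GET http://stage3.example.com/deadlock 200
2026-01-19T18:41:00Z 10.0.0.7 GET http://updates.vendor-a.example.net/manifest 200
2026-01-19T18:45:00Z 10.0.0.7 GET http://updates.vendor-a.example.net/manifest 200
2026-01-19T18:50:00Z 10.0.0.7 GET http://cdn.vendor-b.example.org/lib.js 200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)


def parse_line(line):
    """Return {'ts', 'src', 'host'} for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    host = urlsplit(m.group("url")).hostname
    if host is None:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    return {"ts": ts, "src": m.group("src"), "host": host.lower()}


def parent_domain(host):
    """Simplification: last two labels. A real deployment would use the Public Suffix List."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def detect_rotation(lines, window=timedelta(minutes=5), min_new=3, baseline=None):
    """Flag a source that contacts >= min_new never-before-seen sibling hosts within `window`.

    `baseline` is an optional set of (src, host) pairs learned from a quiet period so
    that a cold start does not treat every long-standing destination as new.
    """
    events = [e for e in (parse_line(l) for l in lines) if e]
    events.sort(key=lambda e: e["ts"])
    seen = defaultdict(set)  # src -> hosts already observed
    for src, host in baseline or ():
        seen[src].add(host)
    recent = defaultdict(list)  # src -> [(ts, host)] first-seen hosts inside the window
    alerted = set()
    findings = []
    for e in events:
        src, host, ts = e["src"], e["host"], e["ts"]
        if host in seen[src]:
            continue  # not a new destination for this source
        seen[src].add(host)
        recent[src] = [(t, h) for t, h in recent[src] if ts - t <= window] + [(ts, host)]
        by_parent = defaultdict(list)
        for _, h in recent[src]:
            by_parent[parent_domain(h)].append(h)
        for parent, hosts in by_parent.items():
            if len(hosts) >= min_new and (src, parent) not in alerted:
                alerted.add((src, parent))
                findings.append({"src": src, "parent": parent,
                                 "hosts": sorted(hosts), "window_end": ts})
    return findings


if __name__ == "__main__":
    for f in detect_rotation(SAMPLE_LOG.splitlines()):
        print(f"[!] {f['src']} reached {len(f['hosts'])} new hosts under {f['parent']} "
              f"by {f['window_end']:%H:%M:%S}: {', '.join(f['hosts'])}")
```

On the constructed lines this reports one finding for 10.0.0.5 (three new `*.example.com` hosts in four seconds) and nothing for 10.0.0.7, whose two new hosts are nine minutes apart and under different parents. Tune `window` and `min_new` against your own proxy baseline; the parent-domain grouping is what separates a rotation pattern from ordinary first-contact noise such as a browser fanning out to many CDNs.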

Response

If DeadLock indicators are identified, isolate impacted systems immediately to prevent further encryption and lateral movement. Collect and preserve the dropped HTML wrapper, encryption notes, and any related binaries or scripts, then block outbound traffic to any observed proxy URLs and smart-contract-referenced infrastructure. Initiate formal incident response procedures, validate the integrity and availability of offline/backed-up recovery paths before remediation, and assess potential data exposure to determine extortion risk. Where appropriate, coordinate stakeholder communications and engage specialized ransomware response support while performing full scoping and eradication.

Attack Flow

    graph TB
      %% Class Definitions
      classDef action fill:#99ccff
      classDef technique fill:#c2e0ff
      classDef tool fill:#cccccc
      classDef malware fill:#ffcccc
      classDef process fill:#e6e6e6
      classDef data fill:#f0e68c
      classDef operator fill:#ff9900

      %% Technique Nodes
      tech_priv_esc["<b>Technique</b> – T1068 Exploitation for Privilege Escalation<br/><b>Description</b>: Use vulnerable driver to gain elevated system privileges."]
      class tech_priv_esc technique
      tech_def_evasion["<b>Technique</b> – T1211 Exploitation for Defense Evasion<br/><b>Description</b>: Exploit driver vulnerabilities to terminate or bypass security agents."]
      class tech_def_evasion technique
      tech_impair["<b>Technique</b> – T1562 Impair Defenses<br/><b>Description</b>: Disable or tamper with security solutions to reduce detection and response capabilities."]
      class tech_impair technique
      tech_web_comm["<b>Technique</b> – T1102.002 Web Service Bidirectional Communication<br/><b>Description</b>: Drop encrypted HTML wrapper that launches the Session messenger and obtains a proxy URL from a Polygon smart contract."]
      class tech_web_comm technique
      tech_app_proto["<b>Technique</b> – T1071.001 Application Layer Protocol Web Protocols<br/><b>Description</b>: Communicate with proxy and C2 server over standard web protocols (HTTP/WebSocket) blending with legitimate traffic."]
      class tech_app_proto technique

      %% Tool Node
      tool_vuln_driver["<b>Tool</b> – Name: Vulnerable Driver<br/><b>Purpose</b>: Provides kernel-level code execution used for privilege escalation and defense evasion."]
      class tool_vuln_driver tool

      %% Malware Node
      malware_deadlock["<b>Malware</b> – Name: DeadLock Ransomware<br/><b>Capability</b>: Performs encryption and C2 communication after initial compromise."]
      class malware_deadlock malware

      %% Process Nodes
      process_html_wrapper["<b>Process</b> – Name: HTML Wrapper<br/><b>Action</b>: Decrypts and launches the Session messenger on the victim host."]
      class process_html_wrapper process
      process_session_messenger["<b>Process</b> – Name: Session Messenger<br/><b>Action</b>: Handles encrypted traffic, retrieves proxy information and talks to C2."]
      class process_session_messenger process
      process_c2_server["<b>Server</b> – C2 Server<br/><b>Protocol</b>: HTTP/WebSocket"]
      class process_c2_server process

      %% Data Node
      data_proxy_url["<b>Data</b> – Proxy URL<br/><b>Source</b>: Retrieved from a Polygon smart contract for rotating C2 endpoints."]
      class data_proxy_url data

      %% Connections
      tech_priv_esc -->|uses| tool_vuln_driver
      tech_def_evasion -->|uses| tool_vuln_driver
      tool_vuln_driver -->|enables| tech_priv_esc
      tool_vuln_driver -->|enables| tech_def_evasion
      malware_deadlock -->|drops| process_html_wrapper
      process_html_wrapper -->|launches| process_session_messenger
      process_session_messenger -->|retrieves| data_proxy_url
      data_proxy_url -->|provides| tech_web_comm
      tech_web_comm -->|communicates via| tech_app_proto
      process_session_messenger -->|talks to| process_c2_server
      tech_impair -->|targets| malware_deadlock

Simulation Execution

Prerequisite: The Telemetry & Baseline Pre‑flight Check must have passed.

Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic. Abstract or unrelated examples will lead to misdiagnosis.

  • Attack Narrative & Commands:

    The threat actor, having compromised a smart‑contract‑controlled proxy service, rotates the proxy URL every few minutes to evade static blocklists. Each rotation publishes a new sub‑domain under deadlock.example.com. The ransomware queries the proxy to retrieve the next C2 address. To emulate this, we issue a series of HTTP requests to three distinct URLs that all contain the literal string “.example.com”, mimicking the rotation pattern observed in the wild.

  • Regression Test Script:

    #!/usr/bin/env bash
    # DeadLock Proxy URL Rotation Simulation – generates telemetry that matches the Sigma rule
    set -u   # abort on unset variables; curl failures are tolerated so every request still reaches the proxy log

    PROXY="http://proxy.example.local:3128"
    URLs=(
      "http://stage1.example.com/deadlock"
      "http://stage2.example.com/deadlock"
      "http://stage3.example.com/deadlock"
    )

    echo "[*] Starting proxy-URL rotation simulation (${#URLs[@]} requests)..."
    for url in "${URLs[@]}"; do
      echo "[+] Requesting $url via $PROXY"
      # -x routes the request through the proxy so it is recorded there; --max-time avoids hanging on a dead proxy
      curl -s -x "$PROXY" --max-time 10 "$url" -o /dev/null
      sleep 2   # short pause to emulate a realistic rotation interval
    done

    echo "[*] Simulation complete."

  • Cleanup Commands:

    #!/usr/bin/env bash
    # Remove any temporary files created during the simulation (none in this case)
    echo "[*] No artifacts to clean up. Leaving proxy configuration untouched."