deadlock

Ransomware group profile

75Victims

80Impact score

Description

DeadLock is a financially motivated ransomware group that emerged in mid-July 2025. The group employs double extortion tactics, demanding ransom payments in cryptocurrencies while threatening to sell stolen data on underground markets. They utilize innovative techniques, such as blockchain smart contracts, to manage their command-and-control infrastructure, enhancing their evasion capabilities.

Key insights

•Utilizes innovative Polygon blockchain smart contracts to manage C2 proxy server addresses.
•Employs double extortion tactics, threatening to sell exfiltrated data instead of maintaining a public leak site.
•Initial access typically involves exploiting vulnerabilities like CVE-2024-51324 in Baidu Antivirus.
•Ransomware is written in C++ and uses a custom stream cipher with time-based cryptographic keys.
•Targets multiple sectors including Real Estate, Health Care, and Manufacturing.
•Engages in defense evasion techniques such as process hollowing and PowerShell script executions.
•Communication with victims is facilitated through Session messenger using an HTML-based interface.

Industries

Education Energy & Utilities Financial Services Government & Defense Healthcare Hospitality Manufacturing Other Professional Services Retail & E-Commerce Technology Transportation

Threat Level & Status Breakdown

For deadlock · Based on incidents in selected period

3.9threat level

Aggressiveness10/ 10

Lethality0.3/ 10

Criticality1.2/ 10

Status Breakdown

Data Leaked5.3%4

Claimed25.3%19

First seenMay 2026

Last seenJun 2026

Avg ransom—

Payment rate—

Statusactive

Sophistication0

Last updatedJun 18, 2026

Recent activity

Monthly attack count for deadlock in the selected period

75Total attacks

65peak in Jun

37.5avg / month

↑ 55 vs first month

No intelligence data for this group.

TTPs & Attack Vectors

Tools, initial access, and MITRE ATT&CK techniques for deadlock

Defense Evasion

T1562

Impair Defenses

Execution

T1059

Command and Scripting Interpreter

Impact

T1486

Data Encrypted for Impact

T1490

Inhibit System Recovery

Lateral Movement

T1021

Remote Services

T1021.001

Remote Desktop Protocol

T1080

Taint Shared Content

Other

T1311

Persistence

T1078

Valid Accounts

T1547

Boot or Logon Autostart Execution

Victims(75)

Company	Domain	Country	Industry	Status	Discovered
Notice	—	—	—	Data Leaked	3 days ago
iASK	—	HU Hungary	Education	Unknown	4 days ago
Noega and Esnova	—	ES Spain	Manufacturing	Unknown	4 days ago
IFC Eur	—	ES Spain	Manufacturing	Unknown	4 days ago
TPToys	—	GB United Kingdom	Manufacturing	Unknown	4 days ago
EXPRESOKNA SP. Z O.O.	—	PL Poland	Manufacturing	Unknown	4 days ago
Bär Cargolift Polska Sp. z o.o.	—	PL Poland	Manufacturing	Unknown	4 days ago
Grupolider \| Grupo Actual	—	AO Angola	Other	Data Leaked	4 days ago
Dyhrberg AG Switzerland	—	CH Switzerland	Other	Unknown	4 days ago
SKK Networks Sp. z o.o. and UNICARD Systems Sp. z o. o. and SKK SA	—	PL Poland	Technology	Unknown	4 days ago
PB Sprinkler Engineering Sp. z o.o. and PLISZKA Fire Protection Engineering	—	PL Poland	Manufacturing	Unknown	4 days ago
8.2 Group e.V.	—	DE Germany	Energy & Utilities	Unknown	4 days ago
Integra and Operosa	—	—	—	Data Leaked	4 days ago
JOSO	—	NO Norway	Manufacturing	Unknown	4 days ago
GEOPARTNER Sp. z o.o. and GEOPARTNER GEOMATICS Sp. z o.o.	—	PL Poland	Professional Services	Unknown	4 days ago
FIRESTA	—	CZ Czech Republic	Other	Unknown	4 days ago
UFL	—	PG Papua New Guinea	Financial Services	Unknown	4 days ago
Picassent	—	ES Spain	Government & Defense	Unknown	4 days ago
Starconn	—	TW Taiwan	Manufacturing	Unknown	4 days ago
EFCA	—	FR France	Other	Unknown	4 days ago

Page 1 of 4

Affected countries(26)

Countries where this group has been reported to target or leak victims.