A little known ransomware crew called Deadlock listed 65 organizations on its dark web extortion site in a single day, its largest batch on record and a sharp jump from the roughly 10 victims it named in its previous burst of activity in mid June. The listings, posted on July 10, name mostly small and mid sized businesses across Europe and Latin America, and they read as a mass shaming dump rather than a run of high profile breaches.
The important caveat first: every name on a leak site is an unverified extortion claim posted by the attackers, not a confirmed breach. Groups like Deadlock pad their pages to pressure victims into paying, and some entries turn out to be exaggerated, recycled, or simply wrong. None of the organizations listed has confirmed an incident, and IntelFusions is reporting what the gang claims, not what it has proven.
Who Deadlock is
Deadlock, which IntelFusions also tracks under the name Pounce Flux, is a financially motivated ransomware operation that runs a name and shame leak site in the now standard double extortion model: steal data, encrypt systems, then threaten to publish the stolen files unless a ransom is paid. It has kept a low profile next to bigger brands, which is exactly why a 65 victim day stands out. You can follow its activity on our Deadlock threat actor profile.
What the dump looks like
The 65 alleged victims span 29 countries. Spain and Italy lead with seven each, followed by Poland with six and Germany with four, trailing off into a long tail across the Czech Republic, Argentina, Brazil, Mexico and the United States. By sector the list skews heavily toward business services (17 entries) and manufacturing (10), with a scattering of public sector bodies, healthcare providers and energy firms. The targets are overwhelmingly the kind of small and mid sized organizations that rarely make headlines: regional manufacturers, law and accounting practices, local consultancies and municipal offices.
A few named entries stand out, among them the Automobile Club of Uruguay, a Swiss manufacturer, a Czech town administration and a US parks district. The geographic and sector sprawl, with no obvious common thread, points to opportunistic targeting, likely the fruits of bulk access buying or mass exploitation of exposed systems, all dumped at once.
Why a sudden surge matters
Big single day batches from a mid tier crew usually mean one of two things. Either the group has been sitting on a backlog of earlier intrusions and released them together for maximum effect, or it has recently gained a fresh batch of access and is racing to monetize it. Either way, a six fold jump in listings signals that Deadlock is scaling up, a pattern we have seen from other lower profile crews such as Genesis piling up small US businesses and SafePay's recent leak site surge.
What defenders should do
Smaller organizations without dedicated security teams should treat this as a prompt to check the basics these crews rely on: enforce multi factor authentication on all remote access and email, patch internet facing VPNs and gateways promptly, keep offline and tested backups, and watch for unusual outbound data transfers that tend to precede a leak. If your organization appears on a leak site, assume data theft has occurred, preserve your logs, and engage incident response and legal counsel before making any contact with the attackers.
This briefing is provided by IntelFusions for informational and defensive purposes only. It is based on sources assessed to be reliable at the time of writing, and analytic judgments carry the confidence levels indicated. Indicators of compromise are defanged; re-arm them only in controlled environments. IntelFusions is not affiliated with the organizations named and makes no warranty as to completeness or accuracy.