Deadlock — Ransomware Profile
DeadLock is a ransomware and double extortion operation first observed in July 2025, run as a closed group with no known affiliate program. Its encryptor appends the .dlock extension, and intrusions have featured a bring-your-own-vulnerable-driver loader abusing a Baidu Antivirus driver, PowerShell scripts that disable Windows Defender and delete backups, and AnyDesk and RDP for remote access and lateral movement. The operation retrieves proxy server addresses from Polygon blockchain smart contracts to rotate its infrastructure and directs victims to negotiate over the Session encrypted messenger. In June 2026 DeadLock launched a clearnet data leak site listing roughly 80 victims in a single batch, assessed as likely drawn from the group's own earlier campaigns; a minority of those posts repost victims previously claimed by other ransomware operations, including Akira and NightSpire, so individual leak-site claims do not always reflect original DeadLock intrusions.
Read the full analysis on IntelFusions