Secplicity Blog

DeadLock Ransomware Group Embeds Data Leak Site Within Ransom Note

The DeadLock ransomware operation has existed since mid-2025, with most of the first reported sightings in mid-July, according to ThreatScene. Their report mentioned that the group “now conducts double extortion” following a subsequent analysis in September 2025, which revealed that newer DeadLock payloads dropped a ransom note with an integrated web chat interface. However, almost a year later, there has been no further research on this group’s double extortion efforts. The reason is now clear: the newer payloads show that the group has been embedding its data leak site directly into the HTML ransom note!

A recent analysis by the WatchGuard Attestation Team examined a version of DeadLock compiled at the beginning of June 2026. The findings corroborated much of what Cisco Talos, Group-IB, and ThreatScene had already reported about this ransomware. These three reports covered almost every aspect of the early iterations of DeadLock, including how the operators embedded proxy addresses in Polygon smart contracts and how the authors used a custom stream cipher algorithm to encrypt files. What neither the early versions of DeadLock nor these reports contain is this newer ransom note.

Group-IB showed how early iterations of the ransom note evolved over time, foreshadowing how this group would become a double extortion operation. The first analyzed ransom note, from a June 27, 2025, sample, never mentioned data exfiltration, only encryption:

Figure: deadlock-1.png

The second ransom note from July 17, 2025, added that data was also stolen in addition to being encrypted:

Figure: deadlock-2.png

A third ransom note, from an August 12, 2025, sample, added an offer to include a security report on how the attackers got in, an increasing trend among ransomware groups. Although this claim is made to lend the operation legitimacy, most groups never actually provide such a report.

Figure: deadlock-3.png

The third sample also included the first iteration of an HTML ransom note, which has since evolved.

Figure: deadlock-4.png

That leads us to the current sample (SHA256: 9e69862c4a5b34c12c10fbf2d345e7fd654c71adcb5f9b6524d7a54209fce343). Most behaviors matched the older samples, but the HTML ransom note differed from earlier iterations. It includes three tabs.

1. About: Like the original HTML ransom note from Group-IB’s third sample.

Figure: deadlock-5.png

2. Chat: Integrated web chat with authentication.

Figure: deadlock-6.png

3. Blog: Duplicate of their current data leak site.

Figure: deadlock-7.png

The current data leak site has 23 pages, and many entries list multiple organizations. We’ve compiled a list of all published organizations to see whether this group targets specific sectors or countries. This is also documented in the Ransomware Tracker entry for DeadLock.

Most of the published victims were in Europe, specifically Spain, Italy, Poland, and Türkiye.

Figure: deadlock-8.png

Figure: deadlock-9.png

There is a wide variety of industries, but most victims were Engineering Services and Manufacturing organizations.

Figure: deadlock-10.png

Some of the notable inclusions on DeadLock’s alleged victim list include:

  • Large conglomerate in Angola
  • Finance institution in Gabon
  • Government agency in Papua New Guinea
  • Large electronics manufacturer in Taiwan
  • International veterinary pharmaceutical company

At the very end of execution, the sample drops the traditional TXT ransom note, but this version includes a link to their actual data leak site, which is hosted on the clearnet rather than the dark web.

Figure: deadlock-11.png

The first victim on their blog was posted on February 11, 2026, so any sample built on or after this date can be assumed to carry this embedded data leak site ransom note.

Aside from the behavior of the ransomware encryptor itself, little is known about DeadLock and its operational behaviors. For example, there is no known substantial research on how this group breaches networks. However, Cisco Talos’ report mentioned that they leverage BYOVD techniques to disable defensive countermeasures. ThreatScene included some data on the tools they use for lateral movement, but that only covers activity after the initial breach. Group-IB had no telemetry on the initial breach, and unfortunately neither do we.

All IoCs, references, and artifacts can be found on the Ransomware Entry Page: DeadLock

Filed under: Ransomware, Research