DeadLock Ransomware Group Embeds Data Leak Site Within Ransom Note
ID: bf81e361-e94e-5d8e-bd88-27a184d69f45
STIX ID: report--bf81e361-e94e-5d8e-bd88-27a184d69f45
Feed Name: WatchGuard Secplicity Blog
The report analyzes the DeadLock ransomware group (active since mid-2025), highlighting an operational evolution to double extortion by embedding their data leak site and an integrated web chat into HTML ransom notes. The June 2026 sample examined preserves earlier capabilities (custom stream cipher, proxy addresses in Polygon smart contracts) and adds a clearnet leak site used to publish dozens of victims across Europe and other regions, primarily targeting engineering and manufacturing but including diverse high-impact organizations. Limited visibility remains around initial access, but the group demonstrates considerable operational maturity and active ongoing data exfiltration.
Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.
