Back to Intelligence

DEADLOCK Ransomware: Global Surge In Business Services & Public Sector Targets

SA
Security Arsenal Team
July 15, 2026
6 min read

Aliases & Affiliation: DEADLOCK is a relatively new but highly active ransomware operation believed to operate on a RaaS (Ransomware-as-a-Service) model with affiliates skilled in exploiting edge devices. While no direct rebrand from a major previous group has been confirmed, their TTPs show overlaps with post-Conti and LockBit affiliate clusters.

Ransom Model: They operate a strict "double-extortion" model. Data is exfiltrated prior to encryption, and victims are given a short window (typically 48-72 hours) to negotiate before data is published on their .onion portal. Ransom demands vary significantly based on victim revenue, typically ranging from $500k to $5m.

Initial Access & TTPs:

  • Primary Vectors: DEADLOCK affiliates aggressively exploit known vulnerabilities in external-facing perimeter appliances, specifically Remote Monitoring and Management (RMM) tools (ScreenConnect) and VPN/Firewall appliances (Check Point, Cisco).
  • Lateral Movement: Upon establishing a foothold, they utilize Cobalt Strike beacons for C2, moving laterally via PsExec and WMI.
  • Dwell Time: Analysis of recent victims suggests an average dwell time of 3–5 days between initial access and detonation, though in cases involving vulnerable RMM tools, this can drop to under 24 hours.

Current Campaign Analysis

Sector Targeting: The latest batch of 14 victims (posted 2026-07-10 to 2026-07-12) indicates a pivot toward high-volume, lower-resilience targets:

  • Business Services (21%): Including Schlenker and Cantwell, P.A. (US) and Aldaco Avance 2022 S.L. (ES).
  • Public Sector (7%): The Morton Grove Park District (US) represents a concerning expansion into government-adjacent entities.
  • Manufacturing & Construction: Significant hits on WH Müller (DE) and Weinberg '93 Építő Kft. (HU).

Geographic Spread: DEADLOCK is executing a truly global campaign. The recent victim list spans 8 countries:

  • Americas: US, AR (Argentina), MX (Mexico), UY (Uruguay)
  • Europe: ES (Spain), HU (Hungary), DE (Germany), IT (Italy)

Victim Profile: The targets are generally mid-market entities ($50M - $500M revenue). These organizations often lack the 24/7 SOC coverage required to detect the rapid exploitation of edge vulnerabilities like CVE-2024-1708.

CVE Correlation: The timing of victim postings correlates strongly with the exploitation of:

  • CVE-2024-1708 (ConnectWise ScreenConnect): Allows for immediate RCE. This is likely the primary vector for the rapid targeting of the Business Services and Technology sectors.
  • CVE-2026-50751 (Check Point Security Gateway): Likely used to bypass perimeter defenses in the Manufacturing and Public Sector victims.

Detection Engineering

Sigma Rules (DEADLOCK & Affiliate Indicators)

YAML
title: Potential DEADLOCK Ransomware Activity - ConnectWise ScreenConnect Exploitation
id: d6b3f8d0-1c2a-4f7d-9e0a-1b2c3d4e5f6a
description: Detects potential exploitation of CVE-2024-1708 involving suspicious paths or process spawning from ScreenConnect services.
status: experimental
date: 2026/07/16
author: Security Arsenal Research
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|contains: 'ScreenConnect'
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
    condition: selection
falsepositives:
    - Legitimate administrator usage
level: high
---
title: DEADLOCK Affiliate - Volume Shadow Copy Deletion
id: a1b2c3d4-e5f6-7890-abcd-ef1234567890
description: Detects commands used to delete Volume Shadow Copies, a common step prior to DEADLOCK encryption.
status: experimental
date: 2026/07/16
author: Security Arsenal Research
logsource:
    category: process_creation
    product: windows
detection:
    selection_vssadmin:
        Image|endswith: '\vssadmin.exe'
        CommandLine|contains: 'delete shadows'
    selection_wmic:
        Image|endswith: '\wmic.exe'
        CommandLine|contains: 'shadowcopy delete'
    condition: 1 of selection_
falsepositives:
    - System administration scripts
level: critical
---
title: DEADLOCK - Rclone Data Exfil Tool Execution
id: b2c3d4e5-f6a7-8901-bcde-f23456789012
description: Detects execution of rclone, a tool frequently used by DEADLOCK affiliates for large-scale data exfiltration.
status: experimental
date: 2026/07/16
author: Security Arsenal Research
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\rclone.exe'
        CommandLine|contains:
            - 'copy'
            - 'sync'
            - 'megacopy'
    condition: selection
falsepositives:
    - Legitimate backup utilities using rclone
level: high


**KQL (Microsoft Sentinel) - Pre-Encryption Staging Hunt**

kql
// Hunt for rapid file modifications and potential staging
// indicative of ransomware preparation
DeviceFileEvents
| where Timestamp >= ago(7d)
| where InitiatingProcessAccountName != "System" 
| where FolderPath contains "\AppData\Local\Temp" 
or FolderPath contains "C:\Windows\Temp"
| project Timestamp, DeviceName, FileName, FolderPath, InitiatingProcessFileName, InitiatingProcessCommandLine, ActionType
| where ActionType in ("FileCreated", "FileModified")
| summarize FileCount = count(), DistinctFiles = dcount(FileName) by DeviceName, InitiatingProcessFileName, bin(Timestamp, 5m)
| where FileCount > 10
| order by FileCount desc


**PowerShell - Hardening & Detection Script**

powershell
# DEADLOCK Rapid Response Hardening Script
# Checks for exposed RDP, recent scheduled tasks (persistence), and VSS health.

Write-Host "[+] Starting DEADLOCK Hardening Check..." -ForegroundColor Cyan

# 1. Check for Recent Scheduled Tasks (Persistence)
Write-Host "\n[*] Checking for Scheduled Tasks created in the last 7 days..." -ForegroundColor Yellow
$DateCutoff = (Get-Date).AddDays(-7)
Get-ScheduledTask | Where-Object {$_.Date -gt $DateCutoff} | Select-Object TaskName, TaskPath, Date, Author

# 2. Check for RDP Exposure (Firewall)
Write-Host "\n[*] Checking RDP Firewall Rules..." -ForegroundColor Yellow
$RdpRules = Get-NetFirewallRule | Where-Object {$_.DisplayName -like "*Remote Desktop*" -and $_.Enabled -eq 'True'}
if ($RdpRules) {
    Write-Host "[!] WARNING: RDP Firewall Rules are Active:" -ForegroundColor Red
    $RdpRules | Select-Object DisplayName, Enabled, Direction | Format-Table
} else {
    Write-Host "[+] No active RDP firewall rules found." -ForegroundColor Green
}

# 3. Check Shadow Copy Storage (Resilience)
Write-Host "\n[*] Checking Volume Shadow Copy Storage..." -ForegroundColor Yellow
try {
    $vss = gwmi -Class Win32_ShadowCopy
    if ($vss) {
        Write-Host "[+] Found $($vss.Count) Shadow Copies."
        $vss | Select-Object InstallDate, VolumeName, DeviceObject | Format-Table
    } else {
        Write-Host "[!] CRITICAL: No Shadow Copies found. System is vulnerable to data loss." -ForegroundColor Red
    }
} catch {
    Write-Host "Error checking VSS: $_" -ForegroundColor Red
}

Write-Host "\n[+] Check complete." -ForegroundColor Cyan


---

# Incident Response Priorities

1.  **T-Minus Detection Checklist:**
    *   Immediately review logs for successful authentication to **ConnectWise ScreenConnect** instances originating from unusual IPs or followed by immediate PowerShell execution.
    *   Hunt for **Check Point VPN** logs indicating successful IKEv1 handshake with invalid or mismatched peer IDs (CVE-2026-50751).
    *   Monitor for spikes in outbound traffic on non-standard ports (potential exfil via rclone).

2.  **Critical Assets for Exfil:**
    Based on victimology, DEADLOCK prioritizes:
    *   **PII/PHI** (Healthcare victims like DOCTUS USA).
    *   **Financial Records & Client Databases** (Business Services/Legal).
    *   **Proprietary Schematics & Blueprints** (Construction/Manufacturing).

3.  **Containment Actions:**
    *   **Isolate:** Disconnect internet-facing VPN and RMM interfaces immediately if compromise is suspected.
    *   **Disable:** Turn off local admin accounts and enforce "Smart Card Required" for domain admins if possible.
    *   **Preserve:** Snapshot memory of servers hosting ConnectWise or VPN appliances before rebooting to capture exploitation artifacts.

---

# Hardening Recommendations

**Immediate (24 Hours):**
*   **Patch CVE-2024-1708:** Apply the latest hotfixes to all ConnectWise ScreenConnect instances immediately. If patching is impossible, restrict access to trusted IPs via firewall.
*   **Patch CVE-2026-50751:** Update Check Point Security Gateways to the latest version to fix the IKEv1 authentication bypass.
*   **Audit RMM:** Review all active sessions in RMM tools; enforce MFA for all technicians.

**Short-term (2 Weeks):**
*   **Network Segmentation:** Move RMM and VPN management interfaces to a dedicated management VLAN, strictly separated from user data and production servers.
*   **Implement CASB:** Deploy Cloud Access Security Broker rules to detect and block large-scale data transfers to personal cloud storage (Mega, MediaFire) often used by DEADLOCK.

---

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub

darkwebransomware-gangdeadlockransomwareconnectwisecve-2024-1708business-servicespublic-sector

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.