Intelligence Briefing Date: 2026-07-10
Source: Ransomware.live Dark Web Leak Site Monitor
Threat Actor Profile — DEADLOCK
DEADLOCK is a highly active Ransomware-as-a-Service (RaaS) operation that has aggressively scaled its operations in 2026. Operating on a dual-extortion model, the gang encrypts victim systems and threatens to leak sensitive data if ransoms are not paid.
- Affiliation Model: RaaS with suspected affiliate ties to former Conti/HelloKitty elements due to code overlap in encryptors.
- Ransom Demands: Typically ranging from $500k to $5M, heavily weighted based on annual revenue.
- Initial Access: Heavily reliant on exploiting external-facing perimeter vulnerabilities (VPN/Firewall) and compromised Remote Management and Monitoring (RMM) tools.
- Dwell Time: Short. Intelligence suggests an average dwell time of 3–5 days between initial access and encryption detonation, prioritizing speed over stealth in recent campaigns.
Current Campaign Analysis
Sectors Targeted
DEADLOCK’s latest postings indicate a pivot towards Critical Infrastructure and Essential Services. The July 10th dump hits:
- Manufacturing: 4 victims (WH Müller, Quetzal Química, Güven Mühendislik, Catcorp)
- Public Sector/Healthcare: 2 victims (The Morton Grove Park District, DOCTUS USA Inc)
- Construction: 1 victim (Weinberg ''93 Építő Kft.)
Geographic Concentration
While US entities remain a primary target (Morton Grove, Schlenker and Cantwell, DOCTUS), there is a distinct diversification into LATAM and Europe:
- Hotspots: Argentina (3 victims), Mexico (2 victims), Hungary, Germany, Turkey, Uruguay, India, Canada.
Victim Profile
The victims range from mid-sized municipal entities (Park Districts) to specialized manufacturing firms. The inclusion of "3Gi Solutions" (MSP) in Canada suggests a supply-chain attack, potentially leveraging the MSP to pivot downstream into their clients.
CVE Connections & Initial Access Vectors
The campaign correlates directly with the exploitation of recently disclosed CISA KEV vulnerabilities:
- CVE-2026-50751 (Check Point Security Gateway): Victims with Check Point perimeters should assume credential dumping or authentication bypass.
- CVE-2024-1708 (ConnectWise ScreenConnect): Frequently used by DEADLOCK affiliates for RMM tool abuse to gain remote code execution.
- CVE-2026-20131 (Cisco Secure Firewall): Potential bypass of firewall management controls, facilitating lateral movement.
Detection Engineering
SIGMA Rules
---
title: Potential Check Point Gateway IKEv1 Exploitation CVE-2026-50751
id: 88a1b2c3-d4e5-4f6g-7h8i-9j0k1l2m3n4o
status: experimental
description: Detects potential exploitation of improper authentication in IKEv1 key exchange leading to VPN gateway compromise.
author: Security Arsenal Research
date: 2026/07/10
logsource:
product: firewall
service: vpn
detection:
selection:
dst_port: 500
protocol: 'udp'
action: 'accept'
filter_legit:
src_ip|cidr:
- '192.168.0.0/16'
- '10.0.0.0/8'
condition: selection and not filter_legit
falsepositives:
- Legitimate remote office VPN connections
level: critical
---
title: ConnectWise ScreenConnect Suspicious URI Pattern
id: 99b2c3d4-e5f6-5g7h-8i9j-0k1l2m3n4o5p
status: experimental
description: Detects path traversal attempts associated with CVE-2024-1708 on ConnectWise ScreenConnect servers.
author: Security Arsenal Research
date: 2026/07/10
logsource:
category: web
detection:
selection:
c-uri|contains:
- '/bin/'
- '..%2f'
- 'SetupWizard.aspx'
cs-method: 'POST'
condition: selection
falsepositives:
- Uncommon but legitimate administrative setup
level: high
---
title: DEADLOCK Ransomware Pre-Encryption Staging
id: 00c3d4e5-f6g7-6h8i-9j0k-1l2m3n4o5p6q
status: experimental
description: Detects suspicious process execution patterns typical of DEADLOCK prep (PowerShell + vssadmin + Cobalt Strike beacons).
author: Security Arsenal Research
date: 2026/07/10
logsource:
category: process_creation
detection:
selection:
Image|endswith:
- '\powershell.exe'
- '\pwsh.exe'
- '\cmd.exe'
CommandLine|contains:
- 'vssadmin delete shadows'
- 'wbadmin delete catalog'
- 'bypass'
condition: selection
falsepositives:
- Legitimate system administration scripts
level: critical
KQL (Microsoft Sentinel)
Hunt for lateral movement and data staging associated with this group's known toolset.
DeviceProcessEvents
| where Timestamp > ago(3d)
| where ProcessCommandLine has_any("vssadmin", "wbadmin", "ShadowCopyDelete") or InitiatingProcessFileName =~ "powershell.exe"
| extend EncodingType = coalesce(
iff(ProcessCommandLine matches regex @"[A-Za-z0-9+/]{50,}={0,2}", "Base64", "None"),
"None")
| where EncodingType == "Base64"
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, FolderPath, InitiatingProcessFileName
| sort by Timestamp desc
Rapid Response Hardening Script
Check for suspicious scheduled tasks added in the last 7 days, a common persistence mechanism for DEADLOCK.
# DEADLOCK Persistence Hunt: Scheduled Tasks
$DateThreshold = (Get-Date).AddDays(-7)
$SuspiciousTasks = Get-ScheduledTask | Where-Object {
$_.Date -gt $DateThreshold -and
($_.Author -notlike "*Microsoft*" -and $_.Author -notlike "*System*")
}
if ($SuspiciousTasks) {
Write-Host "[ALERT] Found tasks modified/created after $DateThreshold:" -ForegroundColor Red
$SuspiciousTasks | Format-Table TaskName, Date, Author, Actions -AutoSize
} else {
Write-Host "No suspicious non-Microsoft tasks found in the last 7 days." -ForegroundColor Green
}
# Check for Disabled Shadow Copy Storage (Common Prep)
$vssStatus = vssadmin list shadows
if ($vssStatus -match "No shadows found") {
Write-Host "[CRITICAL] No Volume Shadow Copies found. Possible deletion event." -ForegroundColor Red
}
Incident Response Priorities
-
T-minus Detection Checklist:
- Check VPN logs (Check Point/Cisco) for anomalous successful IKEv1 handshakes from unknown foreign IPs.
- Audit ScreenConnect/Web Console logs for the
SetupWizard.aspxpath traversal string. - Hunt for
powershell.exespawningvssadmin.exeto delete shadow copies.
-
Critical Assets at Risk:
- DEADLOCK historically prioritizes PII/PHI databases (Healthcare target: DOCTUS) and CAD/Engineering blueprints (Construction target: Weinberg). Focus containment efforts on file servers housing these data types.
-
Containment Actions:
- Immediate: Disable internet-facing RDP and VPN access for all non-admin accounts. Force-reset MFA tokens for accounts with VPN access.
- Secondary: Isolate the ConnectWise ScreenConnect server from the network if present, as it is likely the C2 channel.
Hardening Recommendations
-
Immediate (24h):
- Patch CVE-2026-50751 (Check Point) and CVE-2024-1708 (ScreenConnect) immediately.
- Implement strict Geo-IP blocking on VPN concentrators (Block non-operational countries; DEADLOCK is hitting HU, AR, MX, TR).
-
Short-term (2 weeks):
- Network Segmentation: Move manufacturing OT networks and SCADA systems off the flat corporate network to prevent spread from IT endpoints.
- MFA Enforcement: Enforce phishing-resistant MFA (FIDO2) for all remote access solutions and cloud management consoles.
Related Resources
Security Arsenal Incident Response
Managed SOC & MDR Services
AlertMonitor Threat Detection
From The Dark Side Intel Hub
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.