New DEVMAN Ransomware by DragonForce Targets Windows 10 and 11 Users

A new ransomware variant, dubbed DEVMAN, has surfaced in the cyberthreat landscape, showcasing a complex lineage tied to the notorious DragonForce family.

Built on a foundation of DragonForce and Conti codebases, DEVMAN introduces unique identifiers such as the .DEVMAN file extension and distinct behavioral traits, setting it apart while retaining core similarities with its predecessors.

This hybrid strain, recently analyzed in ANY.RUN’s secure sandbox, targets Windows 10 and 11 systems, encrypting files rapidly and attempting lateral movement via SMB shares.

A Hybrid Threat Emerges from DragonForce Codebase

However, its deployment appears experimental, with critical flaws like self-encrypting ransom notes undermining its effectiveness.

Despite being flagged by most antivirus engines as DragonForce or Conti, deeper analysis reveals DEVMAN’s separate infrastructure, including a Dedicated Leak Site (DLS) named “Devman’s Place,” claiming nearly 40 victims primarily in Asia and Africa.

[Figure: Encrypted file with the .DEVMAN extension]

DEVMAN’s behavior exhibits intriguing inconsistencies across operating systems and execution environments.

On Windows 10, the ransomware successfully alters desktop wallpapers to display ransom demands, yet it fails to do so on Windows 11 for reasons yet to be determined.

Its encryption process is notably aggressive, offering three modes (full, header-only, and custom) that let the operator trade speed against depth of impact: header-only mode rewrites just the start of each file and finishes far faster than full encryption.

Operational Challenges

A striking flaw in its builder logic results in the encryption of its own ransom notes, rendering them unreadable and effectively severing the communication channel for payment instructions.

This critical oversight, coupled with deterministic file renaming (e.g., ransom notes consistently renamed to “e47qfsnz2trbkhnt.devman”), suggests DEVMAN may still be in a testing phase rather than a polished production threat.

Additionally, the ransomware operates primarily offline, with no external command-and-control (C2) communication observed, relying instead on local SMB probing to spread within networks.

[Figure: Automatic detection labels the sample as “DragonForce”]

Its use of the Windows Restart Manager to shut down processes holding locks on target files, and of a hardcoded mutex such as “hsfjuukjzloqu28oajh727190” to coordinate execution, further ties it to Conti-derived tactics, techniques, and procedures (TTPs).

The sample also demonstrates rudimentary persistence and evasion mechanisms, such as deleting the registry keys it modified and checking for Volume Shadow Copies as a prelude to inhibiting system recovery.

While not groundbreaking in sophistication, these quirks provide valuable insights into the evolving ransomware-as-a-service (RaaS) ecosystem, where affiliates customize existing frameworks like DragonForce to create spinoff variants.

DEVMAN’s emergence underscores the fragmented nature of modern ransomware development, where code reuse and misconfigurations often blur attribution lines.

According to the report, security teams using tools like ANY.RUN’s Interactive Sandbox can gain real-time visibility into such threats, mapping behaviors, extracting indicators of compromise (IOCs), and improving response workflows despite the malware’s erratic execution.

Indicators of Compromise (IOCs)

Type                 Value
MD5                  e84270afa3030b48dc9e0c53a35c65aa
SHA256 (Sample 1)    df5ab9015833023a03f92a797e20196672c1d6525501a9f9a94a45b0904c7403
SHA256 (Sample 2)    018494565257ef2b6a4e68f1c3e7573b87fc53bd5828c9c5127f31d37ea964f8
Mutex name           hsfjuukjzloqu28oajh727190
File name (note)     e47qfsnz2trbkhnt.devman
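The following Python script is an added example, not code from the article or from ANY.RUN. It sweeps a directory for the indicators in the table above (the two sample hashes, the .devman extension and the deterministic note name), uses head-versus-tail entropy to tell a fully encrypted file from one hit by the header-only mode described earlier, and, on a Windows host, checks whether the Conti-style mutex is live. The 4 KiB head window, the 7.5 bits/byte entropy threshold, the 8 KiB sample size and the Global\ prefix tried for the mutex are assumptions of this script; the article states none of them.

```python
"""Offline triage for the DEVMAN indicators on this page (added example, not
ANY.RUN's code). HEAD_LEN, HIGH_ENTROPY, the sample size and the Global\\
prefix tried for the mutex are this script's assumptions, not the page's."""
import ctypes
import hashlib
import math
import os
import sys
from collections import Counter

IOC_MD5 = {"e84270afa3030b48dc9e0c53a35c65aa"}
IOC_SHA256 = {
    "df5ab9015833023a03f92a797e20196672c1d6525501a9f9a94a45b0904c7403",
    "018494565257ef2b6a4e68f1c3e7573b87fc53bd5828c9c5127f31d37ea964f8",
}
ENCRYPTED_EXT = ".devman"
NOTE_NAME = "e47qfsnz2trbkhnt.devman"   # the self-encrypted, renamed note
MUTEX_NAME = "hsfjuukjzloqu28oajh727190"

HEAD_LEN = 4096      # assumed size of the region a header-only run rewrites
HIGH_ENTROPY = 7.5   # assumed bits/byte above which a sample looks encrypted


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte; 8.0 is the ceiling (uniform byte mix)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify_encryption(data: bytes, head_len: int = HEAD_LEN) -> str:
    """'full' (all high-entropy), 'header-only' (only the first head_len bytes
    high-entropy) or 'plain'. Natively compressed formats read as 'full'."""
    head, tail = data[:head_len], data[head_len:]
    if shannon_entropy(head) < HIGH_ENTROPY:
        return "plain"
    if tail and shannon_entropy(tail) < HIGH_ENTROPY:
        return "header-only"
    return "full"


def hash_file(path: str) -> tuple:
    """(md5, sha256) hex digests, streamed so large files stay cheap."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            md5.update(chunk)
            sha.update(chunk)
    return md5.hexdigest(), sha.hexdigest()


def hunt(root: str) -> dict:
    """Collect the page's file-system IOCs under root. Every non-.devman file
    is hashed, so point this at a narrow scope, not a whole volume."""
    hits = {"note": [], "encrypted": {}, "hash_match": []}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            lower = name.lower()
            try:
                if lower == NOTE_NAME:
                    hits["note"].append(path)      # strongest single indicator
                elif lower.endswith(ENCRYPTED_EXT):
                    with open(path, "rb") as f:
                        sample = f.read(2 * HEAD_LEN)   # head plus a tail sample
                    hits["encrypted"][path] = classify_encryption(sample)
                else:
                    md5, sha = hash_file(path)
                    if md5 in IOC_MD5 or sha in IOC_SHA256:
                        hits["hash_match"].append(path)
            except OSError:
                continue   # unreadable file: skip rather than abort the sweep
    return hits


def mutex_present(name: str = MUTEX_NAME):
    """True/False if the mutex exists on this (running) Windows host, None
    elsewhere. Global\\ and plain names both tried; the page names neither."""
    if sys.platform != "win32":
        return None
    SYNCHRONIZE = 0x00100000
    k32 = ctypes.windll.kernel32
    for candidate in ("Global\\" + name, name):
        handle = k32.OpenMutexW(SYNCHRONIZE, False, candidate)
        if handle:
            k32.CloseHandle(handle)
            return True
    return False


if __name__ == "__main__":
    print("mutex present:", mutex_present())
    for kind, found in hunt(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(kind, found)
```

Run it as `python devman_triage.py <path>` on a copy of the affected tree. The entropy split is a heuristic: a file that was compressed before encryption (zip, jpeg, office documents) is high-entropy throughout and will be reported as “full” even after a header-only run, so confirm with the file’s magic bytes before deciding whether the tail is recoverable. The mutex only exists while the ransomware process is alive, so that check is only meaningful on the suspect host during the incident, not on a disk image.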
