A new ransomware variant, dubbed DEVMAN, has surfaced in the wild, targeting Windows 10 and 11 systems and exhibiting a complex blend of code reuse and novel behaviors.
Security analysts have traced its lineage to the notorious DragonForce ransomware family, itself a derivative of the Conti framework, but DEVMAN introduces unique traits that set it apart from its predecessors.
This hybrid threat underscores the evolving nature of Ransomware-as-a-Service (RaaS) operations and highlights the technical pitfalls that can arise from rapid repackaging and customization.
Technical Analysis
The DEVMAN sample first came to light when it was uploaded by a researcher known as TheRavenFile. While most antivirus engines flagged it as DragonForce or Conti, deeper inspection revealed significant modifications.
The ransomware appends a .DEVMAN extension to encrypted files and incorporates distinct strings, signaling a new actor with its own infrastructure and branding.
Despite this, much of its underlying codebase remains consistent with DragonForce, indicating that DEVMAN likely leverages a builder or toolkit originally designed for DragonForce affiliates.
One of the most notable technical quirks is DEVMAN’s mishandling of ransom notes. Due to a flaw in its builder, the ransomware frequently encrypts its own ransom note files, renaming them deterministically to e47qfsnz2trbkhnt.devman.
According to the Any.Run report, this not only complicates ransom negotiations, since victims may not know whom to contact, but also serves as a unique indicator of compromise (IOC).
The malware’s behavior diverges across operating systems: while it successfully changes the desktop wallpaper on Windows 10, this feature fails on Windows 11, hinting at compatibility issues or incomplete development.
Localized Impact
DEVMAN operates primarily offline, with no observed command-and-control (C2) communications aside from probing for SMB shares to facilitate lateral movement.
The ransomware employs three encryption modes (full, header-only, and custom), allowing it to balance speed and thoroughness depending on the scenario.
It explicitly targets local and networked files, avoiding certain extensions to maximize impact while minimizing system instability.
Persistence mechanisms are inherited from the Conti lineage, with DEVMAN interacting with the Windows Restart Manager to bypass file locks and ensure access to active session files.
It creates and quickly deletes registry entries under the HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000 key, a tactic designed to evade forensic detection.
Mutexes such as hsfjuukjzloqu28oajh727190 are used to coordinate execution and prevent multiple instances from running concurrently.
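As an added illustration, not code from the report or from Any.Run, the following Python scores a stream of simplified, constructed endpoint events against the DEVMAN indicators named above (the ransom note name, the mutex, the .DEVMAN extension and the Restart Manager key); the event format, field names and weights are assumptions. Because legitimate installers also open Restart Manager sessions, the Session0000 key is weighted low and only counts when it is created and deleted within a few seconds, matching the create-then-delete pattern described above.

```python
from collections import Counter
from datetime import datetime, timedelta

# Indicators named in the report; the Restart Manager key is also used by
# legitimate installers, so it is only a weak signal and is weighted low.
RANSOM_NOTE_NAME = "e47qfsnz2trbkhnt.devman"
MUTEX_NAME = "hsfjuukjzloqu28oajh727190"
RM_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000"
WEIGHTS = {"ransom_note": 10, "mutex": 10, "devman_ext": 5, "rm_key_churn": 2}

def score_events(events, churn_window=timedelta(seconds=5)):
    """Score simplified endpoint events (assumed format: dicts with 'ts' as an
    ISO timestamp, 'type' and 'target'). Returns (score, hits-by-indicator)."""
    hits = Counter()
    rm_created_at = None
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts, kind, target = datetime.fromisoformat(ev["ts"]), ev["type"], ev["target"]
        if kind == "file_create":
            name = target.replace("\\", "/").rsplit("/", 1)[-1].lower()
            if name == RANSOM_NOTE_NAME:
                hits["ransom_note"] += 1      # the self-encrypted ransom note
            elif name.endswith(".devman"):
                hits["devman_ext"] += 1       # any other encrypted file
        elif kind == "mutex_create" and target == MUTEX_NAME:
            hits["mutex"] += 1
        elif kind == "reg_create" and target.lower() == RM_KEY.lower():
            rm_created_at = ts
        elif kind == "reg_delete" and target.lower() == RM_KEY.lower():
            # Only the create-then-quick-delete pattern counts, not the key alone.
            if rm_created_at is not None and ts - rm_created_at <= churn_window:
                hits["rm_key_churn"] += 1
            rm_created_at = None
    return sum(WEIGHTS[k] for k in hits), dict(hits)

def is_devman(events, threshold=10):
    """True once a strong indicator (or several weak ones) is present."""
    return score_events(events)[0] >= threshold

SAMPLE_EVENTS = [  # constructed for this example, not a real capture
    {"ts": "2025-07-01T10:00:00", "type": "reg_create", "target": RM_KEY},
    {"ts": "2025-07-01T10:00:01", "type": "reg_delete", "target": RM_KEY},
    {"ts": "2025-07-01T10:00:02", "type": "mutex_create", "target": MUTEX_NAME},
    {"ts": "2025-07-01T10:00:03", "type": "file_create",
     "target": r"C:\Users\alice\Documents\budget.xlsx.DEVMAN"},
    {"ts": "2025-07-01T10:00:04", "type": "file_create",
     "target": r"C:\Users\alice\Documents\e47qfsnz2trbkhnt.devman"},
]

if __name__ == "__main__":
    print(score_events(SAMPLE_EVENTS), is_devman(SAMPLE_EVENTS))
```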
Although DEVMAN is closely tied to DragonForce, sharing infrastructure, code, and even ransom note templates, it has established its own Dedicated Leak Site (DLS) and claims nearly 40 victims, primarily in Asia and Africa.

Communication with the threat actor suggests that DEVMAN has diverged from DragonForce’s mainline development, reflecting the fluidity and fragmentation within the RaaS ecosystem.
The emergence of DEVMAN exemplifies the risks posed by affiliate-driven ransomware operations, where rapid iteration can introduce both operational challenges and detection opportunities.
Its technical oddities, particularly the self-encryption of ransom notes, may limit its effectiveness but also provide defenders with actionable intelligence.
Indicators of Compromise (IOC)
| Type | Value/Description |
|---|---|
| MD5 | e84270afa3030b48dc9e0c53a35c65aa |
| SHA256 | df5ab9015833023a03f92a797e20196672c1d6525501a9f9a94a45b0904c7 |
| SHA256 | 018494565257ef2b6a4e68f1c3e7573b87fc53bd5828c9c5127f31d37ea964f8 |
| Mutex | hsfjuukjzloqu28oajh727190 |
| FileName | e47qfsnz2trbkhnt.devman (encrypted ransom note) |