A sophisticated new ransomware variant identified as DEVMAN has emerged from the DragonForce ransomware-as-a-service ecosystem, targeting both Windows 10 and Windows 11 systems with notable behavioral differences between operating system versions.
This hybrid malware represents a concerning evolution in the ransomware landscape, combining the established DragonForce codebase with unique modifications that create distinct operational signatures.
The DEVMAN ransomware operates as a lightly customized DragonForce variant, utilizing the distinctive .DEVMAN file extension for encrypted data while maintaining core infrastructure elements from its parent family.

What sets this strain apart is its experimental nature and several unusual behaviors that suggest it may be an affiliate testing ground rather than a production-ready deployment.
The malware demonstrates sophisticated targeting capabilities, with over 40 claimed victims primarily concentrated in Asia and Africa, though incidents have been reported across Latin America and Europe.
Any.Run researchers identified the malware through comprehensive sandbox analysis, revealing its complex inheritance from the Conti ransomware framework that forms DragonForce’s foundation.
The analysis uncovered a critical design flaw where the ransomware encrypts its own ransom notes, effectively sabotaging its own payment mechanism.

This behavior, combined with deterministic file renaming patterns, suggests the involvement of an immature builder or development process that hasn’t been thoroughly tested in production environments.
The malware’s attack methodology involves rapid file encryption with three distinct modes: full encryption for comprehensive data corruption, header-only encryption for speed optimization, and custom encryption for targeted scenarios.
Network analysis reveals minimal command-and-control communication, with most malicious activity occurring offline except for SMB reconnaissance attempts targeting administrative shares within local network ranges.
Windows Restart Manager Exploitation and Persistence Mechanisms
The DEVMAN ransomware employs sophisticated persistence tactics through exploitation of the Windows Restart Manager API, creating temporary registry sessions under the key path HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000.
This technique allows the malware to work around file locks and encrypt files that are held open by the active user session, including critical system components like NTUSER.DAT and its associated log files.
The malware creates a hardcoded mutex named hsfjuukjzloqu28oajh727190 to prevent multiple instances from executing simultaneously, following standard practices inherited from the Conti lineage.
Registry entries are systematically created and deleted within milliseconds, likely attempting to minimize forensic traces while maintaining the necessary system access for encryption operations.
This evasion strategy proves particularly effective against traditional security solutions that may not monitor rapid registry modifications or correlate them with file system changes occurring simultaneously across multiple system locations.
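The behaviours described in this section (the hardcoded mutex, a RestartManager session key created and deleted within milliseconds, mass renames to the .DEVMAN extension) and the SMB probing of administrative shares mentioned earlier are exactly the kind of events a detection engineer would want to correlate per process rather than alert on individually, since Restart Manager sessions are also created by legitimate installers. The following script is an added example, not ANY.RUN's tooling or code from the analysis: it parses a constructed, simplified event log and flags processes that combine these indicators. The event format, the sample lines, the 500 ms window and the count thresholds are assumptions made for the example; only the mutex name, registry path and file extension come from the article.

```python
"""Correlate constructed host events to surface the DEVMAN behaviours described in
the article: the hardcoded mutex, a RestartManager session key created and deleted
within milliseconds, SMB probing of administrative shares, and mass renames to the
.DEVMAN extension. The event format and every sample line are constructed for this
example (they are not ANY.RUN output); only the mutex name, registry path and file
extension come from the article."""
from collections import defaultdict
from datetime import datetime, timedelta

DEVMAN_MUTEX = "hsfjuukjzloqu28oajh727190"                                         # from the article
RM_SESSION_PREFIX = r"HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session"  # from the article
DEVMAN_EXT = ".DEVMAN"                                                             # from the article
ADMIN_SHARES = ("ADMIN$", "C$")           # common Windows administrative shares
RM_WINDOW = timedelta(milliseconds=500)   # assumption: what "within milliseconds" means here
RENAME_THRESHOLD = 3                      # assumption: renames from one process that count as "mass"
SHARE_THRESHOLD = 2                       # assumption: distinct hosts probed before flagging

# Constructed sample events, one per line: ISO-timestamp|pid|event|target
SAMPLE_EVENTS = r"""
2025-07-01T10:00:00.000|4120|MutexCreate|hsfjuukjzloqu28oajh727190
2025-07-01T10:00:00.010|4120|RegKeyCreate|HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
2025-07-01T10:00:00.023|4120|RegKeyDelete|HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
2025-07-01T10:00:00.100|4120|FileRename|C:\Users\alice\Documents\q3.xlsx -> C:\Users\alice\Documents\q3.xlsx.DEVMAN
2025-07-01T10:00:00.104|4120|FileRename|C:\Users\alice\Documents\notes.docx -> C:\Users\alice\Documents\notes.docx.DEVMAN
2025-07-01T10:00:00.109|4120|FileRename|C:\Users\alice\Desktop\readme.txt -> C:\Users\alice\Desktop\readme.txt.DEVMAN
2025-07-01T10:00:01.000|4120|SmbConnect|\\192.168.1.10\ADMIN$
2025-07-01T10:00:01.020|4120|SmbConnect|\\192.168.1.11\C$
2025-07-01T10:05:00.000|7788|RegKeyCreate|HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0001
2025-07-01T10:05:09.500|7788|RegKeyDelete|HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0001
2025-07-01T10:10:00.000|9001|RegKeyCreate|HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0002
2025-07-01T10:10:00.050|9001|RegKeyDelete|HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0002
"""


def parse_events(text):
    """Parse the constructed pipe-delimited format into dicts with a real datetime."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, pid, kind, target = line.split("|", 3)
        events.append({"ts": datetime.fromisoformat(ts), "pid": int(pid),
                       "kind": kind, "target": target})
    return events


def _admin_share_host(target):
    """Return the host of a UNC path that points at an administrative share, else None."""
    if not target.startswith("\\\\"):
        return None
    parts = target.lstrip("\\").split("\\")
    if len(parts) >= 2 and parts[1].upper() in ADMIN_SHARES:
        return parts[0]
    return None


def verdict(indicators):
    """A transient Restart Manager key or share access alone is normal software
    behaviour; only DEVMAN-specific artefacts make the finding high confidence."""
    if "devman_mutex" in indicators or "mass_devman_rename" in indicators:
        return "high"
    return "low"


def analyse(events):
    """Group events by process and emit one finding per process with any indicator."""
    by_pid = defaultdict(list)
    for e in events:
        by_pid[e["pid"]].append(e)

    findings = []
    for pid, evs in by_pid.items():
        evs.sort(key=lambda e: e["ts"])
        indicators = []

        if any(e["kind"] == "MutexCreate" and e["target"] == DEVMAN_MUTEX for e in evs):
            indicators.append("devman_mutex")

        # RestartManager session key created and then deleted within RM_WINDOW
        opened = {}
        for e in evs:
            if not e["target"].startswith(RM_SESSION_PREFIX):
                continue
            if e["kind"] == "RegKeyCreate":
                opened[e["target"]] = e["ts"]
            elif e["kind"] == "RegKeyDelete" and e["target"] in opened:
                if e["ts"] - opened.pop(e["target"]) <= RM_WINDOW:
                    indicators.append("transient_restartmanager_session")

        renames = sum(1 for e in evs
                      if e["kind"] == "FileRename" and e["target"].upper().endswith(DEVMAN_EXT))
        if renames >= RENAME_THRESHOLD:
            indicators.append("mass_devman_rename")

        hosts = {_admin_share_host(e["target"]) for e in evs if e["kind"] == "SmbConnect"}
        hosts.discard(None)
        if len(hosts) >= SHARE_THRESHOLD:
            indicators.append("admin_share_probe")

        if indicators:
            findings.append({"pid": pid, "indicators": indicators, "verdict": verdict(indicators)})
    return findings


if __name__ == "__main__":
    for f in analyse(parse_events(SAMPLE_EVENTS)):
        print(f"pid {f['pid']}: {f['verdict']} ({', '.join(f['indicators'])})")
```

In the sample data, process 4120 triggers all four indicators and is rated high, process 7788 holds its Restart Manager session for several seconds and is not flagged at all, and process 9001 shows only a sub-second session key and is rated low. That split is the point of the design: the registry timing alone is a weak signal that would also fire on installers, so the rule only escalates when it is combined with artefacts that are specific to this family.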
The DEVMAN ransomware represents a concerning development in the ransomware ecosystem, demonstrating how established criminal infrastructure enables rapid variant creation.
While its current implementation contains critical flaws that limit operational effectiveness, the underlying technical sophistication suggests continued evolution toward more refined deployment capabilities targeting enterprise environments across multiple Windows platforms.