A new ransomware variant named DEVMAN has surfaced, targeting Windows 10 and 11 systems. This malware is a derivative of the DragonForce ransomware family, itself an offshoot of the Conti framework, but introduces unique characteristics that distinguish it from its predecessors.
Technical Analysis
The DEVMAN ransomware was first identified when a sample was uploaded by a researcher known as TheRavenFile. While many antivirus engines initially flagged it as DragonForce or Conti, a deeper examination revealed significant modifications. Notably, DEVMAN appends a .DEVMAN extension to encrypted files and incorporates distinct strings, indicating the involvement of a new actor with its own infrastructure and branding. Despite these changes, much of its underlying codebase remains consistent with DragonForce, suggesting that DEVMAN likely utilizes a builder or toolkit originally designed for DragonForce affiliates.
A critical flaw in DEVMAN’s design is its mishandling of ransom notes. Due to a defect in its builder, the ransomware frequently encrypts its own ransom note files, renaming them deterministically to e47qfsnz2trbkhnt.devman. This not only complicates ransom negotiations, as victims may not know whom to contact, but also serves as a unique indicator of compromise (IOC). Additionally, the malware’s behavior varies across operating systems: while it successfully changes the desktop wallpaper on Windows 10, this feature fails on Windows 11, hinting at compatibility issues or incomplete development.
Localized Impact
DEVMAN operates primarily offline, with no observed command-and-control (C2) communications aside from probing for SMB shares to facilitate lateral movement. The ransomware employs three encryption modes—full, header-only, and custom—allowing it to balance speed and thoroughness depending on the scenario. It explicitly targets local and networked files, avoiding certain extensions to maximize impact while minimizing system instability.
Persistence mechanisms are inherited from the Conti lineage, with DEVMAN interacting with the Windows Restart Manager to bypass file locks and ensure access to active session files. It creates and quickly deletes registry entries under the HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000 key, a tactic designed to evade forensic detection. Mutexes such as hsfjuukjzloqu28oajh727190 are used to coordinate execution and prevent multiple instances from running concurrently.
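The artifacts named in the two paragraphs above (the .DEVMAN extension, the self-encrypted note name e47qfsnz2trbkhnt.devman, the RestartManager Session0000 key and the mutex) can be combined into a simple per-host triage. This is an added example, not code from the original report; the one-JSON-object-per-line telemetry schema and the sample events are constructed assumptions.

```python
import json
from collections import defaultdict

# Indicators quoted from the report: extension, self-encrypted note, RM key, mutex.
DEVMAN_EXT = ".devman"
NOTE_ARTIFACT = "e47qfsnz2trbkhnt.devman"
RM_KEY = r"hkey_current_user\software\microsoft\restartmanager\session0000"
MUTEX = "hsfjuukjzloqu28oajh727190"
# DEVMAN-specific hits; the RestartManager key is also written by legitimate
# installers, so on its own it only flags the host for review.
STRONG = {"self_encrypted_note", "devman_extension", "devman_mutex"}

# Constructed sample telemetry; the JSON-per-line schema is an assumption.
SAMPLE_EVENTS = r"""
{"host": "ws01", "type": "file_create", "path": "C:\\Users\\a\\Documents\\q3.xlsx.DEVMAN"}
{"host": "ws01", "type": "file_create", "path": "C:\\Users\\a\\Desktop\\e47qfsnz2trbkhnt.devman"}
{"host": "ws01", "type": "reg_set", "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\RestartManager\\Session0000"}
{"host": "ws01", "type": "mutex_create", "name": "hsfjuukjzloqu28oajh727190"}
{"host": "ws02", "type": "file_create", "path": "C:\\Temp\\report.pdf"}
{"host": "ws02", "type": "reg_set", "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\RestartManager\\Session0000"}
"""

def classify_event(ev):
    """Return the indicator name one event matches, or None."""
    if ev["type"] == "file_create":
        path = ev["path"].lower()
        if path.endswith("\\" + NOTE_ARTIFACT):  # test before the generic extension
            return "self_encrypted_note"
        if path.endswith(DEVMAN_EXT):
            return "devman_extension"
    elif ev["type"] == "reg_set" and ev["key"].lower() == RM_KEY:
        return "restart_manager_session"
    elif ev["type"] == "mutex_create" and ev["name"] == MUTEX:
        return "devman_mutex"
    return None

def triage(lines):
    """Map each host to the set of indicators seen in its events."""
    hits = defaultdict(set)
    for line in lines.strip().splitlines():
        ev = json.loads(line)
        indicator = classify_event(ev)
        if indicator:
            hits[ev["host"]].add(indicator)
    return dict(hits)

def verdict(indicators):
    """Escalate only when a DEVMAN-specific indicator is present."""
    if indicators & STRONG:
        return "likely_devman"
    return "review" if indicators else "clean"
```

Run `verdict(found)` over each entry of `triage(SAMPLE_EVENTS)`: ws01 escalates on the note artifact, extension and mutex, while ws02's lone RestartManager write is only queued for review.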
Although DEVMAN is closely tied to DragonForce—sharing infrastructure, code, and even ransom note templates—it has established its own Dedicated Leak Site (DLS) and claims nearly 40 victims, primarily in Asia and Africa. Communication with the threat actor suggests that DEVMAN has diverged from DragonForce’s mainline development, reflecting the fluidity and fragmentation within the Ransomware-as-a-Service (RaaS) ecosystem.
The emergence of DEVMAN exemplifies the risks posed by affiliate-driven ransomware operations, where rapid iteration can introduce both operational challenges and detection opportunities. Its technical oddities, particularly the self-encryption of ransom notes, may limit its effectiveness but also provide defenders with actionable intelligence.