
A new ransomware variant named DEVMAN has recently emerged, targeting Windows 10 and 11 systems. This malware is a derivative of the DragonForce ransomware family, itself based on the Conti framework, but introduces unique behaviors that distinguish it from its predecessors.
Technical Analysis
DEVMAN was first identified when a sample was uploaded by a researcher known as TheRavenFile. While many antivirus engines initially flagged it as DragonForce or Conti, deeper analysis revealed significant modifications. The ransomware appends a .DEVMAN extension to encrypted files and incorporates distinct strings, indicating a new actor with its own infrastructure and branding. Despite these changes, much of its underlying codebase remains consistent with DragonForce, suggesting that DEVMAN likely utilizes a builder or toolkit originally designed for DragonForce affiliates.

A notable flaw in DEVMAN's design is its tendency to encrypt its own ransom notes, renaming them deterministically to e47qfsnz2trbkhnt.devman. This behavior complicates ransom negotiations, as victims may not know whom to contact, and serves as a unique indicator of compromise (IOC). Additionally, the malware's behavior varies across operating systems: it successfully changes the desktop wallpaper on Windows 10, but this feature fails on Windows 11, hinting at compatibility issues or incomplete development.

Localized Impact
DEVMAN operates primarily offline, with no observed command-and-control (C2) communications, aside from probing for SMB shares to facilitate lateral movement. The ransomware employs three encryption modes—full, header-only, and custom—allowing it to balance speed and thoroughness depending on the scenario. It explicitly targets local and networked files, avoiding certain extensions to maximize impact while minimizing system instability.
Persistence mechanisms are inherited from the Conti lineage, with DEVMAN interacting with the Windows Restart Manager to bypass file locks and ensure access to active session files. It creates and quickly deletes registry entries under the HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000 key, a tactic designed to evade forensic detection. Mutexes such as hsfjuukjzloqu28oajh727190 are used to coordinate execution and prevent multiple instances from running concurrently.

Although DEVMAN is closely tied to DragonForce—sharing infrastructure, code, and even ransom note templates—it has established its own Dedicated Leak Site (DLS) and claims nearly 40 victims, primarily in Asia and Africa. Communication with the threat actor suggests that DEVMAN has diverged from DragonForce's mainline development, reflecting the fluidity and fragmentation within the RaaS ecosystem.
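A defender-side indicator sweep built from the artifacts named in this section and the Technical Analysis above, as an added example that is not part of the article or any vendor tool: it scores constructed endpoint events against the .DEVMAN extension, the deterministic ransom-note name, the mutex and the Restart Manager registry key. The pipe-delimited event format, the host names and the weights are assumptions for the example; only the indicator values come from the article. The registry key is weighted low on purpose, because any legitimate caller of the Restart Manager API (installers, updaters) creates the same Session0000 key, so it should corroborate rather than trigger an alert on its own.

```python
"""Indicator sweep for the DEVMAN ransomware artifacts named in the article.

Added example for illustration; it is not code from the article, CyberSecurityNews,
or any vendor product. The pipe-delimited event format and the host names are
constructed for the example; the indicator values themselves come from the article.
"""
import os
from collections import defaultdict

# Indicators quoted in the article.
DEVMAN_EXTENSION = ".devman"                   # appended to encrypted files
RANSOM_NOTE_NAME = "e47qfsnz2trbkhnt.devman"   # the self-encrypted ransom note
MUTEX_NAME = "hsfjuukjzloqu28oajh727190"
RESTART_MANAGER_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000"

# Weights (assumed for this example): the Restart Manager key is created by any
# legitimate Restart Manager session (installers, updaters), so alone it is a weak
# signal; the file and mutex names are family-specific and can alert on their own.
WEIGHTS = {"ransom_note": 3, "devman_extension": 3, "devman_mutex": 3, "restart_manager_key": 1}
ALERT_THRESHOLD = 3

# Constructed telemetry: host|event_type|target (hypothetical hosts, not real data).
SAMPLE_EVENTS = r"""
WS-01|FileCreate|C:\Users\alice\Documents\budget.xlsx.DEVMAN
WS-01|FileCreate|C:\Users\alice\Documents\e47qfsnz2trbkhnt.devman
WS-01|RegistryCreate|HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
WS-01|RegistryDelete|HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
WS-01|MutexCreate|hsfjuukjzloqu28oajh727190
WS-02|FileCreate|C:\Users\bob\report.docx
WS-02|RegistryCreate|HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
WS-02|MutexCreate|SomeBenignApplicationMutex
WS-03|FileCreate|D:\shares\finance\q3.pdf.DEVMAN
""".strip()


def parse_event(line):
    """Split one 'host|type|target' record; returns None for malformed lines."""
    parts = line.split("|", 2)
    if len(parts) != 3:
        return None
    host, event_type, target = (p.strip() for p in parts)
    return {"host": host, "type": event_type, "target": target}


def match_indicators(event):
    """Return the list of indicator names a single event matches (case-insensitive)."""
    target = event["target"]
    lowered = target.lower()
    hits = []
    if event["type"].startswith("File"):
        # Compare the basename: the note name is deterministic per the article.
        name = os.path.basename(target.replace("\\", "/")).lower()
        if name == RANSOM_NOTE_NAME:
            hits.append("ransom_note")
        elif lowered.endswith(DEVMAN_EXTENSION):
            hits.append("devman_extension")
    elif event["type"].startswith("Registry"):
        # Both the create and the quick delete of the key land on the same indicator.
        if lowered.startswith(RESTART_MANAGER_KEY.lower()):
            hits.append("restart_manager_key")
    elif event["type"].startswith("Mutex"):
        if lowered == MUTEX_NAME:
            hits.append("devman_mutex")
    return hits


def sweep(events_text):
    """Aggregate indicator hits per host; each indicator counts once per host."""
    per_host = defaultdict(set)
    for line in events_text.splitlines():
        event = parse_event(line)
        if event is None:
            continue
        per_host[event["host"]].update(match_indicators(event))
    return {
        host: {"indicators": sorted(inds), "score": sum(WEIGHTS[i] for i in inds)}
        for host, inds in per_host.items()
    }


def flagged_hosts(events_text, threshold=ALERT_THRESHOLD):
    """Hosts whose aggregated score reaches the threshold, highest score first."""
    results = sweep(events_text)
    hits = [(h, r) for h, r in results.items() if r["score"] >= threshold]
    return [h for h, _ in sorted(hits, key=lambda kv: (-kv[1]["score"], kv[0]))]


if __name__ == "__main__":
    for host, result in sweep(SAMPLE_EVENTS).items():
        print(f"{host}: score={result['score']} indicators={result['indicators']}")
    print("alert:", flagged_hosts(SAMPLE_EVENTS))
```

Run against the constructed events, WS-01 (all four indicators) and WS-03 (a single .DEVMAN file on a share) are flagged, while WS-02, which only touched the Restart Manager key, stays below the threshold. Matching is case-insensitive because the article shows the extension as .DEVMAN but the note name in lowercase; in a real deployment the event source would be your EDR or Sysmon file, registry and mutex telemetry rather than this constructed list.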
Conclusion
The emergence of DEVMAN exemplifies the risks posed by affiliate-driven ransomware operations, where rapid iteration can introduce both operational challenges and detection opportunities. Its technical oddities, particularly the self-encryption of ransom notes, may limit its effectiveness but also provide defenders with actionable intelligence.
Source: CyberSecurityNews New DEVMAN Ransomware From DragonForce Attacking Windows 10 and 11 Users