DEVMAN Ransomware: Analysis of New DragonForce Variant
A new ransomware strain resembling DragonForce but with unique traits has emerged, possibly connected to an entity called DEVMAN. The sample reuses DragonForce code but adds its own elements, including the .DEVMAN file extension. Attribution is unclear, as the ransom note is identical to DragonForce's. The malware operates offline, probes for SMB connections, and uses three encryption modes. It exhibits different behaviors on Windows 10 and 11, particularly in changing wallpapers. The ransomware encrypts its own ransom notes, likely due to a builder flaw. DEVMAN claims to have stopped using DragonForce months ago, suggesting this may be an experimental or outdated build.
AI Analysis
Technical Summary
The DEVMAN ransomware is a newly identified strain that appears to be a variant of the DragonForce ransomware family, with unique modifications attributed to an entity known as DEVMAN. This malware reuses significant portions of DragonForce's codebase but introduces distinct features, including the use of a .DEVMAN file extension for encrypted files. The ransomware operates primarily in an offline mode and actively probes for SMB (Server Message Block) connections, presumably to identify network shares and propagate to them. It supports three different encryption modes.

Notably, the ransomware behaves differently depending on the Windows version it infects (Windows 10 versus Windows 11), with differences observed in how it changes the desktop wallpaper as part of its attack footprint. An unusual characteristic of this variant is that it encrypts its own ransom notes, likely due to a flaw in the ransomware builder, which may leave victims unable to read the ransom demands. Attribution remains unclear because the ransom note is identical to that used by DragonForce, and DEVMAN claims to have ceased using DragonForce ransomware months prior, suggesting this sample might be experimental or outdated.

The malware is tagged with multiple MITRE ATT&CK techniques: T1053.005 (Scheduled Task/Job: Scheduled Task), T1204.002 (User Execution: Malicious File), T1135 (Network Share Discovery), T1005 (Data from Local System), T1021.002 (Remote Services: SMB/Windows Admin Shares), T1070 (Indicator Removal on Host), T1027 (Obfuscated Files or Information), T1486 (Data Encrypted for Impact), and T1490 (Inhibit System Recovery). Together these describe a complete attack lifecycle involving persistence, lateral movement, data encryption, and anti-forensic measures. There are no known exploits in the wild for this variant yet, and no CVE identifiers have been assigned.
The severity is rated medium, reflecting the current understanding of its capabilities and impact.
Potential Impact
For European organizations, the DEVMAN ransomware poses a significant threat to data confidentiality and availability. Its ability to encrypt files with multiple encryption modes and target SMB shares suggests potential for rapid lateral movement within corporate networks, especially in environments with poorly segmented networks or exposed SMB services. The encryption of ransom notes could complicate incident response and negotiation processes. The ransomware's differing behavior on Windows 10 and 11 means organizations running mixed environments may face inconsistent infection symptoms, complicating detection and remediation. Given the ransomware operates offline, it may not require command-and-control infrastructure, making it harder to disrupt once deployed. The medium severity rating indicates that while the ransomware is dangerous, it may have limitations such as the builder flaw affecting ransom note readability, possibly reducing its effectiveness. However, the reuse of DragonForce code and the association with known ransomware families like Conti and Blacklock (as indicated by tags) suggest a potential for evolution into more damaging variants. European organizations with extensive Windows infrastructure, especially those relying on SMB for file sharing, are at risk of data loss, operational disruption, and financial impact due to ransom demands or recovery costs.
Mitigation Recommendations
1. Network Segmentation: Strictly segment networks to limit SMB exposure and lateral movement opportunities.
2. SMB Hardening: Disable SMBv1 and restrict SMB access to trusted hosts only. Implement SMB signing and enforce strong authentication.
3. Patch Management: Although no specific patches exist for this ransomware, ensure all Windows systems are fully patched to reduce attack surface and prevent exploitation of other vulnerabilities.
4. Endpoint Detection and Response (EDR): Deploy advanced EDR solutions capable of detecting ransomware behaviors such as unusual file encryption patterns, changes to desktop wallpaper, and suspicious SMB scanning activities.
5. Backup Strategy: Maintain offline, immutable backups with frequent testing to ensure rapid recovery without paying ransom.
6. User Awareness: Train users to recognize and avoid executing suspicious files, as user execution is a known infection vector.
7. Incident Response Preparation: Develop and rehearse ransomware-specific response plans, including forensic analysis to identify encrypted ransom notes and alternative communication channels with attackers if necessary.
8. Monitor Scheduled Tasks and Persistence Mechanisms: Regularly audit scheduled tasks and startup entries to detect unauthorized changes consistent with T1053.005.
9. Network Monitoring: Implement network traffic analysis to detect SMB scanning and unusual lateral movement attempts.
10. Restrict Administrative Privileges: Enforce least privilege principles to limit ransomware's ability to propagate and encrypt critical systems.
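As an added detection example (not code from the report or the analyzed sample), the following Python script implements the EDR-style check from recommendation 4 over constructed Sysmon-like file-rename events: it alerts on a process that renames several files to the .DEVMAN extension within a short window and records which SMB servers (UNC paths, recommendation 9) the encryption reached. The event field names, the appended-extension naming (file.xlsx.DEVMAN) and the window/threshold values are assumptions for the example.

```python
"""Burst detector for DEVMAN-style mass renames to the .DEVMAN extension.
Constructed example (not the report's code); the JSON-lines event shape and
field names (ts, pid, image, old, new) are an assumed Sysmon-like schema."""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

ENCRYPTED_EXT = ".devman"       # extension the report observed on encrypted files
WINDOW = timedelta(seconds=30)  # sliding window for the burst check (tuning choice)
THRESHOLD = 4                   # .DEVMAN renames within WINDOW that raise an alert

# Constructed sample events: one process encrypting local files and an SMB share
# (UNC paths), plus explorer.exe renames that must not alert.
SAMPLE_EVENTS = r"""
{"ts": "2025-07-02T07:20:00", "pid": 4120, "image": "C:\\Users\\bob\\AppData\\Local\\Temp\\update.exe", "old": "C:\\Share\\q1.xlsx", "new": "C:\\Share\\q1.xlsx.DEVMAN"}
{"ts": "2025-07-02T07:20:02", "pid": 4120, "image": "C:\\Users\\bob\\AppData\\Local\\Temp\\update.exe", "old": "C:\\Share\\q2.xlsx", "new": "C:\\Share\\q2.xlsx.DEVMAN"}
{"ts": "2025-07-02T07:20:03", "pid": 4120, "image": "C:\\Users\\bob\\AppData\\Local\\Temp\\update.exe", "old": "\\\\FS01\\finance\\ledger.db", "new": "\\\\FS01\\finance\\ledger.db.DEVMAN"}
{"ts": "2025-07-02T07:20:04", "pid": 4120, "image": "C:\\Users\\bob\\AppData\\Local\\Temp\\update.exe", "old": "\\\\FS01\\finance\\README.txt", "new": "\\\\FS01\\finance\\README.txt.DEVMAN"}
{"ts": "2025-07-02T07:20:05", "pid": 4120, "image": "C:\\Users\\bob\\AppData\\Local\\Temp\\update.exe", "old": "C:\\Share\\q3.xlsx", "new": "C:\\Share\\q3.xlsx.DEVMAN"}
{"ts": "2025-07-02T07:21:00", "pid": 2210, "image": "C:\\Windows\\explorer.exe", "old": "C:\\Users\\bob\\notes.txt", "new": "C:\\Users\\bob\\notes-old.txt"}
{"ts": "2025-07-02T07:25:00", "pid": 2210, "image": "C:\\Windows\\explorer.exe", "old": "C:\\Users\\bob\\x.bin", "new": "C:\\Users\\bob\\x.bin.DEVMAN"}
"""

def parse_events(text):
    """Parse JSON lines into event dicts with a datetime 'ts', oldest first."""
    events = []
    for line in text.strip().splitlines():
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])

def detect_bursts(events, window=WINDOW, threshold=THRESHOLD):
    """Map pid -> summary for processes renaming >= threshold files to .DEVMAN in one window."""
    recent = defaultdict(deque)  # pid -> timestamps of its recent .DEVMAN renames
    seen = {}
    for ev in events:
        if not ev["new"].lower().endswith(ENCRYPTED_EXT):
            continue  # ordinary rename, ignore
        q = recent[ev["pid"]]
        q.append(ev["ts"])
        while ev["ts"] - q[0] > window:  # discard renames older than the window
            q.popleft()
        s = seen.setdefault(ev["pid"], {"image": ev["image"], "count": 0, "shares": set(), "triggered": False})
        s["count"] += 1
        if ev["new"].startswith("\\\\"):  # UNC path: encryption reached an SMB share
            s["shares"].add(ev["new"].split("\\")[2])
        if len(q) >= threshold:
            s["triggered"] = True
    return {pid: s for pid, s in seen.items() if s["triggered"]}
```

A single below-threshold rename (the explorer.exe event above) is kept in the per-process tally but does not alert, which is the trade-off to tune against false positives from legitimate bulk renames.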
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland
Indicators of Compromise
- MD5: e84270afa3030b48dc9e0c53a35c65aa
- SHA-1: 4a34bbad85312ef34b60818a47f7b5bb8e9a7e26
- SHA-256: 018494565257ef2b6a4e68f1c3e7573b87fc53bd5828c9c5127f31d37ea964f8
- SHA-256: df5ab9015833023a03f92a797e20196672c1d6525501a9f9a94a45b0904c7403
Technical Details
- Author: AlienVault
- TLP: white
- References: https://any.run/cybersecurity-blog/devman-ransomware-analysis
- Adversary: DEVMAN
- Pulse Id: 6864dc456365182d0e43bd32
- Threat Score: null
Threat ID: 6864deb26f40f0eb7291e877
Added to database: 7/2/2025, 7:24:34 AM
Last enriched: 7/2/2025, 7:40:14 AM
Last updated: 7/18/2025, 1:37:38 AM
Views: 33