The DEVMAN ransomware is a newly identified strain that appears to be a variant of the DragonForce ransomware family, with unique modifications attributed to an entity known as DEVMAN. This malware reuses significant portions of DragonForce's codebase but introduces distinct features, including the use of a .DEVMAN file extension for encrypted files. The ransomware operates primarily in an offline mode and actively probes for SMB (Server Message Block) connections to potentially propagate or identify network shares. It employs three different encryption modes, enhancing its ability to encrypt victim data effectively. Notably, the ransomware exhibits different behaviors depending on the Windows version it infects, specifically Windows 10 versus Windows 11, with differences observed in how it changes the desktop wallpaper as part of its attack footprint. An unusual characteristic of this variant is that it encrypts its own ransom notes, likely due to a flaw in the ransomware builder, which may hinder victims' ability to read the ransom demands. Attribution remains unclear because the ransom note is identical to that used by DragonForce, and DEVMAN claims to have ceased using DragonForce ransomware months prior, suggesting this sample might be experimental or outdated. The malware is tagged with multiple MITRE ATT&CK techniques such as T1053.005 (Scheduled Task/Job), T1204.002 (User Execution: Malicious File), T1135 (Network Share Discovery), T1005 (Data from Local System), T1021.002 (SMB/Windows Admin Shares), T1070 (Indicator Removal on Host), T1027 (Obfuscated Files or Information), T1486 (Data Encrypted for Impact), and T1490 (Inhibit System Recovery), indicating a comprehensive attack lifecycle involving persistence, lateral movement, data encryption, and anti-forensic measures. There are no known exploits in the wild for this variant yet, and no CVE identifiers have been assigned. The severity is rated medium, reflecting the current understanding of its capabilities and impact.

For European organizations, the DEVMAN ransomware poses a significant threat to data confidentiality and availability. Its ability to encrypt files with multiple encryption modes and target SMB shares suggests potential for rapid lateral movement within corporate networks, especially in environments with poorly segmented networks or exposed SMB services. The encryption of ransom notes could complicate incident response and negotiation processes. The ransomware's differing behavior on Windows 10 and 11 means organizations running mixed environments may face inconsistent infection symptoms, complicating detection and remediation. Given the ransomware operates offline, it may not require command-and-control infrastructure, making it harder to disrupt once deployed. The medium severity rating indicates that while the ransomware is dangerous, it may have limitations such as the builder flaw affecting ransom note readability, possibly reducing its effectiveness. However, the reuse of DragonForce code and the association with known ransomware families like Conti and Blacklock (as indicated by tags) suggest a potential for evolution into more damaging variants. European organizations with extensive Windows infrastructure, especially those relying on SMB for file sharing, are at risk of data loss, operational disruption, and financial impact due to ransom demands or recovery costs.

1. Network Segmentation: Strictly segment networks to limit SMB exposure and lateral movement opportunities. 2. SMB Hardening: Disable SMBv1 and restrict SMB access to only trusted hosts. Implement SMB signing and enforce strong authentication. 3. Patch Management: Although no specific patches exist for this ransomware, ensure all Windows systems are fully patched to reduce attack surface and prevent exploitation of other vulnerabilities. 4. Endpoint Detection and Response (EDR): Deploy advanced EDR solutions capable of detecting ransomware behaviors such as unusual file encryption patterns, changes to desktop wallpaper, and suspicious SMB scanning activities. 5. Backup Strategy: Maintain offline, immutable backups with frequent testing to ensure rapid recovery without paying ransom. 6. User Awareness: Train users to recognize and avoid executing suspicious files, as user execution is a known infection vector. 7. Incident Response Preparation: Develop and rehearse ransomware-specific response plans, including forensic analysis to identify encrypted ransom notes and alternative communication channels with attackers if necessary. 8. Monitor Scheduled Tasks and Persistence Mechanisms: Regularly audit scheduled tasks and startup entries to detect unauthorized changes consistent with T1053.005. 9. Network Monitoring: Implement network traffic analysis to detect SMB scanning and unusual lateral movement attempts. 10. Restrict Administrative Privileges: Enforce least privilege principles to limit ransomware’s ability to propagate and encrypt critical systems.