
DEVMAN Ransomware: Analysis of New DragonForce Variant

Severity: Medium
Published: Wed Jul 02 2025 (07/02/2025, 07:14:13 UTC)
Source: AlienVault OTX General

Description

A new ransomware strain resembling DragonForce but with unique traits has emerged, possibly connected to an entity called DEVMAN. The sample reuses DragonForce code but adds its own elements, including the .DEVMAN file extension. Attribution is unclear, as the ransom note is identical to DragonForce's. The malware operates offline, probes for SMB connections, and uses three encryption modes. It exhibits different behaviors on Windows 10 and 11, particularly in changing wallpapers. The ransomware encrypts its own ransom notes, likely due to a builder flaw. DEVMAN claims to have stopped using DragonForce months ago, suggesting this may be an experimental or outdated build.

AI-Powered Analysis

Last updated: 07/02/2025, 07:40:14 UTC

Technical Analysis

The DEVMAN ransomware is a newly identified strain that appears to be a variant of the DragonForce ransomware family, with modifications attributed to an entity known as DEVMAN. It reuses significant portions of DragonForce's code base but introduces distinct features, including the .DEVMAN extension appended to encrypted files. The ransomware runs primarily offline and actively probes for SMB (Server Message Block) connections, potentially to propagate or to identify network shares. It employs three different encryption modes. Its behaviour also differs between Windows 10 and Windows 11, notably in how it changes the desktop wallpaper as part of its attack footprint. An unusual trait of this variant is that it encrypts its own ransom notes, most likely because of a flaw in the ransomware builder, which may prevent victims from reading the ransom demand.

Attribution remains unclear: the ransom note is identical to the one used by DragonForce, and DEVMAN claims to have stopped using DragonForce ransomware months earlier, so this sample may be an experimental or outdated build.

The sample is tagged with the MITRE ATT&CK techniques T1053.005 (Scheduled Task/Job), T1204.002 (User Execution: Malicious File), T1135 (Network Share Discovery), T1005 (Data from Local System), T1021.002 (SMB/Windows Admin Shares), T1070 (Indicator Removal on Host), T1027 (Obfuscated Files or Information), T1486 (Data Encrypted for Impact) and T1490 (Inhibit System Recovery), indicating a full attack lifecycle spanning persistence, lateral movement, data encryption and anti-forensic measures. No known exploits in the wild and no CVE identifiers are associated with this variant. The severity is rated medium, reflecting the current understanding of its capabilities and impact.

Potential Impact

For European organizations, the DEVMAN ransomware poses a significant threat to data confidentiality and availability. Its ability to encrypt files with multiple encryption modes and target SMB shares suggests potential for rapid lateral movement within corporate networks, especially in environments with poorly segmented networks or exposed SMB services. The encryption of ransom notes could complicate incident response and negotiation processes. The ransomware's differing behavior on Windows 10 and 11 means organizations running mixed environments may face inconsistent infection symptoms, complicating detection and remediation. Given the ransomware operates offline, it may not require command-and-control infrastructure, making it harder to disrupt once deployed. The medium severity rating indicates that while the ransomware is dangerous, it may have limitations such as the builder flaw affecting ransom note readability, possibly reducing its effectiveness. However, the reuse of DragonForce code and the association with known ransomware families like Conti and Blacklock (as indicated by tags) suggest a potential for evolution into more damaging variants. European organizations with extensive Windows infrastructure, especially those relying on SMB for file sharing, are at risk of data loss, operational disruption, and financial impact due to ransom demands or recovery costs.

Mitigation Recommendations

1. Network Segmentation: Strictly segment networks to limit SMB exposure and lateral movement opportunities.
2. SMB Hardening: Disable SMBv1 and restrict SMB access to only trusted hosts. Implement SMB signing and enforce strong authentication.
3. Patch Management: Although no specific patches exist for this ransomware, ensure all Windows systems are fully patched to reduce attack surface and prevent exploitation of other vulnerabilities.
4. Endpoint Detection and Response (EDR): Deploy advanced EDR solutions capable of detecting ransomware behaviors such as unusual file encryption patterns, changes to desktop wallpaper, and suspicious SMB scanning activities.
5. Backup Strategy: Maintain offline, immutable backups with frequent testing to ensure rapid recovery without paying ransom.
6. User Awareness: Train users to recognize and avoid executing suspicious files, as user execution is a known infection vector.
7. Incident Response Preparation: Develop and rehearse ransomware-specific response plans, including forensic analysis to identify encrypted ransom notes and alternative communication channels with attackers if necessary.
8. Monitor Scheduled Tasks and Persistence Mechanisms: Regularly audit scheduled tasks and startup entries to detect unauthorized changes consistent with T1053.005.
9. Network Monitoring: Implement network traffic analysis to detect SMB scanning and unusual lateral movement attempts.
10. Restrict Administrative Privileges: Enforce least privilege principles to limit ransomware's ability to propagate and encrypt critical systems.
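The SMB hardening (item 2), scheduled-task audit (item 8) and a check for the .DEVMAN extension named in the analysis, as an added PowerShell example that is not part of the OTX pulse or the cited ANY.RUN report. It assumes an elevated session on an English-locale Windows host; the trusted subnet, scan path and firewall display-group name are assumptions to adjust for your environment.

```powershell
# Added example, not code from the OTX pulse or the ANY.RUN report it cites.
# Read-only by default; -Remediate disables SMBv1, requires SMB signing and scopes
# the inbound File and Printer Sharing firewall rules to the trusted range.
[CmdletBinding()]
param(
    [switch]$Remediate,
    [string]$TrustedSmbClients = '10.0.0.0/24',   # assumption: replace with your trusted hosts
    [string]$ScanPath = 'C:\Users',               # assumption: point at your data volumes
    [int]$RecentTaskDays = 7
)

$findings = New-Object System.Collections.Generic.List[string]

# 1. SMBv1 and SMB signing state on the server side (mitigation item 2).
$smb = Get-SmbServerConfiguration
if ($smb.EnableSMB1Protocol)            { $findings.Add('SMBv1 server protocol is enabled') }
if (-not $smb.RequireSecuritySignature) { $findings.Add('SMB signing is not required') }
if ($Remediate) {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -RequireSecuritySignature $true -Confirm:$false
    # Scope the built-in allow rules for TCP 445 to trusted hosts only
    # (display group name assumes an English-locale Windows).
    Set-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -RemoteAddress $TrustedSmbClients
}

# 2. Scheduled tasks registered in the last N days (T1053.005, mitigation item 8),
#    with what each one executes so an unexpected binary stands out.
$cutoff = (Get-Date).AddDays(-$RecentTaskDays)
$recent = Get-ScheduledTask | Where-Object { $_.Date -and [datetime]$_.Date -gt $cutoff }
foreach ($task in $recent) {
    $runs = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)".Trim() }) -join '; '
    $findings.Add("Task $($task.TaskPath)$($task.TaskName) (author '$($task.Author)') runs: $runs")
}

# 3. The .DEVMAN extension the report describes (NTFS matching is case-insensitive),
#    plus the current wallpaper path, since the analysis says the sample changes it.
$hit = Get-ChildItem -Path $ScanPath -Recurse -File -Filter '*.DEVMAN' -ErrorAction SilentlyContinue |
       Select-Object -First 1
if ($hit) { $findings.Add("File with .DEVMAN extension found: $($hit.FullName)") }
$wall = (Get-ItemProperty -Path 'HKCU:\Control Panel\Desktop' -Name Wallpaper).Wallpaper
Write-Host "Current wallpaper path: $wall (confirm it is your expected image)"

if ($findings.Count -eq 0) { Write-Host 'No findings.' }
foreach ($f in $findings) { Write-Warning $f }
```

Requiring SMB signing affects every client of that host, so test -Remediate on a non-production system before rolling it out.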


Technical Details

Author: AlienVault
TLP: white
References: https://any.run/cybersecurity-blog/devman-ransomware-analysis
Adversary: DEVMAN
Pulse Id: 6864dc456365182d0e43bd32
Threat Score: null

Indicators of Compromise

Hash

MD5: e84270afa3030b48dc9e0c53a35c65aa
SHA-1: 4a34bbad85312ef34b60818a47f7b5bb8e9a7e26
SHA-256: 018494565257ef2b6a4e68f1c3e7573b87fc53bd5828c9c5127f31d37ea964f8
SHA-256: df5ab9015833023a03f92a797e20196672c1d6525501a9f9a94a45b0904c7403

Threat ID: 6864deb26f40f0eb7291e877

Added to database: 7/2/2025, 7:24:34 AM

Last enriched: 7/2/2025, 7:40:14 AM

Last updated: 7/18/2025, 1:37:38 AM

