DEVMAN Ransomware: Analysis of New DragonForce Variant

July 2, 2025, 7:46 a.m.

Description

A new ransomware strain resembling DragonForce but with unique traits has emerged, possibly connected to an entity called DEVMAN. The sample reuses DragonForce code but adds its own elements, including the .DEVMAN file extension. Attribution is unclear, as the ransom note is identical to DragonForce's. The malware operates offline, probes for SMB connections, and uses three encryption modes. It exhibits different behaviors on Windows 10 and 11, particularly in changing wallpapers. The ransomware encrypts its own ransom notes, likely due to a builder flaw. DEVMAN claims to have stopped using DragonForce months ago, suggesting this may be an experimental or outdated build.

Date

  • Created: July 2, 2025, 7:14 a.m.
  • Published: July 2, 2025, 7:14 a.m.
  • Modified: July 2, 2025, 7:46 a.m.

Indicators

  • df5ab9015833023a03f92a797e20196672c1d6525501a9f9a94a45b0904c7403
  • 018494565257ef2b6a4e68f1c3e7573b87fc53bd5828c9c5127f31d37ea964f8

Attack Patterns

  • BlackLock
  • DEVMAN
  • Mamona
  • DragonForce
  • Conti - S0575

Additional Information

  • Central African Republic
  • South Africa