
New DEVMAN Ransomware Linked to DragonForce Strikes Windows 10 and 11 Users



A new ransomware variant identified as DEVMAN is making waves in the cybersecurity landscape, primarily affecting Windows 10 and 11 devices. While its foundation traces back to the notorious DragonForce ransomware—built on the Conti framework—DEVMAN distinguishes itself through unique behaviors, missteps in development, and a growing footprint across Asia and Africa. This development highlights the continuously evolving nature of Ransomware-as-a-Service (RaaS) and how fragmented innovation among affiliates can lead to unexpected security challenges.


I. Technical Analysis of DEVMAN

1. Roots in DragonForce, Yet Unmistakably New

DEVMAN first came to light after being uploaded by a researcher known as TheRavenFile. Initial detections by antivirus engines categorized it under DragonForce or Conti, but a closer inspection revealed substantial modifications. While the ransomware retains key features from DragonForce, it introduces its own file extension—“.DEVMAN”—and custom strings that suggest the emergence of a separate identity and operational infrastructure.

2. A Flawed Ransom Note Mechanism

One of the most unusual traits in DEVMAN’s behavior is its flawed ransom note system. Due to an apparent bug in the ransomware builder, DEVMAN often encrypts its own ransom note files. These notes are renamed using a fixed format—e47qfsnz2trbkhnt.devman—making it difficult for victims to identify whom to contact. Although this reduces the ransomware’s effectiveness in facilitating payment, the fixed filename presents a valuable indicator of compromise (IOC) for defenders.


II. Behavioral Patterns Across Platforms

1. Inconsistent Performance on Windows 10 and 11

The ransomware behaves differently depending on the operating system. For instance, it successfully replaces the desktop wallpaper on Windows 10, a tactic often used to notify victims of encryption. However, this function fails on Windows 11 systems, indicating either compatibility issues or a partially developed feature set.

2. Offline Operation and Targeting Methodology

DEVMAN largely operates without command-and-control (C2) server interactions, functioning offline. However, it does scan for Server Message Block (SMB) shares to enable lateral movement within infected networks. This dual approach helps it spread while maintaining a low external footprint.

3. Flexible Encryption Modes

The ransomware includes three encryption strategies—full, header-only, and custom. This flexibility allows attackers to adjust the encryption intensity based on the target environment, balancing operational speed with data coverage to maximize disruption.


III. System Manipulation and Persistence

1. Leveraging Windows Restart Manager

DEVMAN incorporates techniques inherited from the Conti family to bypass file locks and access files actively in use. It utilizes the Windows Restart Manager to work around locked files and ensure successful encryption of live data.

2. Registry and Mutex Techniques for Stealth

To avoid detection during forensic analysis, DEVMAN briefly creates and deletes registry entries under the path HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000. Additionally, it uses mutexes like hsfjuukjzloqu28oajh727190 to prevent multiple instances of the ransomware from executing simultaneously, preserving system stability during attacks.


IV. Impact and Expansion

1. New Infrastructure and Leak Site

Although DEVMAN shares much of its code and design with DragonForce—including ransom note templates—it has launched its own Dedicated Leak Site (DLS). This move is indicative of a split from the DragonForce development path, further fragmenting the ransomware ecosystem. So far, DEVMAN claims nearly 40 victims, with most located in Asia and Africa.

2. Regional Focus and Victim Targeting

The regions most affected by DEVMAN appear to be developing markets with less mature cybersecurity infrastructure. This strategic targeting increases the chances of success for attackers and reflects a broader trend among emerging ransomware variants seeking less resistance.

3. Indicators of a New Affiliate Actor

The emergence of DEVMAN demonstrates how affiliate groups often modify and repurpose existing malware to suit their own objectives. Despite using familiar tooling, DEVMAN exhibits enough originality to suggest that a new threat actor is operating independently within the broader RaaS ecosystem.


V. Implications for Cybersecurity Defense

1. Threat Intelligence Opportunities

DEVMAN’s technical flaws, especially the encryption of its own ransom notes, may offer a tactical edge for cybersecurity professionals. These quirks serve as useful detection markers and can aid in early threat identification and response.
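As an added example that is not part of the article, the indicators quoted above in sections I.2 and III.2 (the fixed ransom note filename, the .DEVMAN extension, the named mutex and the Restart Manager registry path) can be combined into a small scoring detector over host telemetry. The events are constructed in a Sysmon-like shape, and the weighting that treats the Restart Manager session key as weak evidence on its own is my assumption, since legitimate software such as Windows Installer also creates Restart Manager session keys.

```python
import ntpath

# Indicators quoted in the article above; everything else in this block is constructed.
DEVMAN_EXTENSION = ".devman"
DEVMAN_NOTE_NAME = "e47qfsnz2trbkhnt.devman"   # the self-encrypted ransom note
DEVMAN_MUTEX = "hsfjuukjzloqu28oajh727190"
RESTART_MANAGER_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000"

# Weight 3 = strong, DEVMAN-specific; weight 1 = weak (assumption), because benign
# installers also create Restart Manager session keys, so that hit alone never alerts.
STRONG, WEAK = 3, 1


def classify_event(event):
    """Map one telemetry event to (indicator_name, weight), or None if it is benign."""
    kind = event.get("type")
    if kind == "FileCreate":
        name = ntpath.basename(event.get("path", "")).lower()
        if name == DEVMAN_NOTE_NAME:          # check the exact note name before the extension
            return ("devman_ransom_note", STRONG)
        if name.endswith(DEVMAN_EXTENSION):
            return ("devman_extension", STRONG)
    elif kind == "MutexCreate":
        if event.get("name", "") == DEVMAN_MUTEX:   # mutex names are case-sensitive
            return ("devman_mutex", STRONG)
    elif kind == "RegistryKeyCreate":
        # The article says entries are created *under* Session0000, so match the prefix.
        if event.get("key", "").lower().startswith(RESTART_MANAGER_KEY.lower()):
            return ("restart_manager_session", WEAK)
    return None


def score_host(events):
    """Aggregate indicator hits for one host; alert only once a strong indicator is present."""
    hits = [h for h in map(classify_event, events) if h is not None]
    indicators = sorted({name for name, _ in hits})
    score = sum(weight for _, weight in hits)
    return {"indicators": indicators, "score": score, "alert": score >= STRONG}


# Constructed sample telemetry (hypothetical events, not real logs).
SAMPLE_EVENTS = [
    {"type": "FileCreate", "path": r"C:\Users\alice\Documents\budget.xlsx.DEVMAN"},
    {"type": "FileCreate", "path": r"C:\Users\alice\Documents\e47qfsnz2trbkhnt.devman"},
    {"type": "RegistryKeyCreate", "key": RESTART_MANAGER_KEY + r"\Owner"},
    {"type": "MutexCreate", "name": DEVMAN_MUTEX},
    {"type": "FileCreate", "path": r"C:\Users\alice\Documents\notes.txt"},
    {"type": "MutexCreate", "name": r"Local\SomeBenignAppMutex"},
]

if __name__ == "__main__":
    print(score_host(SAMPLE_EVENTS))
```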

2. Lessons in RaaS Fragmentation

The ransomware also serves as a case study in the risks of rapid code reuse within RaaS models. As affiliates rush to differentiate themselves, they may introduce bugs or oversights that limit ransomware performance, offering defenders rare windows of opportunity.

3. The Need for Proactive Security Measures

Organizations, particularly those in vulnerable regions, should update their threat models to include DEVMAN and similar emerging threats. Offline ransomware tactics and SMB lateral movement should be monitored closely, while incident response plans must account for novel ransomware strains that may behave differently from well-documented families.


Conclusion

DEVMAN stands as a potent example of how quickly ransomware threats can evolve, even from well-known predecessors. By combining legacy components with new branding and flawed yet novel features, it both challenges and empowers defenders. While its impact is currently concentrated in Asia and Africa, its technical lineage and affiliate-driven development model suggest it could expand further. Understanding its mechanics, exploiting its weaknesses, and sharing intelligence swiftly will be essential steps in mitigating the risks posed by DEVMAN and similar future variants.
