Thursday, July 31, 2025

New DEVMAN Ransomware by DragonForce Targets Windows 10 and 11 Users


A new ransomware variant, dubbed DEVMAN, has surfaced in the cyberthreat landscape, showing a complex lineage tied to the notorious DragonForce family.

Built on a foundation of DragonForce and Conti codebases, DEVMAN introduces unique identifiers such as the .DEVMAN file extension and distinct behavioral traits, setting it apart while retaining core similarities with its predecessors.

This hybrid strain, recently analyzed in ANY.RUN's secure sandbox, targets Windows 10 and 11 systems, encrypting files rapidly and attempting lateral movement via SMB shares.

A Hybrid Threat Emerges from the DragonForce Codebase

However, its deployment appears experimental, with critical flaws such as self-encrypting ransom notes undermining its effectiveness.

Despite being flagged by most antivirus engines as DragonForce or Conti, deeper analysis reveals DEVMAN's separate infrastructure, including a Dedicated Leak Site (DLS) named "Devman's Place," which claims nearly 40 victims, primarily in Asia and Africa.

Encrypted file with the .DEVMAN extension 

DEVMAN's behavior displays intriguing inconsistencies across operating systems and execution environments.

On Windows 10, the ransomware successfully changes the desktop wallpaper to display ransom demands, yet it fails to do so on Windows 11 for reasons yet to be determined.

Its encryption process is notably aggressive, offering three modes (full, header-only, and custom) that allow attackers to prioritize either speed or depth of impact.

Operational Challenges

A striking flaw in its builder logic results in the encryption of its own ransom notes, rendering them unreadable and effectively severing the communication channel for payment instructions.

This critical oversight, coupled with deterministic file renaming (e.g., ransom notes consistently renamed to "e47qfsnz2trbkhnt.devman"), suggests DEVMAN may still be in a testing phase rather than a polished production threat.

Additionally, the ransomware operates primarily offline, with no external command-and-control (C2) communication observed, relying instead on local SMB probing to spread within networks.

Automated detection labels the sample as "DragonForce"

Its use of Windows Restart Manager to bypass file locks, and of hardcoded mutexes such as "hsfjuukjzloqu28oajh727190" for execution coordination, further ties it to Conti-derived tactics, techniques, and procedures (TTPs).

The sample also demonstrates rudimentary persistence and evasion mechanisms, such as deleting registry keys after modifying them and checking for Shadow Copies to inhibit system recovery.

While not groundbreaking in sophistication, these quirks provide valuable insight into the evolving ransomware-as-a-service (RaaS) ecosystem, where affiliates customize existing frameworks like DragonForce to create derivative variants.

DEVMAN's emergence underscores the fragmented nature of modern ransomware development, where code reuse and misconfigurations often blur attribution lines.

According to the report, security teams using tools like ANY.RUN's Interactive Sandbox can gain real-time visibility into such threats, mapping behaviors, extracting indicators of compromise (IOCs), and improving response workflows despite the malware's erratic execution.

Indicators of Compromise (IOCs)

Type                 Value
MD5                  e84270afa3030b48dc9e0c53a35c65aa
SHA256 (Sample 1)    df5ab9015833023a03f92a797e20196672c1d6525501a9f9a94a45b0904c7403
SHA256 (Sample 2)    018494565257ef2b6a4e68f1c3e7573b87fc53bd5828c9c5127f31d37ea964f8
Mutex name           hsfjuukjzloqu28oajh727190
File name (note)     e47qfsnz2trbkhnt.devman
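As an added host-triage example (not code from the report or from ANY.RUN), the file-system IOCs and the mutex name from the table above turned into a check a responder can run over a suspect directory or a sandbox log. The function names, the MASS_RENAME_THRESHOLD value and the constructed demo tree are assumptions of this example, not values from the report.

```python
import hashlib
import tempfile
from pathlib import Path

# IOC values from the table above; the MD5 row is omitted since SHA256 suffices for matching.
DEVMAN_SHA256 = {
    "df5ab9015833023a03f92a797e20196672c1d6525501a9f9a94a45b0904c7403",
    "018494565257ef2b6a4e68f1c3e7573b87fc53bd5828c9c5127f31d37ea964f8",
}
MUTEX_NAME = "hsfjuukjzloqu28oajh727190"
RENAMED_NOTE = "e47qfsnz2trbkhnt.devman"  # the note's name after the builder encrypts its own note
ENCRYPTED_EXT = ".devman"
MASS_RENAME_THRESHOLD = 20  # assumption: tune per host, not a value from the report

def sha256_of(path: Path) -> str:
    """Stream the file so large files are not read into memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def triage_directory(root: Path) -> dict:
    """Walk `root`, collect DEVMAN file-system indicators and return a coarse verdict."""
    report = {"encrypted": [], "renamed_notes": [], "hash_matches": [], "verdict": "clean"}
    for path in (p for p in root.rglob("*") if p.is_file()):
        name = path.name.lower()
        if name == RENAMED_NOTE:
            report["renamed_notes"].append(str(path))  # deterministic name: strongest file IOC
        elif name.endswith(ENCRYPTED_EXT):
            report["encrypted"].append(str(path))
        elif sha256_of(path) in DEVMAN_SHA256:  # only unencrypted files can be the dropped binary
            report["hash_matches"].append(str(path))
    if report["hash_matches"] or report["renamed_notes"]:
        report["verdict"] = "devman-indicators"
    elif len(report["encrypted"]) >= MASS_RENAME_THRESHOLD:
        report["verdict"] = "mass-rename"
    return report

def mutex_seen(log_lines) -> bool:  # sandbox/EDR log lines mentioning the hardcoded mutex
    return any(MUTEX_NAME in line for line in log_lines)

def build_demo_tree() -> Path:
    """Constructed sample tree, not victim data: one encrypted document, one clean file, one renamed note."""
    root = Path(tempfile.mkdtemp(prefix="devman_demo_"))
    (root / "budget.xlsx.devman").write_bytes(b"\x00" * 64)
    (root / "readme.txt").write_bytes(b"nothing to see here")
    (root / RENAMED_NOTE).write_bytes(b"\x00" * 32)
    return root
```

Because the renamed note has a fixed name, a single hit on it is a far stronger signal than a handful of .devman files, which is why the verdict logic ranks it above the rename count.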
