DEVMAN Ransomware Targets Windows Systems with Flawed DragonForce and Conti Hybrid


VTA-004521 – DEVMAN Ransomware Targets Windows Systems with Flawed DragonForce and Conti Hybrid

A new ransomware variant named DEVMAN has emerged. It is built on the DragonForce and Conti codebases but exhibits unique features, such as the .DEVMAN file extension and a dedicated leak site, and it targets Windows 10 and 11.

DEVMAN encrypts files aggressively and attempts lateral movement via SMB, though operational flaws like self-encrypting ransom notes suggest it is still in testing. It behaves inconsistently across systems, notably failing to change wallpapers in Windows 11. While lacking command-and-control (C2) communication, DEVMAN uses offline SMB probing and basic evasion tactics.

Analysts believe this ransomware reflects the fragmented, evolving nature of the ransomware-as-a-service (RaaS) ecosystem, highlighting how threat actors repurpose existing frameworks.

Severity:
Medium

Attack Surface:
Endpoint OS

Tactics:
Command and Control, Execution

Techniques:
T1027 – Obfuscated Files or Information
T1036 – Masquerading
T1490 – Inhibit System Recovery

Indicators of Compromise:
1. https://otx.alienvault.com/pulse/68644810633dbf6432bff68f

References:
1. https://cyberpress.org/new-devman-ransomware-by-dragonforce/

SuperPRO’s Threat Countermeasures Procedures:
1. Implement strict access controls on SMB file shares by enforcing least privilege permissions and disabling SMBv1 to mitigate legacy protocol risks. Employ network segmentation to contain potential threats and reduce the risk of lateral movement between systems.
2. Enforce application control policies to prevent the execution of unauthorized or untrusted software, particularly executables located in high-risk directories.
3. Establish automated and frequent backup procedures, ensuring copies are stored offline or on immutable storage to prevent tampering.
4. Apply critical security patches and updates to operating systems and third-party applications promptly.
5. Leverage EDR platforms that utilize behavioral analytics to detect and respond to suspicious activities, such as file encryption attempts, unauthorized registry modifications, or mutex creation.
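The following PowerShell script is an added example of how a defender could audit a Windows host against countermeasures 1, 3 and the .DEVMAN indicator described above; it is not tooling from the advisory, SuperPRO or any vendor. It is read-only unless `-Remediate` is supplied, assumes an elevated session on Windows 10/11 or Server with the built-in SmbShare module, and the `C:\Shares` path in `$HuntPaths` is a placeholder to replace with the shares actually hosted on the machine.

```powershell
<#
  Added example (not the advisory's or SuperPRO's own tooling).
  Audits SMBv1 state, broad SMB share permissions, presence of files with the
  .DEVMAN extension, and the number of Volume Shadow Copies still available.
  Read-only unless -Remediate is given. Assumes an elevated PowerShell session.
#>
[CmdletBinding()]
param(
    [switch]$Remediate,                      # apply fixes instead of only reporting
    [string[]]$HuntPaths = @('C:\Shares'),   # placeholder roots to sweep; adjust per host
    [string]$RansomExtension = '.DEVMAN'     # extension named in the advisory
)

# 1. SMBv1 (countermeasure 1): report the server-side setting, optionally disable it
#    and remove the optional feature. A reboot completes the feature removal.
$smbServer = Get-SmbServerConfiguration
Write-Host ("SMBv1 server protocol enabled: {0}" -f $smbServer.EnableSMB1Protocol)
if ($Remediate -and $smbServer.EnableSMB1Protocol) {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Disable-WindowsOptionalFeature -Online -FeatureName 'SMB1Protocol' -NoRestart | Out-Null
    Write-Host 'SMBv1 disabled; reboot to finish removing the feature.'
}

# 2. Share permissions (countermeasure 1, least privilege): flag non-administrative
#    shares where broad principals hold Change or Full access.
$broadPrincipals = @('Everyone', 'BUILTIN\Users', 'Authenticated Users',
                     'NT AUTHORITY\Authenticated Users')
$weakShares = foreach ($share in (Get-SmbShare | Where-Object { -not $_.Special })) {
    Get-SmbShareAccess -Name $share.Name |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.AccessRight -in @('Change', 'Full') -and
            ($broadPrincipals -contains $_.AccountName)
        } |
        ForEach-Object {
            [pscustomobject]@{
                Share     = $share.Name
                Path      = $share.Path
                Principal = $_.AccountName
                Right     = $_.AccessRight
            }
        }
}
Write-Host ("Shares with broad Change/Full access: {0}" -f @($weakShares).Count)
$weakShares | Format-Table -AutoSize

# 3. Indicator hunt: files carrying the ransomware extension, grouped by directory.
#    Because the advisory notes the ransom notes themselves get encrypted, they
#    surface in this sweep as well. -Filter is case-insensitive on Windows.
$hits = foreach ($root in $HuntPaths) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    Get-ChildItem -LiteralPath $root -Recurse -File -Filter "*$RansomExtension" `
        -ErrorAction SilentlyContinue
}
$hitSummary = $hits | Group-Object DirectoryName | ForEach-Object {
    [pscustomobject]@{
        Directory = $_.Name
        Count     = $_.Count
        Newest    = ($_.Group | Sort-Object LastWriteTime -Descending |
                     Select-Object -First 1).LastWriteTime
    }
} | Sort-Object Count -Descending
Write-Host ("Files ending in {0}: {1}" -f $RansomExtension, @($hits).Count)
$hitSummary | Format-Table -AutoSize

# 4. Recovery readiness (T1490, countermeasure 3): count remaining shadow copies.
#    Zero may mean they were deleted or were never configured; either way, offline
#    or immutable backups remain the real control.
$shadowCount = @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue).Count
Write-Host ("Volume Shadow Copies present: {0}" -f $shadowCount)

# Return a single summary object so the script can feed a scheduled task or SIEM export.
[pscustomobject]@{
    ComputerName      = $env:COMPUTERNAME
    Smb1Enabled       = $smbServer.EnableSMB1Protocol
    WeakShareEntries  = @($weakShares).Count
    RansomExtHits     = @($hits).Count
    ShadowCopies      = $shadowCount
    Timestamp         = (Get-Date).ToString('o')
}
```

Run it first without `-Remediate` to see the report, then with `-Remediate` on hosts where disabling SMBv1 has been confirmed safe (older multifunction printers and legacy NAS devices sometimes still depend on it). The hunt section is intentionally generic: swapping `$RansomExtension` for another extension reuses the same sweep for other families.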

Contributed by: Haziq