A new ransomware variant, dubbed DEVMAN, has surfaced in the cyber threat landscape, showing a complex lineage tied to the infamous DragonForce family.
Built on a foundation of DragonForce and Conti codebases, DEVMAN introduces unique identifiers such as the .DEVMAN file extension and distinct behavioral traits, setting it apart while retaining core similarities with its predecessors.
This hybrid strain, recently analyzed in ANY.RUN's secure sandbox, targets Windows 10 and 11 systems, encrypting files rapidly and attempting lateral movement via SMB shares.
A Hybrid Threat Emerges from the DragonForce Codebase
However, its deployment appears experimental, with critical flaws such as the encryption of its own ransom notes undermining its effectiveness.
Despite being flagged by most antivirus engines as DragonForce or Conti, deeper analysis reveals DEVMAN's separate infrastructure, including a Dedicated Leak Site (DLS) named "Devman's Place," which claims nearly 40 victims, primarily in Asia and Africa.
DEVMAN's behavior shows intriguing inconsistencies across operating systems and execution environments.
On Windows 10, the ransomware successfully changes the desktop wallpaper to display its ransom demand, yet it fails to do so on Windows 11 for reasons yet to be determined.
Its encryption routine is notably aggressive, offering three modes (full, header-only, and custom) that let the operator prioritize either speed or depth of impact.
Operational Challenges
A striking flaw in its builder logic results in the encryption of its own ransom notes, rendering them unreadable and effectively severing the communication channel for payment instructions.
This critical oversight, coupled with deterministic file renaming (e.g., ransom notes consistently renamed to "e47qfsnz2trbkhnt.devman"), suggests DEVMAN may still be in a testing phase rather than a polished production threat.
Furthermore, the ransomware operates primarily offline, with no external command-and-control (C2) communication observed, relying instead on local SMB probing to spread within networks.
Its use of the Windows Restart Manager to bypass file locks, and of hardcoded mutexes such as "hsfjuukjzloqu28oajh727190" for execution coordination, further ties it to Conti-derived tactics, techniques, and procedures (TTPs).
The sample also demonstrates rudimentary persistence and evasion mechanisms, such as deleting registry keys after modifying them and checking for Volume Shadow Copies in order to inhibit system recovery.
While not groundbreaking in sophistication, these quirks provide valuable insight into the evolving ransomware-as-a-service (RaaS) ecosystem, where affiliates customize existing frameworks like DragonForce to create derivative variants.
DEVMAN's emergence underscores the fragmented nature of modern ransomware development, where code reuse and misconfigurations often blur attribution lines.
According to the report, security teams using tools like ANY.RUN's Interactive Sandbox can gain real-time visibility into such threats, mapping behaviors, extracting indicators of compromise (IOCs), and improving response workflows despite the malware's erratic execution.
Indicators of Compromise (IOCs)
| Type | Value |
|---|---|
| MD5 | e84270afa3030b48dc9e0c53a35c65aa |
| SHA256 (Sample 1) | df5ab9015833023a03f92a797e20196672c1d6525501a9f9a94a45b0904c7403 |
| SHA256 (Sample 2) | 018494565257ef2b6a4e68f1c3e7573b87fc53bd5828c9c5127f31d37ea964f8 |
| Mutex Name | hsfjuukjzloqu28oajh727190 |
| File Name (Ransom Note) | e47qfsnz2trbkhnt.devman |
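As an added illustration (not code from the report or from ANY.RUN's tooling), the following Python script turns the IOC table above into a simple file-system sweep for responders: it hashes each file and compares the MD5/SHA256 against the published sample hashes, flags the deterministic ransom note name "e47qfsnz2trbkhnt.devman", and flags any other file carrying the .DEVMAN extension. Because the ransom note is itself encrypted, its contents cannot be matched, so the name is the only reliable file-level indicator for it. The sample directory listing and the extra hash used in the test are constructed for this example; the hashes and names in the IOC sets are the ones from the table.

```python
import hashlib
import os
from dataclasses import dataclass
from typing import Iterable, Iterator, Tuple

# IOCs taken from the report's table above.
DEVMAN_MD5 = {"e84270afa3030b48dc9e0c53a35c65aa"}
DEVMAN_SHA256 = {
    "df5ab9015833023a03f92a797e20196672c1d6525501a9f9a94a45b0904c7403",
    "018494565257ef2b6a4e68f1c3e7573b87fc53bd5828c9c5127f31d37ea964f8",
}
RANSOM_NOTE_NAME = "e47qfsnz2trbkhnt.devman"   # deterministic, per the report
ENCRYPTED_EXT = ".devman"                      # extension appended to encrypted files

REASON_HASH = "known DEVMAN sample hash"
REASON_NOTE = "DEVMAN ransom note (deterministic name)"
REASON_EXT = "file carries .DEVMAN extension"


@dataclass(frozen=True)
class Finding:
    path: str
    reason: str


def hash_bytes(data: bytes) -> Tuple[str, str]:
    """Return (md5, sha256) hex digests of the given bytes."""
    return hashlib.md5(data).hexdigest(), hashlib.sha256(data).hexdigest()


def basename(path: str) -> str:
    # Handle both Windows and POSIX separators so a listing exported from a
    # Windows host can be processed anywhere.
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def scan_entries(entries: Iterable[Tuple[str, bytes]],
                 md5_iocs=DEVMAN_MD5,
                 sha256_iocs=DEVMAN_SHA256) -> list:
    """Check (path, content) pairs against hash and filename IOCs."""
    findings = []
    for path, content in entries:
        name = basename(path).lower()
        md5, sha256 = hash_bytes(content)
        if md5 in md5_iocs or sha256 in sha256_iocs:
            findings.append(Finding(path, REASON_HASH))
        # The note carries the .devman extension too, so test its name first.
        if name == RANSOM_NOTE_NAME:
            findings.append(Finding(path, REASON_NOTE))
        elif name.endswith(ENCRYPTED_EXT):
            findings.append(Finding(path, REASON_EXT))
    return findings


def iter_directory(root: str) -> Iterator[Tuple[str, bytes]]:
    """Yield (path, content) for every regular file under root (on-disk use)."""
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            full = os.path.join(dirpath, fname)
            try:
                with open(full, "rb") as fh:
                    yield full, fh.read()
            except OSError:
                continue   # unreadable file: skip rather than abort the sweep


def summarize(findings: Iterable[Finding]) -> dict:
    """Count findings per reason, e.g. {'file carries .DEVMAN extension': 12}."""
    counts: dict = {}
    for f in findings:
        counts[f.reason] = counts.get(f.reason, 0) + 1
    return counts


# Constructed sample listing (not real victim data): two artefacts a DEVMAN
# run would leave behind plus one untouched file.
SAMPLE_ENTRIES = [
    ("C:\\Users\\alice\\Documents\\report.docx.devman", b"\x8a\x1f\x00encrypted-body"),
    ("C:\\Users\\alice\\Documents\\e47qfsnz2trbkhnt.devman", b"\x13\x37encrypted-note"),
    ("C:\\Users\\alice\\Documents\\budget.xlsx", b"PK\x03\x04untouched"),
]

if __name__ == "__main__":
    for finding in scan_entries(SAMPLE_ENTRIES):
        print(f"{finding.reason}: {finding.path}")
    print(summarize(scan_entries(SAMPLE_ENTRIES)))
```

For a live host, replace `SAMPLE_ENTRIES` with `iter_directory(r"C:\Users")` (or the share being checked); a hash hit indicates the dropper itself, whereas note or extension hits indicate an encryption run has already taken place. The mutex name in the table is a process-level indicator and is not covered by this file sweep.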