A brand new ransomware variant, dubbed DEVMAN, has surfaced within the cyberthreat panorama, showcasing a fancy lineage tied to the infamous DragonForce household.
Constructed on a basis of DragonForce and Conti codebases, DEVMAN introduces distinctive identifiers such because the .DEVMAN file extension and distinct behavioral traits, setting it aside whereas retaining core similarities with its predecessors.
This hybrid pressure, lately analyzed in ANY.RUN’s safe sandbox, targets Home windows 10 and 11 programs, encrypting information quickly and making an attempt lateral motion by way of SMB shares.
A Hybrid Risk Emerges from DragonForce Codebase
Nevertheless, its deployment seems experimental, with vital flaws like self-encrypting ransom notes undermining its effectiveness.
Regardless of being flagged by most antivirus engines as DragonForce or Conti, deeper evaluation reveals DEVMAN’s separate infrastructure, together with a Devoted Leak Website (DLS) named “Devman’s Place,” claiming almost 40 victims primarily in Asia and Africa.
DEVMAN’s conduct reveals intriguing inconsistencies throughout working programs and execution environments.
On Home windows 10, the ransomware efficiently alters desktop wallpapers to show ransom calls for, but it fails to take action on Home windows 11 for causes but to be decided.
Its encryption course of is notably aggressive, providing three modes full, header-only, and customized permitting attackers to prioritize pace or depth of influence.
Operational Challenges
A putting flaw in its builder logic ends in the encryption of its personal ransom notes, rendering them unreadable and successfully severing the communication channel for cost directions.
This vital oversight, coupled with deterministic file renaming (e.g., ransom notes persistently renamed to “e47qfsnz2trbkhnt.devman”), suggests DEVMAN should be in a testing section slightly than a elegant manufacturing risk.
Moreover, the ransomware operates primarily offline, with no exterior command-and-control (C2) communication noticed, relying as an alternative on native SMB probing to unfold inside networks.
Its use of Home windows Restart Supervisor to bypass file locks and hardcoded mutexes like “hsfjuukjzloqu28oajh727190” for execution coordination additional ties it to Conti-derived techniques, methods, and procedures (TTPs).
The pattern additionally demonstrates rudimentary persistence and evasion mechanisms, corresponding to deleting registry keys post-modification and checking for Shadow Copies to inhibit system restoration.
Whereas not groundbreaking in sophistication, these quirks present beneficial insights into the evolving ransomware-as-a-service (RaaS) ecosystem, the place associates customise present frameworks like DragonForce to create spinoff variants.
DEVMAN’s emergence underscores the fragmented nature of contemporary ransomware improvement, the place code reuse and misconfigurations typically blur attribution traces.
In accordance with the Report, Safety groups leveraging instruments like ANY.RUN’s Interactive Sandbox can acquire real-time visibility into such threats, mapping behaviors, extracting indicators of compromise (IOCs), and enhancing response workflows regardless of the malware’s erratic execution.
Indicators of Compromise (IOCs)
| Kind | Worth |
|---|---|
| MD5 | e84270afa3030b48dc9e0c53a35c65aa |
| SHA256 (Pattern 1) | df5ab9015833023a03f92a797e20196672c1d6525501a9f9a94a45b0904c7403 |
| SHA256 (Pattern 2) | 018494565257ef2b6a4e68f1c3e7573b87fc53bd5828c9c5127f31d37ea964f8 |
| File Title (Mutex) | hsfjuukjzloqu28oajh727190 |
| File Title (Notice) | e47qfsnz2trbkhnt.devman |
Discover this Information Attention-grabbing! Observe us on Google Information, LinkedIn, and X to Get Immediate Updates
