Devman Ransomware Group

Devman is a ransomware operator that launched a new ransomware-as-a-service (RaaS) platform in late September 2025. The provided content states that Devman previously worked as an affiliate for Qilin (Agenda), DragonForce, and Conti, and then formalized his own brand and began recruiting affiliates. The operation initially used modified DragonForce code, with reported code overlap confirmed by ANY.RUN on 2025-07-01; the content also notes inherited lineage from Conti via DragonForce. Early variants reportedly had significant bugs, including encrypting their own ransom notes and wallpaper failures on Windows 11. Devman claims to have developed a new Rust-based variant, but that claim is explicitly unverified. The RaaS platform is described as requiring a $10,000 deposit and proof of compromise, including 100 GB of exfiltrated data, from non-CIS affiliates. It uses a revenue-based ransom pricing model tied to victim company size. The platform reportedly provides Windows, Linux/NAS, and ESXi lockers, daily updates, and a note-suppression feature intended to delay ransom note display and maximize spread before detection. Devman also claims to offer a specialized SCADA/ICS locker, but that claim is unverified. According to the content, Devman’s rules explicitly allow attacks on critical infrastructure and hospitals, with exceptions related to children; they prohibit targeting CIS countries and Serbia, and prohibit leaking data of individuals under 18. The affiliate rules require professional conduct, restrict team formation, limit ransom discounts to 50%, require transfers to two wallets, prohibit USDT payouts, and allow the operator to take over negotiations if affiliates fail to meet obligations. The platform uses Tox for encrypted affiliate recruitment communications and is described as structured to make infiltration by law enforcement and researchers more difficult. The content states that Devman consolidated prior infrastructure into the new RaaS platform, with earlier leak sites taken offline, and that the operation continued listing victims and conducting negotiations as of October 2025. Devman is also described as maintaining a public persona on X and engaging directly with researchers. An allegation that GangExposed attempted to extort Devman is mentioned in the source material, but it is explicitly unverified. No nation-state attribution is provided in the content.