Devman
Devman is a ransomware and extortion threat actor operating a ransomware-as-a-service (RaaS) program. It surfaced in late 2024 and became operationally visible at scale in 2025. Aliases seen in reporting include devman and devman_ransomware, along with references to Devman 2.0 and Devman 3.0. Reporting links Devman to the DragonForce ecosystem and code lineage and characterizes its approach as "minimal branding, maximum reuse".

One malware analysis found the observed DEVMAN sample to be largely DragonForce code, itself derived from Conti, with DEVMAN-specific customization: the .DEVMAN extension appended to encrypted files and a deterministic ransom-note filename, e47qfsnz2trbkhnt.devman. The same analysis observed SMB share probing with references to the ADMIN$ administrative share, Volume Shadow Copy checks, use of the Windows Restart Manager to release file locks before encryption, and a hardcoded mutex; no external command-and-control traffic was observed beyond the SMB probing. Because the note filename is deterministic and the extension fixed rather than per-victim, both are usable as file-level indicators during triage.

Public reporting places Devman's victim concentration in Asia and Africa, with additional activity in Latin America and Europe. It is described as an emerging 2025 ransomware group claiming a significant victim volume: one source reports more than 180 claimed victims, while an earlier malware-analysis write-up cited nearly 40. It is repeatedly described as active against high-value industrial organizations and, in some 2025 reporting, as disproportionately targeting healthcare.

Named victims and incidents include Thailand's Ministry of Labour, Kenya's National Social Security Fund (NSSF), GSCCCA, New Horizons Medical, DXS International, Elematec, Níjar in Spain, and Shimao Group Holdings in China. Reported ransom demands include $91 million against Shimao Group, $15 million against Thailand's Ministry of Labour, $10 million against Elematec, $4.5 million against Kenya's NSSF, $400,000 against GSCCCA, and $90,000 against New Horizons Medical.
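The fixed .DEVMAN extension and the deterministic ransom-note filename from the analysis above are enough for a first-pass filesystem triage of a mounted image or file share. The following is an added example written for this page, not code from the original page or from any vendor's analysis. It walks a directory tree, separates the ransom note from encrypted files (the note itself ends in .devman, so the exact-name check must run first), and returns a verdict. The triage tiers, the 5% threshold, the ScanResult and verdict names, and the constructed sample tree are assumptions made for illustration; the hardcoded mutex is not named on the page, so it is not included.

```python
"""Filesystem triage for the DEVMAN file-level indicators.

Added example for this page; not code from the original page or any vendor.
Only two artefacts from the reporting are used: the .DEVMAN encrypted-file
extension and the ransom-note filename e47qfsnz2trbkhnt.devman. Thresholds,
tier names and the sample tree are assumptions made for illustration.
"""
import os
import tempfile
from dataclasses import dataclass, field
from pathlib import Path
from typing import List

ENCRYPTED_EXT = ".devman"                # reported .DEVMAN extension, matched case-insensitively
RANSOM_NOTE = "e47qfsnz2trbkhnt.devman"  # deterministic ransom-note filename from the analysis


@dataclass
class ScanResult:
    root: str
    total_files: int = 0
    encrypted_files: List[str] = field(default_factory=list)
    ransom_notes: List[str] = field(default_factory=list)

    @property
    def encrypted_ratio(self) -> float:
        """Share of files carrying the encrypted extension (0.0 for an empty tree)."""
        return len(self.encrypted_files) / self.total_files if self.total_files else 0.0


def classify(name: str) -> str:
    """Return 'note', 'encrypted' or 'other' for a bare filename."""
    lowered = name.lower()
    if lowered == RANSOM_NOTE:           # the note also ends in .devman: test it first
        return "note"
    if lowered.endswith(ENCRYPTED_EXT):
        return "encrypted"
    return "other"


def scan_tree(root: str) -> ScanResult:
    """Walk `root` and collect ransom notes and encrypted files by full path."""
    result = ScanResult(root=root)
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            result.total_files += 1
            kind = classify(name)
            path = os.path.join(dirpath, name)
            if kind == "note":
                result.ransom_notes.append(path)
            elif kind == "encrypted":
                result.encrypted_files.append(path)
    return result


def verdict(result: ScanResult, ratio_threshold: float = 0.05) -> str:
    """Assumed triage tiers: a ransom note or >= 5% encrypted files -> 'impacted';
    a handful of renamed files with no note -> 'suspicious'; otherwise 'clean'."""
    if result.ransom_notes or result.encrypted_ratio >= ratio_threshold:
        return "impacted"
    if result.encrypted_files:
        return "suspicious"
    return "clean"


def make_sample_tree() -> str:
    """Constructed sample: a temp directory imitating a partially encrypted share."""
    root = tempfile.mkdtemp(prefix="devman-demo-")
    finance = Path(root, "finance")
    finance.mkdir()
    for name in ("budget.xlsx.DEVMAN", "q3.docx.devman", RANSOM_NOTE):
        (finance / name).touch()
    for name in ("readme.txt", "logo.png"):
        Path(root, name).touch()
    return root


if __name__ == "__main__":
    demo_root = make_sample_tree()
    r = scan_tree(demo_root)
    print(f"{r.total_files} files, {len(r.encrypted_files)} encrypted, "
          f"{len(r.ransom_notes)} ransom note(s) -> {verdict(r)}")
```

Run it directly to triage the constructed sample, or call scan_tree() on the root of a mounted image or share. Extension-based matching is a triage aid, not attribution: other Conti and DragonForce-lineage families use the same mechanics with different strings, so confirm a hit against the note contents and the mutex and Restart Manager behaviour from a sample analysis before naming the family.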
Reporting also notes claimed attacks on a Singaporean branch of a Chinese state-owned construction company and a Spanish fashion e-commerce platform.

Tradecraft and ecosystem reporting associates Devman with double-extortion operations and leak-site pressure. One source states that Devman launched a "Devman 2.0" leak site; another describes a dedicated leak site called "Devman's Place". The group has been tied to healthcare, industrial, and government-sector incidents. A China-focused report associates exploitation of CVE-2017-17215 (a remote code execution flaw in Huawei HG532 routers) with World Leaks, TheGentlemen, and Devman. Another report states that Microsoft Threat Intelligence confirmed in July 2024 that Octo Tempest (Scattered Spider) is a Qilin affiliate and that the same reporting listed groups such as Devman and Arkana in the affiliate roster; that date precedes Devman's reported late-2024 emergence, so the roster placement should be read with that discrepancy in mind.

Disputed or unverified claims also appear. Dragos reported that Devman published screenshots of OT control consoles and monitoring dashboards while falsely claiming to have developed "ICS-aware ransomware"; Dragos found no evidence supporting those claims or indicating that Devman could access or interact with ICS equipment. Separate reporting says ShinyHunters claimed to have collaborated with Devman in an alleged breach of Resecurity, but the authenticity and scope of that incident remain contested or unverified.

Devman's activity appears to have declined in early 2026. One report states that Devman fell from 82 victims in Q4 2025 to 25 in Q1 2026 and attributes the drop to its operator "Tramp", described as a former Conti and Black Basta affiliate, being added to Interpol's wanted list in January 2026. Another report notes that Devman reportedly stepped away from operations in February 2026.
Technical reporting on Vect ransomware highlights possible continuity or overlap with Devman, citing embedded "Devman 3.0" strings in Vect payloads, similarities in ransom notes, a hardcoded "DM" scheduled-task name prefix, and the timing overlap between Devman's February 2026 shutdown and the earliest Vect samples. These points indicate a possible connection, but the reporting stops short of confirming that the two are the same operation.
Tradecraft
5 distinct techniques observed across reporting, grouped by MITRE ATT&CK tactic.
Associated malware families
1 malware family attributed to this actor across reporting.
Associated vulnerabilities
1 CVE used by this actor in observed campaigns (CVE-2017-17215), exploited in the wild.
Recent activity
20 sources tracked across advisories, community write-ups, and news. Characterizations of Devman drawn from individual tracked sources:
- Ransomware operation that split from DragonForce and then sharply declined after law-enforcement pressure and infrastructure disruption.
- Separate ransomware group potentially linked to Vect based on payload strings, ransom note similarities, a hardcoded 'DM' prefix, and timing overlap with Devman's reported exit from operations.
- Secondary-tier ransomware actor contributing to observed ransomware pressure against China.
- Reported Qilin affiliate named in the affiliate roster.