Devman

Devman is a ransomware operation first identified in early 2025 and described in reporting as a non-public, closed operation rather than a public RaaS platform. Multiple sources link Devman to the DragonForce ecosystem and code lineage; analyzed samples were assessed as largely reusing DragonForce code derived from Conti, with DEVMAN-specific customization layered on top. Reporting also states some Devman payloads were built on DragonForce infrastructure, and one analysis described the malware as a lightly modified DragonForce spinoff enabled by DragonForce’s affiliate/custom-builder model.

Devman is associated with double-extortion activity and targeted intrusions against high-value organizations. The reporting cited here says it continued targeted penetration of industrial organizations and intensified targeting of critical infrastructure and healthcare sectors. Victim geography in public reporting is concentrated in Asia and Africa, with occasional activity in Latin America and Europe. One report described an attack in Thailand in which all systems and NAS devices were encrypted. Devman was also noted as having one confirmed incident in Japan in early 2025.

Technical reporting associates Devman with the encrypted file extensions ".DEVMAN" and, in at least one campaign, ".devman1". A deterministic ransom-note filename, "e47qfsnz2trbkhnt.devman", was observed; analysis found this resulted when the malware encrypted its own ransom note due to an apparent builder flaw. The recovered ransom note content was described as copied verbatim from a DragonForce note. The malware supports multiple encryption modes including full, header-only, and custom encryption. Observed behavior included SMB share probing and network share discovery, explicit reference to the ADMIN$ share, checks for Volume Shadow Copies, use of the Windows Restart Manager to access locked files, creation of Restart Manager-related registry entries under HKCU\Software\Microsoft\RestartManager\Session0000, targeting of user-profile files such as NTUSER.DAT, and creation of a hardcoded mutex "hsfjuukjzloqu28oajh727190" plus additional Local\RstrMgr-[GUID]-Session0000 mutexes. No external C2 communications were observed during one analysis aside from SMB probing, suggesting offline operation.

The cited reporting states Devman transitioned from version 1.0, written in C++, to version 2.0, written in Rust. Separate reporting also mentions strings referencing "Devman 3.0" embedded in another ransomware payload, and similarities between Devman and Vect ransom notes, but the exact relationship is not confirmed in the available reporting.

Threat-actor reporting identifies an operator known as "Tramp," described as a former Conti and Black Basta affiliate; the cited reporting states Tramp was added to Interpol's wanted list in January 2026. Devman's publicly claimed victim count declined from 82 in Q4 2025 to 25 in Q1 2026; another source states the group had claimed nearly 40 victims, while a separate report mentions 13 claimed victims in an emerging-stage period. Known IOCs directly mentioned in the reporting include the ".DEVMAN" and ".devman1" extensions, the ransom-note filename "e47qfsnz2trbkhnt.devman", MD5 e84270afa3030b48dc9e0c53a35c65aa, SHA256 df5ab9015833023a03f92a797e20196672c1d6525501a9f9a94a45b0904c7, and SHA256 018494565257ef2b6a4e68f1c3e7573b87fc53bd5828c9c5127f31d37ea964f8.
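A minimal hunting helper for the indicators listed above, written here as an added example (it is not tooling from any of the cited reports). The telemetry events it inspects are constructed, and the digest list is taken exactly as printed on this page, which is why the loader validates digest lengths before anything is put on a watchlist.

```python
"""Hunt helper for the Devman indicators quoted on this page (added example)."""
import re
from pathlib import PureWindowsPath

# Indicators copied verbatim from the page text.
ENCRYPTED_EXTENSIONS = {".devman", ".devman1"}  # matched case-insensitively
RANSOM_NOTE_NAME = "e47qfsnz2trbkhnt.devman"    # deterministic note filename
MUTEX_NAME = "hsfjuukjzloqu28oajh727190"
RESTART_MGR_KEY = r"HKCU\Software\Microsoft\RestartManager\Session0000"
HASHES_FROM_REPORTING = [
    "e84270afa3030b48dc9e0c53a35c65aa",
    "df5ab9015833023a03f92a797e20196672c1d6525501a9f9a94a45b0904c7",
    "018494565257ef2b6a4e68f1c3e7573b87fc53bd5828c9c5127f31d37ea964f8",
]
# Constructed sample telemetry, not from any real incident.
SAMPLE_EVENTS = [
    {"type": "reg_create", "key": RESTART_MGR_KEY},
    {"type": "file_create", "path": r"\\fs01\finance\e47qfsnz2trbkhnt.devman"},
    {"type": "mutex_create", "name": MUTEX_NAME},
]

def load_hashes(values):
    """Split digests into usable and malformed; a wrong-length digest never matches."""
    good, bad = {}, []
    for raw in values:
        v = raw.strip().lower()
        algo = {32: "md5", 40: "sha1", 64: "sha256"}.get(len(v))
        if algo and re.fullmatch(r"[0-9a-f]+", v):
            good[v] = algo
        else:
            bad.append(raw)
    return good, bad

def classify_event(event):
    """Return (confidence, reason) for one telemetry event, or None."""
    kind = event.get("type")
    if kind == "file_create":
        p = PureWindowsPath(event["path"])
        if p.name.lower() == RANSOM_NOTE_NAME:
            return ("high", "Devman ransom-note filename")
        if p.suffix.lower() in ENCRYPTED_EXTENSIONS:
            return ("high", "encrypted-file extension " + p.suffix)
    elif kind == "mutex_create" and event.get("name") == MUTEX_NAME:
        return ("high", "hardcoded Devman mutex")
    elif kind == "reg_create" and event.get("key", "").lower() == RESTART_MGR_KEY.lower():
        # Legitimate installers write Restart Manager keys too: corroborating only.
        return ("low", "Restart Manager session key")
    return None
```

Low-confidence hits such as the Restart Manager key should only be surfaced alongside a high-confidence hit from the same host, since that key is ordinary Windows behaviour on its own.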

Threat actors: groups observed using it

Two distinct threat actors are attributed by public researchers.

Tramp

Devman declined by 70%, from 82 victims to 25. The ransomware’s operator “Tramp”, a former Conti and Black Basta affiliate, was added to Interpol’s wanted list in January 2026.

via Check Point Research blog (research.checkpoint.com)
DragonForce

“Security researchers have reportedly identified Devman ransomware payloads that are built on DragonForce infrastructure.”

via Blackpoint Cyber (blackpointcyber.com)