{"id":14522,"date":"2025-07-01T09:47:55","date_gmt":"2025-07-01T09:47:55","guid":{"rendered":"\/cybersecurity-blog\/?p=14522"},"modified":"2025-07-08T10:31:10","modified_gmt":"2025-07-08T10:31:10","slug":"devman-ransomware-analysis","status":"publish","type":"post","link":"https:\/\/any.run\/cybersecurity-blog\/devman-ransomware-analysis\/","title":{"rendered":"DEVMAN Ransomware: Analysis of New DragonForce Variant\u00a0"},"content":{"rendered":"\n<p><strong><em>Editor\u2019s note:<\/em><\/strong><em> The current article is authored by Mauro Eldritch, offensive security expert and threat intelligence analyst. You can <\/em><a href=\"https:\/\/x.com\/MauroEldritch\" target=\"_blank\" rel=\"noreferrer noopener\"><strong><em>find Mauro on X<\/em><\/strong><\/a><em>.<\/em>&nbsp;<\/p>\n\n\n\n<p>New ransomware strains continue to surface frequently, and many of them are loosely built on or repackaged from existing families. One such case involves a sample resembling DragonForce ransomware, yet bearing several unique traits and identifiers suggesting the involvement of a separate entity known as DEVMAN.&nbsp;<\/p>\n\n\n\n<p>A previously analyzed campaign connected to the <a href=\"https:\/\/any.run\/cybersecurity-blog\/mamona-ransomware-analysis\/\" target=\"_blank\" rel=\"noreferrer noopener\">Mamona strain<\/a>, itself linked to BlackLock affiliates and the Embargo group, also intersected with DragonForce activity. DragonForce published BlackLock&#8217;s own .env file, making a rival gang the target rather than a victim organization. This is the first case where we saw two gangs actively and publicly attacking each other.<\/p>\n\n\n\n<p>This newer sample, uploaded by TheRavenFile, appears related but not entirely identical to the DragonForce lineage. 
Despite being labeled as a DragonForce or Conti variant by most AV engines, the sample displays unique behaviors that point toward DEVMAN involvement.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"647\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/07\/1-1024x647.png\" alt=\"\" class=\"wp-image-14524\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/07\/1-1024x647.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/07\/1-300x190.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/07\/1-768x485.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/07\/1-1536x971.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/07\/1-2048x1295.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/07\/1-370x234.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/07\/1-270x171.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/07\/1-740x468.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Our DragonForce\/Conti sample on VT, but don\u2019t be fooled by appearances<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<h2 class=\"wp-block-heading\">DEVMAN: Key Takeaways&nbsp;<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>DEVMAN reuses DragonForce code but adds its own twists: <\/strong>The .DEVMAN extension and unique strings sit on top of a mostly DragonForce codebase.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Attribution is muddy: <\/strong>The sample does not contain\u00a0any leak-site links to DEVMAN, while the ransom note is strictly a copy of the DragonForce one.<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>DragonForce\u2019s RaaS model allows affiliates to create spinoff 
variants:<\/strong>&nbsp;<br>That\u2019s likely how samples like DEVMAN emerged: built on DragonForce code, but customized and repackaged.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Ransom notes encrypt themselves: <\/strong>This likely happens due to a builder flaw.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Most malicious activity takes place offline, aside from SMB probing: <\/strong>No external C2 communication was observed during analysis.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Three encryption modes are built in: <\/strong>full, header-only, and custom.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Behavior varies by OS:<\/strong> Wallpaper change fails on Windows 11 but works on Windows 10.&nbsp;<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Dragons as a Service&nbsp;<\/h2>\n\n\n\n<p>Some time ago, DragonForce introduced their RaaS (Ransomware-as-a-Service) model, aiming to recruit both affiliates to operate their ransomware and others who wanted to use their infrastructure, branding, and reputation as a platform to publish stolen data.&nbsp;&nbsp;<\/p>\n\n\n\n<p>This shift brought new actors into the landscape, increasing overall activity, noise, and irregularities, including the sample analyzed here. Depending on the analyst or tool, it may be labeled as DragonForce, Conti (the base framework for DragonForce), or DEVMAN.&nbsp;<\/p>\n\n\n\n<p>DEVMAN? 
A relatively new actor has recently emerged under this name, featuring its own Dedicated Leak Site (DLS) called Devman\u2019s Place, a separate infrastructure, and nearly 40 claimed victims, primarily in Asia and Africa, with occasional incidents in Latin America and Europe.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">A Hybrid Ransomware Sample&nbsp;<\/h3>\n\n\n\n<p>Let\u2019s analyze the sample inside <a href=\"https:\/\/any.run\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=devman_analysis&amp;utm_term=010725&amp;utm_content=linktolanding\" target=\"_blank\" rel=\"noreferrer noopener\">ANY.RUN\u2019s secure interactive sandbox<\/a>:&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/app.any.run\/tasks\/64918027-01e6-415a-85b3-474fca5fc5c4\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=devman_analysis&amp;utm_term=010725&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\">View analysis session<\/a>&nbsp;&nbsp;<\/p>\n\n\n\n<p>This sample, flagged by most antivirus engines as DragonForce (or Conti), has in fact been modified to behave like a new variant belonging to DEVMAN. It uses that name as the file extension for encrypted data but otherwise shares a large part of its codebase with DragonForce, including leftover strings and identifiers. 
That strongly suggests DEVMAN may be using a DragonForce build for some of its operations.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"578\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/07\/2-1024x578.png\" alt=\"\" class=\"wp-image-14525\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/07\/2-1024x578.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/07\/2-300x169.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/07\/2-768x434.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/07\/2-1536x867.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/07\/2-2048x1156.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/07\/2-370x209.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/07\/2-270x152.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/07\/2-740x418.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Encrypted file with the .DEVMAN extension<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>This appears to be a lightly customized version; one that hasn\u2019t attracted much attention, either from the threat intelligence community or from its own operator. 
The result is a tangled ransomware crossbreed with overlapping traits.&nbsp;&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"514\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/07\/3-1024x514.png\" alt=\"\" class=\"wp-image-14526\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/07\/3-1024x514.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/07\/3-300x150.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/07\/3-768x385.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/07\/3-370x186.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/07\/3-270x135.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/07\/3-740x371.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/07\/3.png 1324w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Automatic detection labels the sample as &#8220;DragonForce&#8221;<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>A closer look reveals more.&nbsp;<\/p>\n\n\n\n<!-- Regular Banner START -->\n<div class=\"regular-banner\">\n<!-- Text Content -->\n<p class=\"regular-banner__text\">\nDetect malware as it executes in a live environment<br> Analyze suspicious files and URLs in <span class=\"highlight\">ANY.RUN&#8217;s Sandbox<\/span>&nbsp;   \n<\/p>\n<!-- CTA Link -->\n<a class=\"regular-banner__link\" id=\"article-banner-regular\" href=\"https:\/\/app.any.run\/?utm_source=anyrunblog&#038;utm_medium=article&#038;utm_campaign=devman_analysis&#038;utm_term=010725&#038;utm_content=linktoregistration#register\/\" target=\"_blank\" rel=\"noopener\">\nSign up with business email\n<\/a>\n<\/div>\n<!-- Regular Banner END -->\n<!-- Regular Banner Styles START -->\n\n<style>\n.regular-banner {\ndisplay: flex;\ntext-align: 
center;\nflex-direction: column;\nalign-items: center;\ngap: 1.5rem;\nwidth: 100%;\npadding: 2rem;\nmargin: 1.5rem 0;\nborder-radius: 0.5rem;\nfont-family: 'Catamaran Bold';\nmargin-inline: auto;\nbackground: rgba(32, 168, 241, 0.1);\nborder: 1px solid rgba(75, 174, 227, 0.32);\n}\n\n.regular-banner__text {\nfont-size: 1.5rem;\nmargin: 0;\n}\n\n.highlight {\ncolor: #ea2526;\n}\n\n.regular-banner__link {\npadding: 0.5rem 1.5rem;\nfont-weight: 500;\ntext-decoration: none;\nborder-radius: 0.5rem;\ncolor: #FFFFFF;\nbackground-color: #1491D4;\ntext-align: center;\ntransition: all 0.2s ease-in;\n}\n\n.regular-banner__link:hover {\nbackground-color: #68CBFF;\ncolor: white;\n}\n<\/style>\n<!-- Regular Banner Styles END -->\n\n\n\n<h3 class=\"wp-block-heading\">Initial Behavior and Detection&nbsp;<\/h3>\n\n\n\n<p>First things first \u2014 our newborn dragon does what dragons do: it burns down the village. Files are encrypted rapidly and automatically, and the sample also tries to locate SMB shared folders to spread further \u2014 but in our lab environment, it wasn\u2019t that lucky.&nbsp;<\/p>\n\n\n\n<p>Two things caught our attention immediately. First, on <a href=\"https:\/\/any.run\/cybersecurity-blog\/windows11-uac-bypass\/\" target=\"_blank\" rel=\"noreferrer noopener\">Windows 11<\/a>, the sample was unable to change the wallpaper for unknown reasons, while on <a href=\"https:\/\/any.run\/cybersecurity-blog\/windows-10-sandbox\/\" target=\"_blank\" rel=\"noreferrer noopener\">Windows 10<\/a> it worked flawlessly.&nbsp;&nbsp;<\/p>\n\n\n\n<p>Second, although desktop files are the most visible, they are not the last to be encrypted. 
The process continues beyond them.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"359\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/07\/6-1024x359.png\" alt=\"\" class=\"wp-image-14527\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/07\/6-1024x359.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/07\/6-300x105.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/07\/6-768x270.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/07\/6-1536x539.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/07\/6-370x130.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/07\/6-270x95.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/07\/6-740x260.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/07\/6.png 1960w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>SMB traffic attempting to spread the infection laterally<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<h3 class=\"wp-block-heading\">Ransom Note Issues and Deterministic Renaming&nbsp;<\/h3>\n\n\n\n<p>The ransom notes were not dropped as expected. Instead, every location where a note should have appeared contained, quite mysteriously, a file with a scrambled name and the .DEVMAN extension, suggesting the sample might be malfunctioning and targeting its own files.&nbsp;<\/p>\n\n\n\n<p>Fortunately, ANY.RUN logs all activity, not just network traffic but disk writes as well, which let us reconstruct one of those files at the moment it was created. And, interestingly enough, the ransom note isn\u2019t just similar to the ones used by DragonForce. 
It is, in fact, a DragonForce ransom note.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"626\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/07\/4-1024x626.png\" alt=\"\" class=\"wp-image-14528\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/07\/4-1024x626.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/07\/4-300x183.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/07\/4-768x469.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/07\/4-1536x939.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/07\/4-2048x1252.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/07\/4-370x226.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/07\/4-270x165.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/07\/4-740x452.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>A DragonForce ransom note<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>When retrieving the list of created and modified files, we noticed an interesting pattern: the sample scrambles file names instead of simply appending an extension.&nbsp;<\/p>\n\n\n\n<p>And here\u2019s the most curious part: its own readme.txt files, once encrypted, are always renamed to e47qfsnz2trbkhnt.devman. 
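<\/p>\n\n\n\n<p>Two checks a responder can run over the encrypted file set, as an added example rather than code from the article or from the DEVMAN\/DragonForce builder. The first groups encrypted names by basename, so a name that recurs in several directories (as e47qfsnz2trbkhnt.devman does above) stands out as the product of a deterministic rename rather than a per-file random one. The second compares the entropy of a file\u2019s first bytes with that of the remainder to tell full encryption from header-only encryption, the two modes described under Encryption Modes further down. Only that note name is taken from the analysis; the other paths, the 4 KiB header size, the 7.0 bits\/byte threshold and the SHA-256 XOR keystream used to fabricate ciphertext are assumptions for the demo, not the sample\u2019s cipher.<\/p>\n\n

```python
"""Post-encryption triage of a sandbox file listing.

Added example, not code from the article or from the DEVMAN/DragonForce
builder. Only the note name e47qfsnz2trbkhnt.devman is taken from the
analysis; every other path, HEADER_BYTES, HIGH_ENTROPY and the toy XOR
keystream are assumptions made for the demo.
"""
from collections import defaultdict
import hashlib
import math
import posixpath

HEADER_BYTES = 4096   # assumed size of the region a header-only mode touches
HIGH_ENTROPY = 7.0    # bits/byte; output of a real cipher sits close to 8.0


def repeated_encrypted_names(paths, extension=".devman", min_dirs=3):
    """Return {basename: [directories]} for encrypted names seen in at least
    min_dirs directories. A per-file random rename never repeats; a
    deterministic one maps every copy of the same input (such as a dropped
    readme.txt) to the same scrambled name."""
    dirs_by_name = defaultdict(set)
    for path in paths:
        directory, name = posixpath.split(path.replace("\\", "/"))
        if name.lower().endswith(extension):
            dirs_by_name[name.lower()].add(directory)
    return {n: sorted(d) for n, d in dirs_by_name.items() if len(d) >= min_dirs}


def shannon_entropy(data):
    """Shannon entropy of a byte string in bits per byte (0.0 when empty)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def classify_encryption(data, header=HEADER_BYTES, threshold=HIGH_ENTROPY):
    """Label a file body 'full', 'header-only' or 'plaintext' by comparing
    the entropy of its first `header` bytes with the entropy of the rest."""
    head, tail = data[:header], data[header:]
    head_high = shannon_entropy(head) >= threshold
    tail_high = shannon_entropy(tail) >= threshold if tail else head_high
    if head_high and tail_high:
        return "full"
    if head_high:
        return "header-only"
    return "plaintext"


# ---- constructed demo data; nothing below comes from the real sample ----
def demo_plaintext(size=64 * 1024):
    """Low-entropy stand-in for a document."""
    line = b"The quick brown fox jumps over the lazy dog. 0123456789\n"
    return (line * (size // len(line) + 1))[:size]


def toy_encrypt(data, key, limit=None):
    """XOR `data` (or only its first `limit` bytes) with a SHA-256 counter
    keystream. Chosen only because its output is high-entropy; it is NOT
    the sample's algorithm and offers no real security."""
    limit = len(data) if limit is None else min(limit, len(data))
    out = bytearray(data)
    for block, off in enumerate(range(0, limit, 32)):
        ks = hashlib.sha256(key + block.to_bytes(8, "little")).digest()
        for i in range(off, min(off + 32, limit)):
            out[i] ^= ks[i - off]
    return bytes(out)


SAMPLE_PATHS = [
    r"C:\Users\admin\Desktop\e47qfsnz2trbkhnt.devman",    # observed note name
    r"C:\Users\admin\Documents\e47qfsnz2trbkhnt.devman",
    r"C:\Users\admin\Pictures\e47qfsnz2trbkhnt.devman",
    r"C:\Users\admin\Desktop\k8v2mq0rz1xwpe3l.devman",    # invented data file
    r"C:\Users\admin\Documents\budget.xlsx",               # untouched file
]

if __name__ == "__main__":
    print("repeated names:", repeated_encrypted_names(SAMPLE_PATHS))
    plain = demo_plaintext()
    for label, body in (("untouched", plain),
                        ("full", toy_encrypt(plain, b"demo-key")),
                        ("header", toy_encrypt(plain, b"demo-key", limit=HEADER_BYTES))):
        print(f"{label:>9}: {classify_encryption(body)}")
```

\n\n<p>Entropy is a triage signal, not proof: already-compressed formats such as .zip, .docx or .jpeg score close to 8 bits\/byte in plaintext, so check the file\u2019s magic bytes or original extension before trusting a \u201cfull\u201d verdict, and set HEADER_BYTES to the header length the builder actually uses once it is known.<\/p>\n\n\n\n<p>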
This strongly suggests a deterministic renaming function: one that yields the same output for identical input, with no per-file random component, which is why every dropped readme.txt ends up under the same scrambled name.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"641\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/07\/5-1024x641.png\" alt=\"\" class=\"wp-image-14529\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/07\/5-1024x641.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/07\/5-300x188.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/07\/5-768x481.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/07\/5-370x232.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/07\/5-270x169.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/07\/5-740x463.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/07\/5.png 1498w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Encrypted ransom notes, all sharing the same name<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<h3 class=\"wp-block-heading\">Offline Behavior and Local Footprint&nbsp;<\/h3>\n\n\n\n<p>So, let&#8217;s focus on those local oddities, and a good place to start is the binary itself.&nbsp;<\/p>\n\n\n\n<p>Aside from the aforementioned SMB connections, no suspicious network dialogue was observed, suggesting that all malicious activity takes place locally and offline.&nbsp;&nbsp;<\/p>\n\n\n\n<p>Using FLOSS, a tool by Mandiant, we can decode and extract additional strings to better understand the sample\u2019s internal logic prior to disassembly.&nbsp;<\/p>\n\n\n\n<p>The first thing we notice is that the sample checks for Shadow Copies (probably just to make sure we\u2019ve got a solid backup policy in place) and lists a series of file extensions that it deliberately avoids 
encrypting.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"2554\" height=\"1140\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/07\/7-1024x457.png\" alt=\"\" class=\"wp-image-14530\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/07\/7-1024x457.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/07\/7-300x134.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/07\/7-768x343.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/07\/7-1536x686.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/07\/7-2048x914.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/07\/7-370x165.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/07\/7-270x121.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/07\/7-740x330.png 740w\" sizes=\"(max-width: 2554px) 100vw, 2554px\" \/><figcaption class=\"wp-element-caption\"><em>Decoded strings obtained via FLOSS<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<h3 class=\"wp-block-heading\">Encryption Modes and File Targeting&nbsp;<\/h3>\n\n\n\n<p>Further analysis reveals three encryption modes: full, header-only, and custom, trading thoroughness against speed depending on the intended scenario.&nbsp;&nbsp;<\/p>\n\n\n\n<p>Header-only <a href=\"https:\/\/any.run\/cybersecurity-blog\/encryption-algorithms-in-malware\/\" target=\"_blank\" rel=\"noreferrer noopener\">encryption<\/a>, in particular, allows the malware to corrupt large volumes of data in less time, trading completeness for speed. It also means most of each file\u2019s bytes are left untouched, which is worth knowing during recovery: for formats that tolerate a damaged header, partial restoration or carving is sometimes possible.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"457\" 
src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/07\/8-1024x457.png\" alt=\"\" class=\"wp-image-14531\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/07\/8-1024x457.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/07\/8-300x134.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/07\/8-768x343.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/07\/8-1536x686.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/07\/8-2048x914.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/07\/8-370x165.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/07\/8-270x121.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/07\/8-740x330.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>At least three different encryption modes are available<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<h3 class=\"wp-block-heading\">SMB Spread and Local Targeting&nbsp;<\/h3>\n\n\n\n<p>Further exploration reveals a bit more detail about the sample\u2019s attempts to reach SMB shares: it references local network octets, hardcodes the ADMIN$ share name, and carries several error and debug messages. Reaching ADMIN$ requires administrative rights on the target host, so this spread path only works with the privileges the sample already runs under.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"457\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/07\/9-1024x457.png\" alt=\"\" class=\"wp-image-14532\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/07\/9-1024x457.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/07\/9-300x134.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/07\/9-768x343.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/07\/9-1536x686.png 
1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/07\/9-2048x914.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/07\/9-370x165.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/07\/9-270x121.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/07\/9-740x330.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Octets belonging to local addresses and a direct mention of the ADMIN$ share<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<h3 class=\"wp-block-heading\">Persistence and File Lock Evasion via Restart Manager&nbsp;<\/h3>\n\n\n\n<p>Another interesting behaviour that further supports the Conti lineage of this sample is its interaction with the Windows Restart Manager. The malware creates temporary sessions under the registry key:&nbsp;<\/p>\n\n\n\n<p>HKEY_CURRENT_USER\\Software\\Microsoft\\RestartManager\\Session0000&nbsp;<\/p>\n\n\n\n<p>There, it logs metadata such as Owner, SessionHash, RegFiles0000, and RegFilesHash, pointing to system-critical files like NTUSER.DAT and its corresponding logs.&nbsp;<\/p>\n\n\n\n<p>Each of these entries is quickly deleted after being written, likely an attempt to avoid leaving persistent forensic traces. Note that the Restart Manager itself removes a session key when the session ends, so the deletion is ordinary API behaviour; what stands out is which process drives it and which files it registers. This pattern mirrors behaviour seen in Conti and later carried on by DragonForce, which now appears to be inherited by DEVMAN (what a Zoo!).&nbsp;&nbsp;<\/p>\n\n\n\n<p>The goal seems clear: use the Restart Manager to bypass file locks so the encryptor can reach files that the active user session holds open. 
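<\/p>\n\n\n\n<p>The trace this leaves is a burst of short-lived SessionNNNN keys. Below is an added example, not code from the article or from the sample, that scans a registry event log for exactly that: a key created under HKCU\\Software\\Microsoft\\RestartManager, RegFiles values pointing at NTUSER.DAT, and the key deleted moments later by the same process. The log lines are constructed to mirror the value names listed above; the process names, PIDs, timestamps, the line format and the 5-second lifetime threshold are assumptions.<\/p>\n\n

```python
"""Flag short-lived Restart Manager sessions in a registry event log.

Added example, not code from the article or the sample. The log lines are
constructed to mirror what the sandbox showed (a Session0000 key with
Owner, SessionHash, RegFiles0000 and RegFilesHash values, written and then
deleted); the process names, PIDs, timestamps, the line format and the
MAX_LIFETIME_S threshold are assumptions.
"""
import re
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) pid=(?P<pid>\d+) (?P<proc>\S+) (?P<op>\w+) "
    r"(?P<path>\S+)(?: data=(?P<data>.*))?$")
SESSION_RE = re.compile(
    r"^(?P<key>HKCU\\Software\\Microsoft\\RestartManager\\Session\d{4})"
    r"(?:\\(?P<value>[^\\]+))?$", re.IGNORECASE)
PROFILE_RE = re.compile(r"\\NTUSER\.DAT(\.LOG\d*)?$", re.IGNORECASE)
MAX_LIFETIME_S = 5.0   # assumed: a session torn down faster than this is odd


def detect_short_sessions(log, max_lifetime=MAX_LIFETIME_S):
    """Return one alert per (pid, session key) whose key was created and
    deleted within max_lifetime seconds and which registered a user-profile
    hive file (NTUSER.DAT or its logs) through a RegFiles value."""
    sessions = {}
    alerts = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        s = SESSION_RE.match(m["path"])
        if not s:
            continue                      # not a Restart Manager key at all
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
        ident = (int(m["pid"]), s["key"])
        op = m["op"]
        if op == "RegCreateKey" and s["value"] is None:
            sessions[ident] = {"start": ts, "process": m["proc"], "files": []}
        elif ident not in sessions:
            continue                      # activity on a session we never saw start
        elif op == "RegSetValue" and (s["value"] or "").lower().startswith("regfiles") and m["data"]:
            sessions[ident]["files"].append(m["data"])
        elif op == "RegDeleteKey" and s["value"] is None:
            sess = sessions.pop(ident)
            lifetime = (ts - sess["start"]).total_seconds()
            if lifetime <= max_lifetime and any(PROFILE_RE.search(f) for f in sess["files"]):
                alerts.append({"pid": ident[0], "process": sess["process"],
                               "key": ident[1], "lifetime_s": lifetime,
                               "files": sess["files"]})
    return alerts


# Constructed log in an assumed "ts pid=N process op path [data=...]" format.
LOG = """\
2025-07-01 09:48:01.120 pid=4120 sample.exe RegCreateKey HKCU\\Software\\Microsoft\\RestartManager\\Session0000
2025-07-01 09:48:01.121 pid=4120 sample.exe RegSetValue HKCU\\Software\\Microsoft\\RestartManager\\Session0000\\Owner
2025-07-01 09:48:01.121 pid=4120 sample.exe RegSetValue HKCU\\Software\\Microsoft\\RestartManager\\Session0000\\SessionHash
2025-07-01 09:48:01.122 pid=4120 sample.exe RegSetValue HKCU\\Software\\Microsoft\\RestartManager\\Session0000\\RegFiles0000 data=C:\\Users\\admin\\NTUSER.DAT
2025-07-01 09:48:01.122 pid=4120 sample.exe RegSetValue HKCU\\Software\\Microsoft\\RestartManager\\Session0000\\RegFilesHash
2025-07-01 09:48:01.140 pid=4120 sample.exe RegDeleteKey HKCU\\Software\\Microsoft\\RestartManager\\Session0000
2025-07-01 09:50:30.000 pid=2288 msiexec.exe RegCreateKey HKCU\\Software\\Microsoft\\RestartManager\\Session0001
2025-07-01 09:50:30.010 pid=2288 msiexec.exe RegSetValue HKCU\\Software\\Microsoft\\RestartManager\\Session0001\\RegFiles0000 data=C:\\Program Files\\Demo\\app.dll
2025-07-01 09:51:12.000 pid=2288 msiexec.exe RegDeleteKey HKCU\\Software\\Microsoft\\RestartManager\\Session0001
"""

if __name__ == "__main__":
    for a in detect_short_sessions(LOG):
        print(f"pid {a['pid']} ({a['process']}) held {a['key']} for "
              f"{a['lifetime_s']:.3f}s; registered {a['files']}")
```

\n\n<p>Because RmEndSession deletes the session key as a matter of course, a created-then-deleted key is also what any well-behaved installer leaves behind; that is why the example insists on the NTUSER.DAT registration and a sub-second lifetime before raising an alert, and why a production rule should add the caller\u2019s path and signing status. The call sequence behind it is nothing exotic: RmStartSession, RmRegisterResources and RmGetList ask Windows which processes hold the target file, so the encryptor can get them out of the way before it writes.<\/p>\n\n\n\n<p>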
It\u2019s noisy, and somewhat old, but it works.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"988\" height=\"1024\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/07\/10-988x1024.png\" alt=\"\" class=\"wp-image-14533\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/07\/10-988x1024.png 988w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/07\/10-290x300.png 290w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/07\/10-768x796.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/07\/10-1483x1536.png 1483w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/07\/10-370x383.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/07\/10-270x280.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/07\/10-740x767.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/07\/10.png 1724w\" sizes=\"(max-width: 988px) 100vw, 988px\" \/><figcaption class=\"wp-element-caption\"><em>Regkeys altered by the sample<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<!-- CTA Split START -->\n<div class=\"cta-split\">\n<div class=\"cta__split-left\">\n\n<!-- Image -->\n<img decoding=\"async\" loading=\"lazy\" src=\"https:\/\/mcusercontent.com\/663b94f19348582a8dc323efe\/images\/0d88188b-3e89-2314-5a60-cb87e8077326.png\" alt=\"Learn to analyze malware in a sandbox\" class=\"cta__split-icon\" \/>\n<\/div>\n\n<div class=\"cta__split-right\">\n<div>\n\n<!-- Heading -->\n<h3 class=\"cta__split-heading\"><br>Learn to analyze cyber threats<\/h3>\n\n<!-- Text -->\n<p class=\"cta__split-text\">\nSee a detailed guide to using ANY.RUN&#8217;s <span class=\"highlight\">Interactive Sandbox<\/span> for malware and phishing analysis\n<br \/>\n<br \/>\n<\/p>\n<\/div>\n<!-- CTA Link -->\n<a target=\"_blank\" rel=\"noopener\" 
id=\"article-banner-split\" href=\"https:\/\/any.run\/cybersecurity-blog\/malware-analysis-in-a-sandbox\/\"><div class=\"cta__split-link\">Read full guide<\/div><\/a>\n<\/div>\n<\/div>\n<!-- CTA Split END -->\n<!-- CTA Split Styles START -->\n<style>\n.cta-split {\noverflow: hidden;\nmargin: 3rem 0;\ndisplay: grid;\njustify-items: center;\nborder-radius: 0.5rem;\nwidth: 100%;\nmin-height: 25rem;\ngrid-template-columns: repeat(2, 1fr);\nborder: 1px solid rgba(75, 174, 227, 0.32);\nfont-family: 'Catamaran Bold';\n}\n\n.cta__split-left {\ndisplay: flex;\nalign-items: center;\njustify-content: center;\nheight: 100%;\nwidth: 100%;\nbackground-color: #161c59;\nbackground-position: center center;\nbackground: rgba(32, 168, 241, 0.1);\n}\n\n.cta__split-icon { \nwidth: 100%;\nheight: auto;\nobject-fit: contain;\nmax-width: 100%;\n}\n\n.cta__split-right {\ndisplay: flex;\nflex-direction: column;\njustify-content: space-between;\npadding: 2rem;\n}\n\n.cta__split-heading { font-size: 1.5rem; }\n\n.cta__split-text {\nmargin-top: 1rem;\nfont-family: Lato, Roboto, sans-serif;\n}\n\n.cta__split-link {\npadding: 0.5rem 1rem;\nfont-weight: 500;\ntext-decoration: none;\nborder-radius: 0.5rem;\ncolor: white;\nbackground-color: #1491D4;\ntext-align: center;\ntransition: all 0.2s ease-in;\ndisplay: block;\nz-index: 1000;\nposition: relative;\ncursor: pointer !important;\n}\n\n.cta__split-link:hover {\nbackground-color: #68CBFF;\ncolor: white;\ncursor: pointer;\n}\n\n.highlight { color: #ea2526;}\n\n\n\/* Mobile styles START *\/\n@media only screen and (max-width: 768px) {\n\n.cta-split {\ngrid-template-columns: 1fr;\nmin-height: auto;\n}\n\n.cta__split-left {\nheight: auto;\nmin-height: 10rem;\n}\n\n\n.cta__split-left, .cta__split-right {\nheight: auto;\n}\n\n.cta__split-heading { font-size: 1.2rem; }\n\n.cta__split-text { font-size: 1rem; }\n.cta__split-icon {\nmax-height: auto;\nobject-fit: cover;\n}\n\n}\n\/* Mobile styles END *\/\n<\/style>\n<!-- CTA Split Styles END -->\n\n\n\n<h3 
class=\"wp-block-heading\">Mutex Usage and Sample Coordination&nbsp;<\/h3>\n\n\n\n<p>Another notable behavior involves the use of synchronization primitives, particularly <a href=\"https:\/\/any.run\/cybersecurity-blog\/mutex-search-in-ti-lookup\/\" target=\"_blank\" rel=\"noreferrer noopener\">mutexes<\/a>, to coordinate the sample\u2019s execution and possibly prevent multiple instances from running in parallel. This is standard among ransomware families derived from Conti, and this case is no exception.&nbsp;<\/p>\n\n\n\n<p>Right from the beginning, the sample creates a mutex named: hsfjuukjzloqu28oajh727190&nbsp;<\/p>\n\n\n\n<p>This mutex is not randomly generated; it is hardcoded into the binary, as confirmed by decoded strings extracted using FLOSS. Its presence suggests that the sample uses it to detect existing instances of itself, a basic anti-reentry mechanism.&nbsp;<\/p>\n\n\n\n<p>The sample also creates several mutexes and interacts with objects under the naming pattern:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Local\\RstrMgr[GUID]&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Local\\RstrMgr-[GUID]-Session0000&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>These mutexes are tied to the Windows Restart Manager API and match the behaviour seen in previous ransomware families (notably Conti and its derivatives), which use this mechanism to query which processes are holding handles to specific files.&nbsp;&nbsp;<\/p>\n\n\n\n<p>This facilitates forced encryption of locked resources, including user profile data like NTUSER.DAT.&nbsp;<\/p>\n\n\n\n<p>The reuse of fixed strings can serve as a strong <a href=\"https:\/\/any.run\/cybersecurity-blog\/iocs-iobs-ioas-explained\/\" target=\"_blank\" rel=\"noreferrer noopener\">indicator of compromise<\/a> (IOC) for future detection or correlation with other samples likely created using the same packer or builder. 
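<\/p>\n\n\n\n<p>One way to operationalize that, as an added example rather than code from the article or from any threat-intel platform: keep the hardcoded mutex as an exact-match indicator and the Local\\RstrMgr naming as a low-weight pattern, and let each indicator\u2019s score decay with a half-life so it stops firing on its own once it has gone stale. The mutex string and the RstrMgr naming come from the analysis above; the scores, half-lives, dates, the cut-off floor, the GUID in the observed list and the third \u201cnoise\u201d mutex are assumptions.<\/p>\n\n

```python
"""Mutex IOC matching with half-life confidence decay.

Added example, not code from the article or from any threat-intel
platform. The mutex hsfjuukjzloqu28oajh727190 and the Local\\RstrMgr naming
come from the analysis above; the scores, half-lives, dates, the cut-off
floor, the GUID in OBSERVED and the third "noise" mutex are assumptions.
"""
import re
from datetime import date

IOCS = [
    {"type": "exact", "value": "hsfjuukjzloqu28oajh727190",
     "note": "hardcoded mutex from the DEVMAN/DragonForce build",
     "first_seen": date(2025, 7, 1), "base_score": 90, "half_life_days": 60},
    {"type": "pattern",
     "value": r"^Local\\RstrMgr-\{?[0-9A-Fa-f-]{36}\}?-Session\d{4}$",
     "note": "Restart Manager session mutex (generic; installers create it too)",
     "first_seen": date(2025, 7, 1), "base_score": 30, "half_life_days": 365},
]


def _as_date(d):
    """Accept a date or an ISO-8601 string (convenience assumption)."""
    return date.fromisoformat(d) if isinstance(d, str) else d


def decayed_score(base, first_seen, now, half_life_days):
    """Exponential decay: the score halves every half_life_days after first_seen."""
    age_days = (_as_date(now) - _as_date(first_seen)).days
    if age_days <= 0:
        return float(base)
    return base * 0.5 ** (age_days / half_life_days)


def match_mutexes(observed, iocs, now, floor=15.0):
    """Return hits for observed mutex names against iocs, skipping indicators
    whose decayed score has fallen below floor (treated as expired)."""
    hits = []
    for ioc in iocs:
        score = decayed_score(ioc["base_score"], ioc["first_seen"], now,
                              ioc["half_life_days"])
        if score < floor:
            continue
        for name in observed:
            if ioc["type"] == "exact":
                matched = name == ioc["value"]
            else:
                matched = re.match(ioc["value"], name) is not None
            if matched:
                hits.append({"mutex": name, "note": ioc["note"],
                             "score": round(score, 1)})
    return hits


OBSERVED = [  # constructed list in the shape of the sandbox's mutex view
    "hsfjuukjzloqu28oajh727190",
    "Local\\RstrMgr-3E5FC7F9-9A51-4367-9063-A120244FBEC7-Session0000",
    "Local\\SM0:4120:304:WilStaging_02",   # unrelated system mutex, noise
]

if __name__ == "__main__":
    for when in ("2025-07-15", "2026-01-01"):
        print(when, match_mutexes(OBSERVED, IOCS, when))
```

\n\n<p>The scores are what you feed into a sandbox verdict or a SIEM rule; the cut-off keeps an aged indicator from raising alerts by itself while still letting it corroborate fresher ones. The RstrMgr pattern deliberately starts low: every legitimate Restart Manager user creates the same mutexes, so on its own it only says \u201csomething used the API\u201d.<\/p>\n\n\n\n<p>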
However, this is a volatile indicator that is likely to change over time.&nbsp;<\/p>\n\n\n\n<p>When possible, assign a \u201ctrust\u201d expiration date (or half-life) to indicators; it is a valuable practice for maintaining detection accuracy over time.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"990\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/07\/11-1024x990.png\" alt=\"\" class=\"wp-image-14541\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/07\/11-1024x990.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/07\/11-300x290.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/07\/11-768x743.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/07\/11-370x358.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/07\/11-270x261.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/07\/11-740x715.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/07\/11.png 1508w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Mutexes used by the sample<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<h2 class=\"wp-block-heading\">Final Observations&nbsp;<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">An Experimental Build with Unusual Behavior&nbsp;<\/h3>\n\n\n\n<p>This sample looks more like an affiliate testing a new build than something in active deployment that you\u2019d run into in a production environment. 
While not particularly sophisticated, it presents a number of unusual behaviors worth highlighting, particularly its tendency to encrypt its own ransom notes.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">A Critical Flaw in the Builder&nbsp;<\/h3>\n\n\n\n<p>While it\u2019s ironic that no one could, at least not easily, pay the ransom without knowing who to pay (because the ransom note gets encrypted), the underlying message here is more serious: there\u2019s a core design flaw in the builder that allows it to self-encrypt key components.&nbsp;&nbsp;<\/p>\n\n\n\n<p>That simple .txt file is often the only clue victims have to identify the threat actor and initiate negotiation; and for the threat actor, it\u2019s the best chance of getting paid.&nbsp;<\/p>\n\n\n\n<p>I spoke with DEVMAN, who stated &#8220;[&#8230;] we stopped using DragonForce months ago [&#8230;]&#8221;.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Threat Actor Communication&nbsp;<\/h3>\n\n\n\n<p>One noteworthy indicator of a threat actor\u2019s maturity is their ability to maintain polite, detailed, and respectful communication; a trait that also applies to DEVMAN. 
This attitude seems to echo in their technical approach, even in cases where their ransomware encrypts its own ransom notes.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">A Familiar Build Beneath the Surface&nbsp;<\/h3>\n\n\n\n<p>Now, if we strip this sample of its oddities, there&#8217;s not much to say about it on its own merits (no offense meant to the developers), or at least nothing that we haven&#8217;t covered in other articles about ransomware.&nbsp;&nbsp;<\/p>\n\n\n\n<p>Still, its oddities make it a valuable case study, not for technical innovation, but for the way it reflects shifting actor dynamics and common development pitfalls in the ransomware ecosystem.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Turning Oddities into Actionable Intelligence&nbsp;<\/h3>\n\n\n\n<p>Unusual samples like this DEVMAN variant can easily slip past traditional analysis workflows. With ransom notes encrypted, filenames scrambled, and behavior that differs between operating systems, manual investigation becomes time-consuming and important details are easy to overlook.&nbsp;<\/p>\n\n\n\n<p>This is where ANY.RUN\u2019s Interactive Sandbox proves invaluable. 
By logging every action in real time, from file system changes to mutex creation and registry modifications, it enables analysts to trace even fragmented or malfunctioning ransomware behavior.&nbsp;&nbsp;<\/p>\n\n\n\n<p>This kind of visibility gives security teams a real operational advantage:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Faster detection and response: <\/strong>Immediate insight into threat behavior, even in offline or misconfigured attacks.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Clearer attribution: <\/strong>Links to reused infrastructure, code similarities, and TTP patterns are surfaced early.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>More efficient investigation workflows: <\/strong>Analysts can extract IOCs, map persistence mechanisms, and understand impact without switching tools.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Better collaboration across teams: <\/strong>Findings can be shared easily with SOCs, threat intel units, and communications teams, ensuring faster alignment during incidents.&nbsp;<\/li>\n<\/ul>\n\n\n\n<p><a href=\"https:\/\/any.run\/demo\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=devman_analysis&amp;utm_term=010725&amp;utm_content=linktodemo\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>Start 14-day trial of ANY.RUN\u2019s Interactive Sandbox in your SOC today<\/strong><\/a><strong><\/strong>&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">MITRE ATT&amp;CK Mapping&nbsp;<\/h2>\n\n\n\n<p>Let&#8217;s jump to drafting a quick <a href=\"https:\/\/any.run\/cybersecurity-blog\/malware-ttps-explained\/\" target=\"_blank\" rel=\"noreferrer noopener\">ATT&amp;CK matrix<\/a> for this sample, which ANYRUN does automatically for us:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>T1204.002 \u2013 User Execution: Malicious File&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>The executable requires user (or threat actor) 
interaction to launch.&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>T1053.005 \u2013 Scheduled Task\/Job: Scheduled Task&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>Presence of scheduling-related strings implies possible persistence via tasking.&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>T1027 \u2013 Obfuscated Files or Information&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>Internal file renaming and readme scrambling suggest static obfuscation logic.&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>T1070 \u2013 Indicator Removal on Host&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>The sample deletes registry keys and values shortly after writing them.&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>T1135 \u2013 Network Share Discovery&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>Explicit scanning for SMB shares (ADMIN$, IP ranges like 192.x, 172.x).&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>T1021.002 \u2013 SMB\/Windows Admin Shares&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>Uses netapi32, srvcli, and netutils to interact with administrative shares.&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>T1005 \u2013 Data from Local System&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>Enumerates and encrypts user data including NTUSER.DAT and log files.&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>T1486 \u2013 Data Encrypted for Impact&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>Core functionality: encrypting files with .DEVMAN extension.&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>T1490 \u2013 Inhibit System Recovery&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>Attempts to interact with volume shadow copies.&nbsp;<\/p>\n\n\n\n<h2 
class=\"wp-block-heading\">IOCs&nbsp;<\/h2>\n\n\n\n<p>MD5: e84270afa3030b48dc9e0c53a35c65aa&nbsp;<\/p>\n\n\n\n<p>SHA256: df5ab9015833023a03f92a797e20196672c1d6525501a9f9a94a45b0904c7403&nbsp;<\/p>\n\n\n\n<p>FileName: hsfjuukjzloqu28oajh727190&nbsp;<\/p>\n\n\n\n<p>FileName: e47qfsnz2trbkhnt.devman&nbsp;<\/p>\n\n\n\n<p>SHA256: 018494565257ef2b6a4e68f1c3e7573b87fc53bd5828c9c5127f31d37ea964f8&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">References&nbsp;<\/h2>\n\n\n\n<p>Analysis: <a href=\"https:\/\/app.any.run\/tasks\/64918027-01e6-415a-85b3-474fca5fc5c4\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=devman_analysis&amp;utm_term=010725&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/app.any.run\/tasks\/64918027-01e6-415a-85b3-474fca5fc5c4<\/a>&nbsp;<\/p>\n\n\n\n<p>VirusTotal Analysis (multiple labeling\/attribution): <a href=\"https:\/\/www.virustotal.com\/gui\/file\/df5ab9015833023a03f92a797e20196672c1d6525501a9f9a94a45b0904c7403\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">https:\/\/www.virustotal.com\/gui\/file\/df5ab9015833023a03f92a797e20196672c1d6525501a9f9a94a45b0904c7403<\/a>&nbsp;<\/p>\n\n\n\n<p>Original Intel Pulse (OTX): <a href=\"https:\/\/otx.alienvault.com\/pulse\/68535853fe15cff17229577d\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">https:\/\/otx.alienvault.com\/pulse\/68535853fe15cff17229577d<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Editor\u2019s note: The current article is authored by Mauro Eldritch, offensive security expert and threat intelligence analyst. You can find Mauro on X.&nbsp; New ransomware strains continue to surface frequently, and many of them are loosely built on or repackaged from existing families. 
One such case involves a sample resembling DragonForce ransomware, yet bearing several [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":14536,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[8],"tags":[57,10,34],"class_list":["post-14522","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-malware-analysis","tag-anyrun","tag-cybersecurity","tag-malware-analysis"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v20.10 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>DEVMAN Ransomware: Analysis of New DragonForce Variant\u00a0 - ANY.RUN&#039;s Cybersecurity Blog<\/title>\n<meta name=\"description\" content=\"Read a full technical breakdown of a new ransomware variant of the DragonForce RaaS operated by the Devman threat actor.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/any.run\/cybersecurity-blog\/devman-ransomware-analysis\/\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Mauro Eldritch\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"12 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/devman-ransomware-analysis\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/devman-ransomware-analysis\/\"},\"author\":{\"name\":\"Mauro Eldritch\",\"@id\":\"https:\/\/any.run\/\"},\"headline\":\"DEVMAN Ransomware: Analysis of New DragonForce Variant\u00a0\",\"datePublished\":\"2025-07-01T09:47:55+00:00\",\"dateModified\":\"2025-07-08T10:31:10+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/devman-ransomware-analysis\/\"},\"wordCount\":2348,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/any.run\/\"},\"keywords\":[\"ANYRUN\",\"cybersecurity\",\"malware analysis\"],\"articleSection\":[\"Malware Analysis\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/any.run\/cybersecurity-blog\/devman-ransomware-analysis\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/devman-ransomware-analysis\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/devman-ransomware-analysis\/\",\"name\":\"DEVMAN Ransomware: Analysis of New DragonForce Variant\u00a0 - ANY.RUN&#039;s Cybersecurity Blog\",\"isPartOf\":{\"@id\":\"https:\/\/any.run\/\"},\"datePublished\":\"2025-07-01T09:47:55+00:00\",\"dateModified\":\"2025-07-08T10:31:10+00:00\",\"description\":\"Read a full technical breakdown of a new ransomware variant of the DragonForce RaaS operated by the Devman threat 
actor.\",\"breadcrumb\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/devman-ransomware-analysis\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/any.run\/cybersecurity-blog\/devman-ransomware-analysis\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/devman-ransomware-analysis\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/any.run\/cybersecurity-blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Malware Analysis\",\"item\":\"https:\/\/any.run\/cybersecurity-blog\/category\/malware-analysis\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"DEVMAN Ransomware: Analysis of New DragonForce Variant\u00a0\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN&#039;s Cybersecurity Blog\",\"description\":\"Cybersecurity Blog covers topics for experienced professionals as well as for those new to it.\",\"publisher\":{\"@id\":\"https:\/\/any.run\/\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/any.run\/?s={search_term_string}\"},\"query-input\":\"required 
name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN\",\"url\":\"https:\/\/any.run\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\"contentUrl\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\"width\":1,\"height\":1,\"caption\":\"ANY.RUN\"},\"image\":{\"@id\":\"https:\/\/any.run\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/www.any.run\/\",\"https:\/\/twitter.com\/anyrun_app\",\"https:\/\/www.linkedin.com\/company\/30692044\",\"https:\/\/www.youtube.com\/channel\/UCOgCPho7lzmH7m6fPNlukrQ\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/any.run\/\",\"name\":\"Mauro Eldritch\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/01\/Mauro-copy.jpeg\",\"contentUrl\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/01\/Mauro-copy.jpeg\",\"caption\":\"Mauro Eldritch\"},\"description\":\"Mauro Eldritch is an Argentinian-Uruguayan hacker, founder of BCA LTD and DC5411 (Argentina \/ Uruguay). He has spoken at various events, including DEF CON (12 times). He is passionate about Threat Intelligence and Biohacking.\u00a0He currently leads Bitso\u2019s Quetzal Team, the first in Latin America dedicated to Web3 Threat Research. Follow Mauro on: X LinkedIn GitHub\",\"url\":\"#molongui-disabled-link\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"title":"DEVMAN Ransomware: Analysis of New DragonForce Variant\u00a0 - ANY.RUN&#039;s Cybersecurity Blog","description":"Read a full technical breakdown of a new ransomware variant of the DragonForce RaaS operated by the Devman threat actor.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/any.run\/cybersecurity-blog\/devman-ransomware-analysis\/","twitter_misc":{"Written by":"Mauro Eldritch","Est. reading time":"12 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/any.run\/cybersecurity-blog\/devman-ransomware-analysis\/#article","isPartOf":{"@id":"https:\/\/any.run\/cybersecurity-blog\/devman-ransomware-analysis\/"},"author":{"name":"Mauro Eldritch","@id":"https:\/\/any.run\/"},"headline":"DEVMAN Ransomware: Analysis of New DragonForce Variant\u00a0","datePublished":"2025-07-01T09:47:55+00:00","dateModified":"2025-07-08T10:31:10+00:00","mainEntityOfPage":{"@id":"https:\/\/any.run\/cybersecurity-blog\/devman-ransomware-analysis\/"},"wordCount":2348,"commentCount":0,"publisher":{"@id":"https:\/\/any.run\/"},"keywords":["ANYRUN","cybersecurity","malware analysis"],"articleSection":["Malware Analysis"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/any.run\/cybersecurity-blog\/devman-ransomware-analysis\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/any.run\/cybersecurity-blog\/devman-ransomware-analysis\/","url":"https:\/\/any.run\/cybersecurity-blog\/devman-ransomware-analysis\/","name":"DEVMAN Ransomware: Analysis of New DragonForce Variant\u00a0 - ANY.RUN&#039;s Cybersecurity Blog","isPartOf":{"@id":"https:\/\/any.run\/"},"datePublished":"2025-07-01T09:47:55+00:00","dateModified":"2025-07-08T10:31:10+00:00","description":"Read a full technical breakdown of a new ransomware variant of the 
DragonForce RaaS operated by the Devman threat actor.","breadcrumb":{"@id":"https:\/\/any.run\/cybersecurity-blog\/devman-ransomware-analysis\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/any.run\/cybersecurity-blog\/devman-ransomware-analysis\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/any.run\/cybersecurity-blog\/devman-ransomware-analysis\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/any.run\/cybersecurity-blog\/"},{"@type":"ListItem","position":2,"name":"Malware Analysis","item":"https:\/\/any.run\/cybersecurity-blog\/category\/malware-analysis\/"},{"@type":"ListItem","position":3,"name":"DEVMAN Ransomware: Analysis of New DragonForce Variant\u00a0"}]},{"@type":"WebSite","@id":"https:\/\/any.run\/","url":"https:\/\/any.run\/","name":"ANY.RUN&#039;s Cybersecurity Blog","description":"Cybersecurity Blog covers topics for experienced professionals as well as for those new to it.","publisher":{"@id":"https:\/\/any.run\/"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/any.run\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/any.run\/","name":"ANY.RUN","url":"https:\/\/any.run\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/any.run\/","url":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg","contentUrl":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg","width":1,"height":1,"caption":"ANY.RUN"},"image":{"@id":"https:\/\/any.run\/"},"sameAs":["https:\/\/www.facebook.com\/www.any.run\/","https:\/\/twitter.com\/anyrun_app","https:\/\/www.linkedin.com\/company\/30692044","https:\/\/www.youtube.com\/channel\/UCOgCPho7lzmH7m6fPNlukrQ"]},{"@type":"Person","@id":"https:\/\/any.run\/","name":"Mauro 
Eldritch","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/any.run\/","url":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/01\/Mauro-copy.jpeg","contentUrl":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/01\/Mauro-copy.jpeg","caption":"Mauro Eldritch"},"description":"Mauro Eldritch is an Argentinian-Uruguayan hacker, founder of BCA LTD and DC5411 (Argentina \/ Uruguay). He has spoken at various events, including DEF CON (12 times). He is passionate about Threat Intelligence and Biohacking.\u00a0He currently leads Bitso\u2019s Quetzal Team, the first in Latin America dedicated to Web3 Threat Research. Follow Mauro on: X LinkedIn GitHub","url":"#molongui-disabled-link"}]}},"_links":{"self":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/14522"}],"collection":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/comments?post=14522"}],"version-history":[{"count":19,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/14522\/revisions"}],"predecessor-version":[{"id":14615,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/14522\/revisions\/14615"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/media\/14536"}],"wp:attachment":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/media?parent=14522"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/categories?post=14522"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/tags?post=14522"}],"curies":[{"name":"w
p","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}