A sophisticated new ransomware variant identified as DEVMAN has emerged from the DragonForce ransomware-as-a-service ecosystem, targeting both Windows 10 and Windows 11 systems with notable behavioral differences between operating system versions. The DEVMAN ransomware operates as a lightly customized DragonForce variant, using the distinctive .DEVMAN file extension for encrypted data while retaining core infrastructure elements from its parent family. This hybrid malware represents a concerning evolution in the ransomware landscape, combining the established DragonForce codebase with unique modifications that create distinct operational signatures.

Any.Run researchers identified the malware through comprehensive sandbox analysis, revealing its complex inheritance from the Conti ransomware framework that forms DragonForce's foundation. The malware demonstrates sophisticated targeting capabilities, with over 40 claimed victims primarily concentrated in Asia and Africa, though incidents have been reported across Latin America and Europe.

The malware's attack methodology involves rapid file encryption with three distinct modes: full encryption for comprehensive data corruption, header-only encryption for speed optimization, and custom encryption for targeted scenarios. The analysis uncovered a critical design flaw where the ransomware encrypts its own ransom notes, effectively sabotaging its own payment mechanism. This behavior, combined with deterministic file renaming patterns, suggests the involvement of an immature builder or development process that hasn't been thoroughly tested in production environments. Network analysis reveals minimal command-and-control communication, with most malicious activity occurring offline except for SMB reconnaissance attempts targeting administrative shares within local network ranges.

The DEVMAN ransomware employs sophisticated persistence tactics through exploitation of the Windows Restart Manager API, creating temporary registry sessions under the key path HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000. This technique allows the malware to bypass file locks and gain access, for encryption, to files held open by the active user session, including critical system components like NTUSER.DAT and associated log files. Registry entries are systematically created and deleted within milliseconds, likely in an attempt to minimize forensic traces while maintaining the system access needed for encryption operations. This evasion strategy proves particularly effective against traditional security solutions that may not monitor rapid registry modifications or correlate them with file system changes occurring simultaneously across multiple system locations.

The DEVMAN ransomware represents a concerning development in the ransomware ecosystem, demonstrating how established criminal infrastructure enables rapid variant creation. While its current implementation contains critical flaws that limit operational effectiveness, the underlying technical sophistication suggests continued evolution toward more refined deployment capabilities targeting enterprise environments across multiple Windows platforms.
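The article's point about detection is that the Restart Manager session keys are too short-lived to be caught by tools that look at registry events in isolation, and that they only become meaningful when correlated with the file renames happening at the same time. The following Python snippet is an added example illustrating that correlation as a defender would write it; it is not code from the Any.Run analysis or from the article's authors. The log line format, the field names, the 500 ms and 5 s thresholds and every sample event are constructed for this example and do not correspond to a real Sysmon or EDR schema or to real telemetry.

```python
"""Added detection example (not from the Any.Run analysis or the article):
correlate two behaviours the write-up attributes to DEVMAN, (1) a Restart
Manager session key under HKCU\\Software\\Microsoft\\RestartManager\\Session####
created and deleted within milliseconds and (2) file renames to the .DEVMAN
extension, when both come from the same process within a short window.
Log format, field names, thresholds and sample events are all constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta
import re

# Restart Manager numbers its session keys Session0000, Session0001, ...
RM_SESSION_RE = re.compile(
    r"^HKCU\\Software\\Microsoft\\RestartManager\\Session\d{4}$", re.IGNORECASE)
DEVMAN_EXT = ".devman"


@dataclass
class Event:
    ts: datetime   # event time
    kind: str      # "RegKeyCreate", "RegKeyDelete" or "FileRename"
    pid: int       # process that performed the action
    target: str    # registry key path, or destination path of a rename


def parse_line(line: str) -> Event:
    """Parse one constructed log line: '<ISO timestamp>|<kind>|<pid>|<target>'."""
    ts, kind, pid, target = line.strip().split("|", 3)
    return Event(datetime.fromisoformat(ts), kind, int(pid), target)


def short_lived_rm_sessions(events, max_lifetime_ms=500):
    """Return (pid, key, created_at, lifetime_ms) for Restart Manager session
    keys that the same process created and then deleted within max_lifetime_ms."""
    open_keys = {}   # (pid, lower-cased key path) -> creation time
    found = []
    for ev in sorted(events, key=lambda e: e.ts):
        if not RM_SESSION_RE.match(ev.target):
            continue
        k = (ev.pid, ev.target.lower())
        if ev.kind == "RegKeyCreate":
            open_keys[k] = ev.ts
        elif ev.kind == "RegKeyDelete" and k in open_keys:
            created = open_keys.pop(k)
            lifetime_ms = (ev.ts - created) / timedelta(milliseconds=1)
            if lifetime_ms <= max_lifetime_ms:
                found.append((ev.pid, ev.target, created, lifetime_ms))
    return found


def correlate(events, window_s=5.0):
    """Flag processes that show a short-lived Restart Manager session and at
    least one .DEVMAN rename within window_s seconds of the key's creation."""
    window = timedelta(seconds=window_s)
    renames = [ev for ev in events
               if ev.kind == "FileRename" and ev.target.lower().endswith(DEVMAN_EXT)]
    hits = []
    for pid, key, created, lifetime_ms in short_lived_rm_sessions(events):
        nearby = [r.target for r in renames
                  if r.pid == pid and abs(r.ts - created) <= window]
        if nearby:
            hits.append({"pid": pid, "session_key": key,
                         "session_lifetime_ms": lifetime_ms, "devman_files": nearby})
    return hits


# Constructed sample telemetry: PID 4120 mimics the described behaviour; PID 2200
# is a benign installer whose Restart Manager session lives for 45 seconds and
# which renames a file without the .DEVMAN extension (must not be flagged).
SAMPLE_LOG = [
    "2025-07-02T09:45:16.000|RegKeyCreate|4120|HKCU\\Software\\Microsoft\\RestartManager\\Session0000",
    "2025-07-02T09:45:16.004|RegKeyDelete|4120|HKCU\\Software\\Microsoft\\RestartManager\\Session0000",
    "2025-07-02T09:45:16.300|FileRename|4120|C:\\Users\\alice\\Documents\\report.docx.DEVMAN",
    "2025-07-02T09:45:17.100|FileRename|4120|C:\\Users\\alice\\NTUSER.DAT.DEVMAN",
    "2025-07-02T09:50:00.000|RegKeyCreate|2200|HKCU\\Software\\Microsoft\\RestartManager\\Session0001",
    "2025-07-02T09:50:45.000|RegKeyDelete|2200|HKCU\\Software\\Microsoft\\RestartManager\\Session0001",
    "2025-07-02T09:51:00.000|FileRename|2200|C:\\Users\\alice\\Desktop\\notes.txt",
]


def load_sample_events():
    return [parse_line(line) for line in SAMPLE_LOG]


if __name__ == "__main__":
    for hit in correlate(load_sample_events()):
        print(f"pid {hit['pid']}: {hit['session_key']} lived "
              f"{hit['session_lifetime_ms']:.1f} ms, "
              f"{len(hit['devman_files'])} .DEVMAN rename(s) nearby")
```

The benign installer in the sample is the reason for the two-part rule: legitimate software creates the same RestartManager session keys when it needs files closed before an update, so the key alone is not a signal. The short lifetime plus the extension-specific renames from the same process is what separates the described ransomware behaviour from normal Restart Manager use; in production the thresholds would be tuned against the organisation's own telemetry.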
This Cyber News was published on cybersecuritynews.com. Publication date: Wed, 02 Jul 2025 09:45:16 +0000