APT / THREAT GROUP | 💰 FINANCIAL | HIGH

DEVMAN

2 aliases
Last seen: Mar 17, 2026

Intelligence Profile

DEVMAN is ransomware that shares a large part of its codebase with DragonForce ransomware. It is highly probable that the group used a DragonForce ransomware build and simply changed the extension added to the encrypted files (from .dragonforce_encrypted to .devman). In one of the first observed samples, the ransom note still claimed to be part of the DragonForce Ransomware Cartel.

The ransomware implements common features such as deleting shadow copies and skipping files whose extensions appear in a hard-coded list. It also implements multiple encryption modes:

- Full encryption

- Header-only encryption

- Custom encryption

These modes allow the operator to choose between a quick or a strong encryption depending on the scenario. The ransomware also tries to connect to SMB folders.

DEVMAN ransomware creates a temporary session under the following registry key: `HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000`. It uses the Restart Manager to bypass file locks so that files held open by active user sessions can be encrypted. This capability seems to be a legacy of Conti ransomware, which inspired DragonForce and DEVMAN. As part of this legacy, the ransomware uses a hard-coded mutex to prevent multiple instances from running in parallel.
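The following triage sketch is an added example, not code from this profile or its sources. It correlates the two indicators named above (the Restart Manager session key and the `.devman` / `.dragonforce_encrypted` extensions) per process, because the session key alone is also created by legitimate installers. The event schema, hosts, paths and the `min_files` threshold are constructed assumptions.

```python
import re
from collections import defaultdict

# Indicators named in the profile above: the Restart Manager session key and
# the two file extensions. HKCU usually appears as HKU\<SID> in telemetry, so
# the pattern matches on the key suffix only.
RM_KEY = re.compile(r"\\Software\\Microsoft\\RestartManager\\Session\d{4}", re.I)
RANSOM_EXTS = (".devman", ".dragonforce_encrypted")

def triage(events, min_files=3):
    """Group events by process and grade each process that hit an indicator."""
    seen = defaultdict(lambda: {"rm_keys": set(), "files": set()})
    for host, pid, image, kind, target in events:
        proc = (host, pid, image)
        if kind == "registry_create" and RM_KEY.search(target):
            seen[proc]["rm_keys"].add(target)
        elif kind == "file_create" and target.lower().endswith(RANSOM_EXTS):
            seen[proc]["files"].add(target)
    verdicts = {}
    for proc, hits in seen.items():
        if hits["rm_keys"] and len(hits["files"]) >= min_files:
            verdicts[proc] = "high"    # session key plus mass rename, same process
        elif hits["files"]:
            verdicts[proc] = "medium"  # ransom extension seen, correlation incomplete
        else:
            verdicts[proc] = "low"     # session key alone: installers create it too
    return verdicts

# Constructed sample events (hypothetical schema: host, pid, image, kind, target).
KEY = r"HKU\S-1-5-21-0\Software\Microsoft\RestartManager\Session0000"
MAL = ("ws01", 4120, r"C:\Users\a\AppData\Local\Temp\u.exe")
MSI = ("ws02", 880, r"C:\Windows\System32\msiexec.exe")
SAMPLE_EVENTS = [
    (*MAL, "registry_create", KEY),
    (*MAL, "file_create", r"C:\Users\a\Documents\q1.xlsx.devman"),
    (*MAL, "file_create", r"C:\Users\a\Documents\q2.xlsx.devman"),
    (*MAL, "file_create", r"C:\Users\a\Desktop\notes.txt.DEVMAN"),
    (*MSI, "registry_create", KEY),
    ("ws03", 77, r"C:\tools\copy.exe", "file_create", r"D:\old.docx.dragonforce_encrypted"),
]

if __name__ == "__main__":
    for proc, verdict in triage(SAMPLE_EVENTS).items():
        print(verdict, proc)
```
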

Threat Analysis

DEVMAN is a high-sophistication threat actor of undetermined national origin, engaged in cyber operations with a primarily financial motivation.

Financially motivated threat actors like DEVMAN prioritize monetary gain through methods such as ransomware deployment, banking trojans, cryptocurrency theft, BEC scams, or credential harvesting for resale on underground markets.

With high sophistication, DEVMAN is capable of targeted intrusions using adapted commodity tools alongside custom implants, maintaining operational security and evading standard detection mechanisms.

Quick Facts

Type: APT / Threat Group
Motivation: 💰 financial
Sophistication: high
Aliases: 2

Also Known As

DEVMAN, win.devman

External Intelligence

Malpedia: win.devman

Data sourced from Malpedia, Ransomware.live, RansomLook, and CTIWATCH OSINT collection. Actor attribution is based on available intelligence and may be incomplete.