{
	"id": "20ffc7e0-ca82-45bb-922b-41dbac7f1cd0",
	"created_at": "2026-04-06T00:06:12.318342Z",
	"updated_at": "2026-04-10T03:26:36.645635Z",
	"deleted_at": null,
	"sha1_hash": "2e74b32e7bb6718afa38566937336bc5bc1c6c50",
	"title": "DEVMAN Ransomware: Analysis of New DragonForce Variant  - ANY.RUN's Cybersecurity Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 440537,
	"plain_text": "DEVMAN Ransomware: Analysis of New DragonForce Variant - ANY.RUN's Cybersecurity Blog\r\nBy Mauro Eldritch\r\nArchived: 2026-04-05 16:34:07 UTC\r\nEditor’s note: The current article is authored by Mauro Eldritch, offensive security expert and threat intelligence analyst. You can find Mauro on X.\r\nNew ransomware strains continue to surface frequently, and many of them are loosely built on or repackaged from existing families. One such case involves a sample resembling DragonForce ransomware, yet bearing several unique traits and identifiers suggesting the involvement of a separate entity known as DEVMAN.\r\nA previously analyzed campaign connected to the Mamona strain, itself linked to BlackLock affiliates and the Embargo group, also intersected with DragonForce activity. DragonForce published BlackLock’s .env file, not just any target. This is the first case where we saw two gangs actively and publicly attacking each other.\r\nThis newer sample, uploaded by TheRavenFile, appears related but not entirely identical to the DragonForce lineage. Despite being labeled as a DragonForce or Conti variant by most AV engines, the sample displays unique behaviors that point toward DEVMAN involvement.\r\nOur DragonForce/Conti sample on VT, but don’t be fooled by appearances\r\nDEVMAN: Key Takeaways\r\nhttps://any.run/cybersecurity-blog/devman-ransomware-analysis/\r\nPage 1 of 14\n\nDEVMAN reuses DragonForce code but adds its own twists: The .DEVMAN extension and unique strings sit on top of a mostly DragonForce codebase.\r\nAttribution is muddy: The sample does not contain any leak-site links to DEVMAN, while the ransom note is strictly a copy of the DragonForce one.\r\nDragonForce’s RaaS model allows affiliates to create spinoff variants: That’s likely how samples like DEVMAN emerged; built on DragonForce code, but customized and repackaged.
\r\nRansom notes encrypt themselves: This happens likely due to a builder flaw.\r\nMost malicious activity takes place offline, aside from SMB probing: No external C2 communication was observed during analysis.\r\nThree encryption modes are built in: full, header-only, and custom.\r\nBehavior varies by OS: Wallpaper change fails on Windows 11 but works on Windows 10.\r\nDragons as a Service\r\nSome time ago, DragonForce introduced their RaaS (Ransomware-as-a-Service) model, aiming to recruit both affiliates to operate their ransomware and others who wanted to use their infrastructure, branding, and reputation as a platform to publish stolen data.\r\nThis shift brought new actors into the landscape, increasing overall activity, noise, and irregularities, including the sample analyzed here. Depending on the analyst or tool, it may be labeled as DragonForce, Conti (the base framework for DragonForce), or DEVMAN.\r\nDEVMAN? A relatively new actor has recently emerged under this name, featuring its own Dedicated Leak Site (DLS) called Devman’s Place, a separate infrastructure, and nearly 40 claimed victims, primarily in Asia and Africa, with occasional incidents in Latin America and Europe.\r\nA Hybrid Ransomware Sample\r\nLet’s analyze the sample inside ANY.RUN’s secure interactive sandbox:\r\nView analysis session\r\nThis sample, flagged by most antivirus engines as DragonForce (or Conti), is actually modified to behave like a new variant belonging to DEVMAN. It uses that name as the file extension for encrypted data but otherwise shares a large part of its codebase with DragonForce, including leftover strings and identifiers. That strongly suggests DEVMAN may be using a DragonForce build for some of its operations.
\r\nEncrypted file with the .DEVMAN extension\r\nThis appears to be a lightly customized version; one that hasn’t attracted much attention, either from the threat intelligence community or from its own operator. The result is a tangled ransomware crossbreed with overlapping traits.\r\nAutomatic detection labels the sample as “DragonForce”\r\nA closer look reveals more.\r\nInitial Behavior and Detection\r\nFirst things first — our newborn dragon does what dragons do: it burns down the village. Files are encrypted rapidly and automatically, and the sample also attempts to locate SMB shared folders to spread further — but in our lab environment, it wasn’t that lucky.\r\nTwo things caught our attention immediately. First, on Windows 11, the sample was unable to change the wallpaper for unknown reasons, while on Windows 10 it worked flawlessly.\r\nSecond, although desktop files are the most visible, they are not the last to be encrypted. The process continues beyond them.\r\nSMB traffic attempting to laterally spread the infection\r\nRansom Note Issues and Deterministic Renaming\r\nThe ransom notes were not dropped as expected. Instead, every location where a note should have appeared contained, quite mysteriously, a file with a scrambled name and the .DEVMAN extension, suggesting the sample might be malfunctioning and targeting its own files.\r\nFortunately, ANY.RUN logs all activity, not just network traffic but disk writes as well, allowing us to reconstruct one of those files right at the moment it was created. And, interestingly enough, the ransom note isn’t just similar to the ones used by DragonForce. It is, in fact, a DragonForce ransom note.
\r\nA DragonForce ransom note\r\nWhen retrieving the list of created and modified files, we noticed an interesting pattern: the sample scrambles file names instead of simply appending an extension.\r\nAnd here’s the most curious part: its own readme.txt files, once encrypted, are always renamed to e47qfsnz2trbkhnt.devman. This strongly suggests the use of a deterministic function that produces static outputs for identical inputs.\r\nEncrypted ransom notes, all sharing the same name\r\nOffline Behavior and Local Footprint\r\nSo, let’s focus on those local oddities, and a good place to start is the binary itself.\r\nAside from the aforementioned SMB connections, no suspicious network dialogue was observed, suggesting that all malicious activity takes place locally and offline.\r\nUsing FLOSS, a tool by Mandiant, we can decode and extract additional strings to better understand the sample’s internal logic prior to disassembly.\r\nThe first thing we notice is that the sample checks for Shadow Copies (probably just to make sure we’ve got a solid backup policy in place) and lists a series of file extensions that it deliberately avoids encrypting.\r\nDecoded strings obtained via FLOSS\r\nEncryption Modes and File Targeting\r\nFurther analysis reveals multiple encryption modes: full encryption, header-only encryption, and custom encryption, designed to prioritize either speed or complexity, depending on the intended scenario.\r\nHeader-only encryption, in particular, allows the malware to corrupt large volumes of data in less time, trading completeness for speed.
\r\nAt least 3 different encryption modes are available\r\nSMB Spread and Local Targeting\r\nFurther exploration reveals a bit more detail about the sample’s attempts to connect to SMB folders, explicitly referencing local network octets and hardcoding the ADMIN$ share name, along with several error and debug messages.\r\nOctets belonging to local addresses and a direct mention of the ADMIN$ share\r\nPersistence and File Lock Evasion via Restart Manager\r\nAnother interesting behaviour that further supports the Conti lineage of this sample is its interaction with the Windows Restart Manager. The malware creates temporary sessions under the registry key:\r\nHKEY_CURRENT_USER\\Software\\Microsoft\\RestartManager\\Session0000\r\nThere, it logs metadata such as Owner, SessionHash, RegFiles0000, and RegFilesHash, pointing to system-critical files like NTUSER.DAT and its corresponding logs.\r\nEach of these entries is quickly deleted after being written, likely an attempt to avoid leaving persistent forensic traces. This pattern mirrors behaviour seen in Conti and later carried on by DragonForce, which now appears to be inherited by DEVMAN (what a Zoo!).\r\nThe goal seems clear: use the Restart Manager to bypass file locks and ensure the files of the active user session can be encrypted. It’s noisy, and somewhat old, but it works.
\r\nRegkeys altered by the sample\r\nMutex Usage and Sample Coordination\r\nAnother notable behavior involves the use of synchronization primitives, particularly mutexes, to coordinate the sample’s execution and possibly prevent multiple instances from running in parallel. This is standard among ransomware families derived from Conti, and this case is no exception.\r\nRight from the beginning, the sample creates a mutex named: hsfjuukjzloqu28oajh727190\r\nThis mutex is not randomly generated; it is hardcoded into the binary, as confirmed by decoded strings extracted using FLOSS. Its presence suggests that the sample uses it to detect existing instances of itself, a basic anti-reentry mechanism.\r\nThe sample also creates several mutexes and interacts with objects under the naming pattern:\r\nLocal\\RstrMgr[GUID]\r\nLocal\\RstrMgr-[GUID]-Session0000\r\nThese mutexes are tied to the Windows Restart Manager API and match the behaviour seen in previous ransomware families (notably Conti and its derivatives), which use this mechanism to query which processes are holding handles to specific files.\r\nThis facilitates forced encryption of locked resources, including user profile data like NTUSER.DAT.\r\nThe reuse of fixed strings can serve as a strong indicator of compromise (IOC) for future detection or correlation with other samples likely created using the same packer or builder. However, this is a volatile indicator that is likely to change over time.
\r\nWhen possible, assign a “trust” expiration date (or half-life) to indicators; it can be a valuable practice for maintaining detection accuracy over time.\r\nMutexes used by the sample\r\nFinal Observations\r\nAn Experimental Build with Unusual Behavior\r\nThis sample looks more like an affiliate testing a new build than something currently being deployed that you’d casually run into in a production environment. While not particularly sophisticated, it presents a number of unusual behaviors worth highlighting, particularly its tendency to encrypt its own ransom notes.\r\nA Critical Flaw in the Builder\r\nWhile it’s ironic that no one could, at least not easily, pay the ransom without knowing who to pay (because the ransom note gets encrypted), the underlying message here is more serious: there’s a core design flaw in the builder that allows it to self-encrypt key components.\r\nThat simple .txt file is often the only clue victims have to identify the threat actor and initiate negotiation; and for the threat actor, it’s the best chance of getting paid.\r\nI spoke with DEVMAN, who stated “[…] we stopped using DragonForce months ago […]”.\r\nThreat Actor Communication\r\nOne noteworthy indicator of a threat actor’s maturity is their ability to maintain polite, detailed, and respectful communication; a trait that also applies to DEVMAN. This attitude seems to echo in their technical approach, even in cases where their ransomware encrypts its own ransom notes.\r\nA Familiar Build Beneath the Surface\r\nNow, if we strip this sample of its oddities, there’s not much to talk about on its own merits (no offense meant to the developers), or at least nothing to say that we haven’t covered in other articles about ransomware.
\r\nStill, its oddities make it a valuable case study, not for technical innovation, but for the way it reflects shifting actor dynamics and common development pitfalls in the ransomware ecosystem.\r\nTurning Oddities into Actionable Intelligence\r\nUnusual samples like this DEVMAN variant can easily slip past traditional analysis workflows. With ransom notes encrypted, scrambled filenames, and unexpected behavior across operating systems, manual investigation becomes time-consuming and important details are easy to overlook.\r\nThis is where ANY.RUN’s Interactive Sandbox proves invaluable. By logging every action in real time, from file system changes to mutex creation and registry modifications, it enables analysts to trace even fragmented or malfunctioning ransomware behavior.\r\nThis kind of visibility gives security teams a real operational advantage:\r\nFaster detection and response: Immediate insight into threat behavior, even in offline or misconfigured attacks.\r\nClearer attribution: Links to reused infrastructure, code similarities, and TTP patterns are surfaced early.\r\nMore efficient investigation workflows: Analysts can extract IOCs, map persistence mechanisms, and understand impact without switching tools.\r\nBetter collaboration across teams: Findings can be shared easily with SOCs, threat intel units, and communications teams, ensuring faster alignment during incidents.\r\nMITRE ATT\u0026CK Mapping\r\nLet’s jump to drafting a quick ATT\u0026CK matrix for this sample, which ANY.RUN does automatically for us:\r\nT1204.002 – User Execution: Malicious File\r\nThe executable requires user (or threat actor) interaction to launch.\r\nT1053.005 – Scheduled Task/Job: Scheduled Task\r\nPresence of scheduling-related strings implies possible persistence via tasking.
\r\nT1027 – Obfuscated Files or Information\r\nInternal file renaming and readme scrambling suggest static obfuscation logic.\r\nT1070 – Indicator Removal on Host\r\nThe sample deletes registry keys and values shortly after writing them.\r\nT1135 – Network Share Discovery\r\nExplicit scanning for SMB shares (ADMIN$, IP ranges like 192.x, 172.x).\r\nT1021.002 – SMB/Windows Admin Shares\r\nUses netapi32, srvcli, and netutils to interact with administrative shares.\r\nT1005 – Data from Local System\r\nEnumerates and encrypts user data including NTUSER.DAT and log files.\r\nT1486 – Data Encrypted for Impact\r\nCore functionality: encrypting files with the .DEVMAN extension.\r\nT1490 – Inhibit System Recovery\r\nAttempts to interact with volume shadow copies.\r\nIOCs\r\nMD5: e84270afa3030b48dc9e0c53a35c65aa\r\nSHA256: df5ab9015833023a03f92a797e20196672c1d6525501a9f9a94a45b0904c7403\r\nFileName: hsfjuukjzloqu28oajh727190\r\nFileName: e47qfsnz2trbkhnt.devman\r\nSHA256: 018494565257ef2b6a4e68f1c3e7573b87fc53bd5828c9c5127f31d37ea964f8\r\nReferences\r\nAnalysis: https://app.any.run/tasks/64918027-01e6-415a-85b3-474fca5fc5c4\r\nVirusTotal Analysis (multiple labeling/attribution): https://www.virustotal.com/gui/file/df5ab9015833023a03f92a797e20196672c1d6525501a9f9a94a45b0904c7403\r\nOriginal Intel Pulse (OTX): https://otx.alienvault.com/pulse/68535853fe15cff17229577d\r\nMauro Eldritch\r\nMauro Eldritch is an Argentinian-Uruguayan hacker, founder of BCA LTD and DC5411 (Argentina / Uruguay). He has spoken at various events, including DEF CON (12 times). He is passionate about Threat Intelligence and Biohacking.
He currently leads Bitso’s Quetzal Team, the first in Latin America dedicated to Web3 Threat Research.\r\nFollow Mauro on: X, LinkedIn, GitHub\r\nSource: https://any.run/cybersecurity-blog/devman-ransomware-analysis/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://any.run/cybersecurity-blog/devman-ransomware-analysis/"
	],
	"report_names": [
		"devman-ransomware-analysis"
	],
	"threat_actors": [
		{
			"id": "6608b798-f92b-42af-a93f-d72800eeb3a3",
			"created_at": "2023-11-30T02:00:07.292Z",
			"updated_at": "2026-04-10T02:00:03.482199Z",
			"deleted_at": null,
			"main_name": "DragonForce",
			"aliases": [],
			"source_name": "MISPGALAXY:DragonForce",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "843f4240-33a7-4de4-8dcf-4ff9f9a8c758",
			"created_at": "2025-07-24T02:05:00.538379Z",
			"updated_at": "2026-04-10T02:00:03.657424Z",
			"deleted_at": null,
			"main_name": "GOLD FLAME",
			"aliases": [
				"DragonForce"
			],
			"source_name": "Secureworks:GOLD FLAME",
			"tools": [
				"ADFind",
				"AnyDesk",
				"Cobalt Strike",
				"FileSeek",
				"Mimikatz",
				"SoftPerfect Network Scanner",
				"SystemBC",
				"socks.exe"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775433972,
	"ts_updated_at": 1775791596,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2e74b32e7bb6718afa38566937336bc5bc1c6c50.pdf",
		"text": "https://archive.orkl.eu/2e74b32e7bb6718afa38566937336bc5bc1c6c50.txt",
		"img": "https://archive.orkl.eu/2e74b32e7bb6718afa38566937336bc5bc1c6c50.jpg"
	}
}