DEVMAN Ransomware: Analysis of New DragonForce Variant
NetmanageIT OpenCTI - opencti.netmanageit.com

SUMMARY:
A new ransomware strain resembling DragonForce but with unique traits has emerged, possibly connected to an entity called DEVMAN. The sample reuses DragonForce code but adds its own elements, including the .DEVMAN file extension. Attribution is unclear, as the ransom note is identical to DragonForce's. The malware operates offline, probes for SMB connections, and uses three encryption modes. It exhibits different behaviors on Windows 10 and 11, particularly in changing wallpapers. The ransomware encrypts its own ransom notes, likely due to a builder flaw. DEVMAN claims to have stopped using DragonForce months ago, suggesting this may be an experimental or outdated build.
OPENCTI LABELS:
ransomware,raas,conti,dragonforce,mamona,blacklock,devman