
Devman Ransomware: Emerging Threat Analysis

Written by IronGate | Dec 16, 2025 6:10:05 PM

Overview

Devman is an emerging ransomware variant linked to the DragonForce Ransomware-as-a-Service (RaaS) operation, with a code base that traces back to the Conti group. Although still under active development, it already ships capable encryption routines and has been observed targeting major enterprises and critical infrastructure sectors.

Key Indicators

  • File Extension: .DEVMAN is appended to encrypted files 
  • Ransom Note: !!!_README_!!!.txt 
  • Encryption: Can encrypt whole files or only parts of them; partial encryption is faster and still leaves files unusable 
  • Locked Files: Uses the Windows Restart Manager API to close handles held by other processes so that files in use can also be encrypted 
  • Spread: Enumerates SMB shares to move laterally through the network 
  • Data Theft: Uses Rclone to exfiltrate files before encryption starts 

How It Works (Simplified)

  • Phishing: The intrusion often starts with a malicious email link or attachment. 
  • Uses Real Accounts: Operators log in with stolen usernames and passwords, so their activity blends in with legitimate users. 
  • Deletes Backups: Removes recovery options so that restoring without paying is difficult. 
  • Encrypts Data: Makes files unusable until the ransom is paid. 

Defense Tips 

  • Watch for unusual SMB traffic, such as one host connecting to many others on TCP/445 in a short period. 
  • Block Remote Desktop (RDP) exposure if it is not needed. 
  • Alert on files with the .DEVMAN extension, the !!!_README_!!!.txt note, and related registry keys. 
  • Keep offline backups and test that they restore. 
  • Use EDR/XDR tooling that can detect the process and file behaviours above. 
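As an added example, not code from the original post or from the Devman operators, the following Python script turns the indicators in this brief (the .DEVMAN extension, the !!!_README_!!!.txt note, Rclone launches, and SMB share scanning) into detection rules and runs them over constructed Sysmon-style events. The event field names, the fan-out threshold and window, and the sample events themselves are assumptions; adjust them to your own telemetry.

```python
"""Added example, not code from IronGate or from the Devman/DragonForce
operators. It runs the indicators named in the brief (.DEVMAN extension,
!!!_README_!!!.txt note, Rclone launches, SMB scanning) over constructed
Sysmon-style events. Field names, thresholds and the events are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Indicators taken from the brief.
DEVMAN_EXT = ".devman"
RANSOM_NOTE = "!!!_readme_!!!.txt"
EXFIL_TOOL = "rclone"

# Assumed tuning: one host opening TCP/445 to this many distinct destinations
# inside the window is treated as share scanning. Fit these to your network.
SMB_FANOUT_THRESHOLD = 8
SMB_WINDOW = timedelta(minutes=5)


def match_file_event(ev):
    """Sysmon event 11 (FileCreate): flag the Devman extension or the ransom note."""
    if ev["event_id"] != 11:
        return None
    name = PureWindowsPath(ev["target"]).name.lower()  # case-insensitive, like NTFS
    if name.endswith(DEVMAN_EXT):
        return {"rule": "devman_extension", "host": ev["host"], "detail": ev["target"]}
    if name == RANSOM_NOTE:
        return {"rule": "devman_ransom_note", "host": ev["host"], "detail": ev["target"]}
    return None


def match_process_event(ev):
    """Sysmon event 1 (ProcessCreate): flag Rclone by image name or command line."""
    if ev["event_id"] != 1:
        return None
    image = PureWindowsPath(ev["image"]).name.lower()
    cmdline = ev.get("cmdline", "").lower()
    if EXFIL_TOOL in image or EXFIL_TOOL in cmdline:
        return {"rule": "rclone_exfil", "host": ev["host"], "detail": ev["cmdline"]}
    return None


def smb_fanout(events, threshold=SMB_FANOUT_THRESHOLD, window=SMB_WINDOW):
    """Sysmon event 3 (NetworkConnect): return {host: max distinct TCP/445
    destinations inside any window} for hosts at or above the threshold."""
    per_host = defaultdict(list)
    for ev in events:
        if ev["event_id"] == 3 and ev.get("dst_port") == 445:
            per_host[ev["host"]].append((datetime.fromisoformat(ev["ts"]), ev["dst_ip"]))
    hits = {}
    for host, conns in per_host.items():
        conns.sort()
        best = 0
        for i, (start, _) in enumerate(conns):
            in_window = {dst for t, dst in conns[i:] if t - start <= window}
            best = max(best, len(in_window))
        if best >= threshold:
            hits[host] = best
    return hits


def run_detections(events):
    """Apply every rule and return the list of alerts."""
    alerts = []
    for ev in events:
        for matcher in (match_file_event, match_process_event):
            hit = matcher(ev)
            if hit:
                alerts.append(hit)
    for host, n in smb_fanout(events).items():
        alerts.append({"rule": "smb_fanout", "host": host,
                       "detail": f"{n} distinct SMB destinations in {SMB_WINDOW}"})
    return alerts


def _net(host, count, t0):
    """Constructed network events: `count` connections to distinct hosts on 445."""
    return [{"ts": (t0 + timedelta(seconds=5 * i)).isoformat(timespec="seconds"),
             "event_id": 3, "host": host, "dst_ip": f"10.0.5.{10 + i}", "dst_port": 445}
            for i in range(count)]


# Constructed sample telemetry, not real events.
_T0 = datetime(2025, 12, 16, 18, 0, 0)
SAMPLE_EVENTS = (
    _net("WS-07", 12, _T0)      # one workstation sweeping a subnet for shares
    + _net("FS-01", 3, _T0)     # a file server reaching three peers: normal
    + [
        {"ts": "2025-12-16T18:02:10", "event_id": 1, "host": "WS-07",
         "image": r"C:\Users\jdoe\AppData\Local\Temp\rclone.exe",
         "cmdline": r"rclone.exe copy \\FS-01\finance remote:exfil"},
        {"ts": "2025-12-16T18:02:11", "event_id": 1, "host": "WS-03",
         "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
        {"ts": "2025-12-16T18:09:40", "event_id": 11, "host": "WS-07",
         "target": r"C:\Users\jdoe\Documents\Q4-budget.xlsx.DEVMAN"},
        {"ts": "2025-12-16T18:09:41", "event_id": 11, "host": "WS-07",
         "target": r"C:\Users\jdoe\Documents\!!!_README_!!!.txt"},
        {"ts": "2025-12-16T18:09:42", "event_id": 11, "host": "WS-03",
         "target": r"C:\Users\asmith\Documents\notes.txt"},
    ]
)

if __name__ == "__main__":
    for alert in run_detections(SAMPLE_EVENTS):
        print(f"[{alert['rule']}] {alert['host']}: {alert['detail']}")
```

Running the script prints four alerts, all for WS-07. The SMB rule counts distinct destinations per host inside a sliding window rather than raw connection volume, so a file server talking to a few clients stays quiet while a workstation sweeping a subnet does not; the file rules lower-case the name before matching because NTFS is case-insensitive and the sample can be renamed.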

Bottom Line

Devman is a significant and rapidly developing threat in the current ransomware landscape. Its growing technical sophistication, combined with increasingly aggressive intrusion and deployment methods, underscores the need for organizations to strengthen preventive controls now. Effective preparation requires not only robust defenses but also a well-rehearsed incident response plan so that action is swift if Devman reaches an environment.



Contact us today to learn more about our Digital Forensics and Incident Response (DFIR) services.

Steve Ramey has spent the past two decades helping clients protect, investigate, and respond to events involving their digital interests.
He has led hundreds of data breach investigations, assessed incident response and security programs, and successfully advised organizations through extortion negotiations.