
DragonForce ransomware variant tied to emerging DEVMAN threat actor

An unusual DragonForce ransomware variant tied to the emerging DEVMAN threat actor was detailed in an ANY.RUN blog post Tuesday.

DEVMAN has claimed nearly 40 victims since it first appeared on the ransomware scene, according to ANY.RUN.

The group has been active since at least May 2025, when it claimed 13 victims in a single month, placing it just behind the top five groups by ransomware attack volume that month, according to Cyble.

An analysis by offensive security expert and threat intelligence analyst Mauro Eldritch reveals details about custom ransomware created by DEVMAN and its ties to the DragonForce and Conti ransomware-as-a-service (RaaS) gangs.

Both familiar features and ‘oddities’ found in DEVMAN ransomware sample

The DragonForce (RaaS) group allows its affiliates to create their own custom variants, which can muddle analysis and attribution as many spinoffs with different indicators of compromise (IoCs) emerge.

The DEVMAN variant, uploaded to VirusTotal by TheRavenFile, is detected by most antivirus engines as DragonForce or Conti ransomware. That is expected given the lineage: DEVMAN's variant is built on DragonForce, which itself is built on Conti code, so signatures written for the ancestors still match.

DEVMAN maintains similar features to its DragonForce and Conti ancestors; for example, the ransom note used by DEVMAN is identical to that used by DragonForce.

Additionally, DEVMAN uses the Windows Restart Manager to get at locked files in the same manner as both DragonForce and Conti before it.

The ransomware opens a temporary Windows Restart Manager session and registers the files it intends to encrypt. Restart Manager reports which processes hold those files open so they can be released, which is how the malware gets past file locks. While the session is open, Windows records its metadata, including the registered file list, under the current user's RestartManager registry key; the sample ends the session almost immediately, so those entries are deleted within moments and leave little for a forensic review to find.

The DragonForce variant also uses the Restart Manager API to identify which processes are locking specific files, and creates a hardcoded mutex so that the same sample cannot run twice on one host; this use of a mutex is also characteristic of Conti-family ransomware strains, Eldritch explains.
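Because the session entries are created and deleted within moments, polling the registry will usually miss them; event-based telemetry is what catches this behaviour. The script below is an added example, not code from the article or from ANY.RUN's analysis. It runs a simple detection rule over constructed, pre-parsed registry-event rows; the row format, process names and value names are assumptions standing in for real Sysmon registry events (ID 12 key create/delete, ID 13 value set), which would have to be parsed from XML into this shape first.

```python
"""Flag Restart Manager sessions that register many user files and vanish fast.

Added example; not code from the article or from ANY.RUN. The log lines below
are constructed and use a simplified, pre-parsed row format
(timestamp|event|process|key|value|data) standing in for Sysmon registry
events (ID 12 key create/delete, ID 13 value set).
"""
import re
from collections import OrderedDict
from datetime import datetime

# While a Restart Manager session is open, Windows keeps its state under
# HKCU\Software\Microsoft\RestartManager\SessionNNNN and the key disappears
# when the session ends. The RegFilesNNNN value names are an assumption here.
SESSION_KEY = re.compile(r"\\RestartManager\\Session\d{4}$", re.IGNORECASE)
FILE_VALUE = re.compile(r"^RegFiles\d{4}$", re.IGNORECASE)

_BASE = r"HKU\S-1-5-21-1\Software\Microsoft\RestartManager\Session"


def _row(ts, event, proc, session, value="", data=""):
    return f"{ts}|{event}|{proc}|{_BASE}{session}|{value}|{data}"


# Constructed sample: Word registering one open document (a benign use of the
# API) and an unknown binary registering six documents and tearing the
# session down one second later.
SAMPLE_LOG = "\n".join(
    [_row("2025-07-01T10:00:00", "CreateKey", "winword.exe", "0000"),
     _row("2025-07-01T10:00:00", "SetValue", "winword.exe", "0000",
          "RegFiles0000", r"C:\Users\a\report.docx"),
     _row("2025-07-01T10:00:05", "DeleteKey", "winword.exe", "0000"),
     _row("2025-07-01T10:02:00", "CreateKey", "svchost_.exe", "0001")]
    + [_row("2025-07-01T10:02:00", "SetValue", "svchost_.exe", "0001",
            f"RegFiles{i:04d}", rf"C:\Users\a\Documents\file{i}.xlsx")
       for i in range(6)]
    + [_row("2025-07-01T10:02:01", "DeleteKey", "svchost_.exe", "0001")]
)


def parse(log: str):
    """Turn the pipe-separated rows into dicts with a parsed timestamp."""
    rows = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, event, proc, key, value, data = line.split("|", 5)
        rows.append({"ts": datetime.fromisoformat(ts), "event": event,
                     "proc": proc, "key": key, "value": value, "data": data})
    return rows


def sessions(rows):
    """Group Restart Manager registry events into one record per session."""
    out = OrderedDict()
    for r in rows:
        if not SESSION_KEY.search(r["key"]):
            continue
        s = out.setdefault((r["proc"], r["key"]),
                           {"created": None, "deleted": None, "files": set()})
        if r["event"] == "CreateKey":
            s["created"] = r["ts"]
        elif r["event"] == "DeleteKey":
            s["deleted"] = r["ts"]
        elif r["event"] == "SetValue" and FILE_VALUE.match(r["value"]):
            s["files"].add(r["data"])
    return out


def flag_sessions(rows, min_files=5, max_lifetime_s=10.0):
    """Return sessions that registered >= min_files and lived <= max_lifetime_s.

    Installers and Office use Restart Manager legitimately, so the API call
    alone is not an indicator; the number of user documents registered plus
    the rapid teardown is what separates an encryptor from a normal caller.
    """
    alerts = []
    for (proc, key), s in sessions(rows).items():
        if s["created"] is None or s["deleted"] is None:
            continue
        lifetime = (s["deleted"] - s["created"]).total_seconds()
        if len(s["files"]) >= min_files and lifetime <= max_lifetime_s:
            alerts.append({"process": proc, "session": key.rsplit("\\", 1)[-1],
                           "files": len(s["files"]), "lifetime_s": lifetime})
    return alerts


if __name__ == "__main__":
    for alert in flag_sessions(parse(SAMPLE_LOG)):
        print(alert)
```

The thresholds are starting points, not tuned values: a large Windows Installer run can register many binaries in one session, so in production the rule should also weigh the file types registered (user documents rather than DLLs) and the reputation of the calling process.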

Along with these similarities, the DEVMAN sample also includes “oddities” that appear to reflect development errors, Eldritch says. For example, the ransomware encrypts its own ransom note, making it inaccessible to the victim, and changes the wallpaper on Windows 10 but fails to do so on Windows 11.

Another quirk is that encrypted files are renamed to seemingly random strings of numbers and letters before the “.devman” extension is appended. The malware appears to work almost completely offline, apart from attempting to spread via Server Message Block (SMB) file shares, and comes with three encryption modes: full, header-only and custom.
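A responder who recovers “.devman” files will want to know which mode hit them, since header-only and partial modes leave much of a file's content intact. The script below is an added example, not the DEVMAN sample's code and not from the article: it applies the three modes to a constructed document and then classifies the result by per-chunk entropy, the same triage one would do on real samples. The 64 KiB header length, the alternating 128 KiB custom pattern and the toy SHA-256 keystream standing in for the real cipher are assumptions; the article does not give those parameters.

```python
"""Estimate how much of an encrypted file is still plaintext, by chunk entropy.

Added example; not the DEVMAN sample's code and not code from the article.
The three mode names come from the article; the header length (64 KiB), the
custom pattern (alternating 128 KiB encrypted / skipped) and the toy SHA-256
counter keystream standing in for the real cipher are assumptions.
"""
import hashlib
import math
from collections import Counter

CHUNK = 4096          # granularity of the entropy scan
HIGH_ENTROPY = 7.0    # bits/byte; random data scores about 7.95 per 4 KiB chunk

# Constructed stand-in for a victim document: low-entropy repeated text.
SAMPLE_DOC = b"Quarterly revenue figures, draft v3 - do not distribute.\n" * 10000


def keystream(key: bytes, length: int) -> bytes:
    """Toy SHA-256 counter-mode keystream (illustration only, not a real cipher)."""
    out = bytearray()
    ctr = 0
    while len(out) < length:
        out += hashlib.sha256(key + ctr.to_bytes(8, "big")).digest()
        ctr += 1
    return bytes(out[:length])


def ranges_for_mode(mode: str, size: int, header=65536, step=131072):
    """Byte ranges an encryptor would touch in each of the three modes."""
    if mode == "full":
        return [(0, size)]
    if mode == "header-only":
        return [(0, min(header, size))]
    if mode == "custom":  # assumed pattern: encrypt `step`, skip `step`, repeat
        return [(s, min(s + step, size)) for s in range(0, size, 2 * step)]
    raise ValueError(f"unknown mode {mode!r}")


def encrypt_ranges(data: bytes, ranges, key=b"toy-key") -> bytes:
    """XOR the given byte ranges with the toy keystream, leaving the rest intact."""
    buf = bytearray(data)
    for start, end in ranges:
        seg = bytes(buf[start:end])
        ks = keystream(key + start.to_bytes(8, "big"), len(seg))
        mixed = int.from_bytes(seg, "big") ^ int.from_bytes(ks, "big")
        buf[start:end] = mixed.to_bytes(len(seg), "big")
    return bytes(buf)


def entropy(b: bytes) -> float:
    """Shannon entropy in bits per byte."""
    n = len(b)
    return -sum(c / n * math.log2(c / n) for c in Counter(b).values())


def plaintext_fraction(data: bytes) -> float:
    """Fraction of CHUNK-sized pieces that still look like plaintext."""
    chunks = [data[i:i + CHUNK] for i in range(0, len(data), CHUNK)]
    if not chunks:
        return 1.0
    low = sum(1 for c in chunks if entropy(c) < HIGH_ENTROPY)
    return low / len(chunks)


def classify(data: bytes) -> str:
    """Heuristic triage: which mode produced this file, and is anything left?"""
    f = plaintext_fraction(data)
    if f == 1.0:
        return "unencrypted"
    if f == 0.0:
        return "full"
    # Header-only leaves the bulk of the file intact after an encrypted start;
    # an alternating pattern removes roughly half of it.
    if f >= 0.75 and entropy(data[:CHUNK]) >= HIGH_ENTROPY:
        return "header-only"
    return "custom"


if __name__ == "__main__":
    for mode in ("full", "header-only", "custom"):
        enc = encrypt_ranges(SAMPLE_DOC, ranges_for_mode(mode, len(SAMPLE_DOC)))
        print(mode, classify(enc), round(plaintext_fraction(enc), 3))
```

The entropy test is a heuristic: already-compressed formats (ZIP-based Office files, JPEGs, PDFs with compressed streams) score high even when untouched, so on real evidence the classification should be cross-checked against the file's magic bytes and container structure rather than trusted on its own.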

Ransom ecosystem continues to shift

Both DEVMAN and DragonForce have a history of entanglements with other groups; DragonForce previously claimed to have taken over the RansomHub gang after its sudden disappearance and also defaced the leak sites of the BlackLock and Mamona ransomware groups. The RaaS operation recently introduced a “cartel” model that provides affiliates with additional access to shared tooling and infrastructure.

In addition to DragonForce, DEVMAN has also worked with the Qilin, Apos and RansomHub gangs, according to Cyble. DEVMAN told Eldritch they had not used DragonForce ransomware in months, according to the ANY.RUN blog post.

Constantly evolving ransomware strains and RaaS ecosystem relationships highlight the value of interactive sandboxing for deeper analysis and clearer attribution of unusual variants like DEVMAN.  
