DUBAI, DUBAI, UNITED ARAB EMIRATES, July 1, 2025 /EINPresswire.com/ -- ANY.RUN, a trusted provider of cybersecurity solutions, has published a new technical analysis revealing a ransomware variant that blends traits of DragonForce and Conti families with indicators of a newer actor known as DEVMAN.

๐ƒ๐„๐•๐Œ๐€๐: ๐€ ๐๐ž๐ฐ ๐“๐ก๐ซ๐ž๐š๐ญ ๐€๐œ๐ญ๐จ๐ซ ๐“๐š๐ซ๐ ๐ž๐ญ๐ข๐ง๐ ๐„๐ง๐ญ๐ž๐ซ๐ฉ๐ซ๐ข๐ฌ๐ž๐ฌ

DEVMAN is a relatively new actor that has recently emerged under this name, with its own Dedicated Leak Site (DLS) called Devman's Place, separate infrastructure, and nearly 40 claimed victims, primarily in Asia and Africa, with occasional incidents in Latin America and Europe.

๐ƒ๐„๐•๐Œ๐€๐ ๐‘๐š๐ง๐ฌ๐จ๐ฆ๐ฐ๐š๐ซ๐ž: ๐€ ๐‡๐ฒ๐›๐ซ๐ข๐ ๐“๐ก๐ซ๐ž๐š๐ญ

The analyzed sample, initially labeled as DragonForce by antivirus engines, turned out to be a lightly modified DragonForce build. It appends the ".DEVMAN" extension to encrypted files, scrambles filenames using a deterministic function and, due to a builder flaw, encrypts its own ransom notes before victims can read them.

๐Š๐ž๐ฒ ๐ ๐ข๐ง๐๐ข๐ง๐ ๐ฌ ๐จ๐Ÿ ๐ญ๐ก๐ž ๐ƒ๐„๐•๐Œ๐€๐ ๐€๐ง๐š๐ฅ๐ฒ๐ฌ๐ข๐ฌ ๐ˆ๐ง๐œ๐ฅ๐ฎ๐๐ž:

ยท ๐—Ÿ๐—ผ๐—ฐ๐—ฎ๐—น ๐—ฒ๐˜ ๐—ฒ๐—ฐ๐˜‚๐˜๐—ถ๐—ผ๐—ป: No external C2 traffic was detected; all behavior is confined to the local system.

ยท ๐—ฆ๐— ๐—• ๐—ฝ๐—ฟ๐—ผ๐—ฏ๐—ถ๐—ป๐—ด: The sample attempts to access hardcoded SMB shares such as ADMIN$.

ยท ๐—–๐—ผ๐—ป๐˜๐—ถ-๐˜€๐˜๐˜†๐—น๐—ฒ ๐—ฝ๐—ฒ๐—ฟ๐˜€๐—ถ๐˜€๐˜๐—ฒ๐—ป๐—ฐ๐—ฒ: The use of mutexes and the Windows Restart Manager mirrors tactics from Conti and DragonForce campaigns.

To explore the full technical breakdown and see how DEVMAN behaves inside the sandbox, visit the ANY.RUN blog.

๐€๐›๐จ๐ฎ๐ญ ๐€๐๐˜.๐‘๐”๐

ANY.RUN offers a comprehensive suite of cybersecurity solutions, including its Interactive Sandbox and advanced Threat Intelligence services. Trusted by over 15,000 companies worldwide, ANY.RUN enables dynamic malware analysis across Windows, Linux, and Android systems.

In addition to sandboxing, ANY.RUN provides Threat Intelligence Lookup, Feeds, and YARA Search, helping security teams detect, investigate, and respond to threats with greater speed and accuracy.

Legal Disclaimer:

EIN Presswire provides this news content "as is" without warranty of any kind. We do not accept any responsibility or liability for the accuracy, content, images, videos, licenses, completeness, legality, or reliability of the information contained in this article. If you have any complaints or copyright issues related to this article, kindly contact the author above.