Threat Overview - DevMan Ransomware
DevMan Ransomware is a newly emerging ransomware operation observed in 2025 that has been assessed as a derivative of the DragonForce ransomware family; researchers also tie its evolution to the broader ransomware rebrand patterns seen across ecosystems such as Conti and Black Basta. The operation follows an aggressive extortion model that is becoming more common: operational disruption through encryption, with added pressure from data theft and leak-site publication.
Recent analysis also places DevMan's emergence within an increasingly modular ransomware landscape, in which operators reuse proven codebases and infrastructure while changing names, branding, and tooling to evade attribution and maintain momentum. This is worth noting because it matches the broader trend of ransomware groups shifting identities frequently while keeping their intrusion behavior and operational playbooks consistent.
TITAN References:
Verity471 Reference:
Info Report: DevMan Attacks Against Healthcare Industry – https://verity.intel471.com/intelligence/infoReportView/report--68eeb2d0-6536-5793-b7fd-7d44e736c465
TITAN Reference:
Info Report: DevMan Attacks Against Healthcare Industry – https://titan.intel471.com/report/inforep/bf66ae54a6110f77587b5c04278a2b9d
DevMan Ransomware Hunt Collection
Related Hunt Packages
Single-Character Named Files with Execution Extension - Potential Malware Staging
This hunt package identifies single-character file names used at the point of execution or in command-line arguments, with optional logic to also look for the creation of such files.
Autorun or ASEP Registry Key Modification
A common method by which adversaries and malicious software alike achieve persistence is adding a program to the startup folder or referencing it from a Registry run key. Adding an entry to the Registry "run keys" or to the startup folder causes the referenced program to execute when a user logs in. These entries are often used for legitimate purposes; however, when used maliciously the key name or value is often obviously suspicious, for example random names or objects loaded from temp or public folders.
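The run-key heuristics described above, written out as an added example (not code from the hunt package or from Intel 471): it scans constructed Sysmon-style registry-set events and flags run-key entries whose target lives in a temp or public folder or whose value name looks random.

```python
import math
import re
from collections import Counter

# Constructed sample events shaped like Sysmon Event ID 13 (registry value set).
# Illustrative records only, not telemetry from the report.
SAMPLE_EVENTS = [
    {"key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "value": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
    {"key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\xq9vtk2l",
     "value": r"C:\Users\Public\xq9vtk2l.exe"},
    {"key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\Update",
     "value": r"C:\Windows\Temp\a.exe"},
    {"key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SecurityHealth",
     "value": r"C:\Windows\system32\SecurityHealthSystray.exe"},
]

# Autostart (ASEP) run keys of interest.
RUN_KEY = re.compile(r"\\CurrentVersion\\(Run|RunOnce|RunServices|RunServicesOnce)\\", re.I)
# Directories that legitimate autostart entries rarely point into.
SUSPICIOUS_DIR = re.compile(r"\\(Temp|Public|AppData\\Local\\Temp|ProgramData|Downloads)\\", re.I)

def shannon_entropy(s):
    counts = Counter(s.lower())
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values()) if n else 0.0

def looks_random(name):
    # Heuristic (assumption): names of 6+ chars with high character entropy and digits mixed in.
    return len(name) >= 6 and shannon_entropy(name) > 2.8 and any(ch.isdigit() for ch in name)

def classify(event):
    """Return the list of reasons an event is suspicious; empty if it is not a run-key write or looks benign."""
    if not RUN_KEY.search(event["key"]):
        return []
    value_name = event["key"].rsplit("\\", 1)[1]
    reasons = []
    if SUSPICIOUS_DIR.search(event["value"]):
        reasons.append("target in temp/public folder")
    if looks_random(value_name):
        reasons.append("random-looking value name")
    return reasons

def hunt(events):
    return [(e["key"], reasons) for e in events if (reasons := classify(e))]
```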
Remote Interactive Connections from Unexpected Locations
This hunt package identifies remote interactive connections that originate from unexpected, internet-exposed locations and reach more isolated internal locations, potentially indicating that external assets have been compromised and are being used as beachheads for lateral movement. By focusing on remote connection protocols such as SSH, WinRM, RDP, and SMB, the package is designed to detect unauthorized access and exploitation where attackers leverage these protocols to move laterally across the network.
Potential Impacket wmiexec Module Command Execution
Impacket's wmiexec module enables an attacker to remotely upload files to the target system. By default, the module uses the same command-argument structure to perform the file upload. The logic in this package identifies Impacket's known wmiexec command structure while accounting for small alterations, in case an attacker changes the module's default command structure.
Network SMB Profiling - Potential Nonstandard SMB Communication Behavior
This hunt package is designed to identify abnormal Server Message Block (SMB) communications directed at hosts external to the organization's network. The SMB protocol is used for sharing files, printers, and other resources between computers, but attackers can also use SMB traffic to spread malware, steal data, and carry out other malicious activities. Abnormal SMB communications are traffic that deviates from the normal patterns and behaviors of legitimate SMB traffic, such as unusual SMB commands or unexpected connection attempts.
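An added example covering both the remote-interactive-connection package and the SMB profiling package above (my code, not the hunt packages' own logic): it classifies constructed network flows, flagging SSH/WinRM/RDP/SMB sessions that cross from an internet-exposed address into an isolated segment, and SMB leaving the private address space. The DMZ and isolated ranges are assumed values.

```python
import ipaddress

# Constructed sample flows as (src, dst, dst_port); illustrative only, not from the report.
FLOWS = [
    ("203.0.113.10", "10.10.5.20", 3389),   # public host to isolated segment via RDP
    ("172.16.8.15", "10.10.5.21", 5985),    # DMZ web server to isolated segment via WinRM
    ("10.10.5.30", "10.10.5.21", 445),      # internal to internal SMB: normal
    ("10.10.5.30", "198.51.100.7", 445),    # SMB leaving the network: nonstandard
    ("10.10.5.30", "10.10.5.40", 22),       # internal admin SSH: normal
]

# Assumed network layout: one DMZ range and one protected internal range.
INTERNET_EXPOSED = [ipaddress.ip_network("172.16.8.0/24")]
ISOLATED = [ipaddress.ip_network("10.10.5.0/24")]
PRIVATE = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Remote interactive protocols named by the hunt package, keyed by default port.
REMOTE_INTERACTIVE = {22: "SSH", 3389: "RDP", 5985: "WinRM", 5986: "WinRM", 445: "SMB"}

def in_any(addr, nets):
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in nets)

def is_internet_exposed(addr):
    # Public addresses and hosts in the DMZ are both treated as internet-exposed.
    return not in_any(addr, PRIVATE) or in_any(addr, INTERNET_EXPOSED)

def classify_flow(src, dst, port):
    """Return findings for one flow; empty list means nothing of interest."""
    findings = []
    proto = REMOTE_INTERACTIVE.get(port)
    if proto and is_internet_exposed(src) and in_any(dst, ISOLATED):
        findings.append(f"{proto} from internet-exposed {src} into isolated segment")
    if port == 445 and not in_any(dst, PRIVATE):
        findings.append(f"SMB to external host {dst}")
    return findings

def hunt(flows):
    return [(flow, classify_flow(*flow)) for flow in flows if classify_flow(*flow)]
```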
Possible Impacket service created - smbexec.py module
This package identifies the creation of a service whose name matches the default schema used by Impacket's "smbexec.py" module. Impacket is an open-source collection of Python modules for constructing and manipulating network protocols; these modules have been observed being abused for malicious purposes, such as obtaining credentials and executing commands remotely.
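An added example serving both Impacket packages above, the wmiexec command-structure hunt and the smbexec service-name hunt (my code, not the packages' own queries): it matches constructed process-creation command lines and service-installation records against the tools' well-documented default patterns, loosened so that small alterations such as a changed host, share, or redirect still match.

```python
import re

# Constructed sample telemetry: process command lines and service-install records
# in the shape of Windows Event ID 7045. Illustrative only, not data from the report.
PROCESS_EVENTS = [
    r'cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1700000000.12 2>&1',  # wmiexec default
    r'cmd.exe /Q /c ipconfig /all > \\10.0.0.5\C$\__out 2>&1',           # altered share/redirect
    r'cmd.exe /c dir C:\Users',                                          # ordinary admin command
]
SERVICE_EVENTS = [
    {"name": "BTOBTO",   # smbexec default service name
     "image": r'%COMSPEC% /Q /c echo cd ^> \\127.0.0.1\C$\__output 2^>&1 > %TEMP%\execute.bat '
              r'& %COMSPEC% /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat'},
    {"name": "Spooler", "image": r"C:\Windows\System32\spoolsv.exe"},
]

# wmiexec default shape: cmd.exe /Q /c <cmd> 1> \\127.0.0.1\ADMIN$\__<timestamp> 2>&1
# Loosened: any host and share, "1>" or ">", any "__"-prefixed output file.
WMIEXEC = re.compile(
    r"cmd(\.exe)?\s+/q\s+/c\s+.+?\s+1?>\s*\\\\[^\\\s]+\\[^\\\s]+\\__\S*\s+2>&1", re.I)

# smbexec default shape: service "BTOBTO" whose image echoes the command into
# %TEMP%\execute.bat and redirects output to \\<host>\<share>\__output.
SMBEXEC_NAME = re.compile(r"^BTOBTO$", re.I)
SMBEXEC_IMAGE = re.compile(r"%COMSPEC%\s+/q\s+/c\s+echo\s+.+\\__output.+execute\.bat", re.I)

def match_wmiexec(cmdline):
    return bool(WMIEXEC.search(cmdline))

def match_smbexec(service):
    """Return the reasons a service record matches smbexec; empty list if none."""
    reasons = []
    if SMBEXEC_NAME.match(service["name"]):
        reasons.append("default service name")
    if SMBEXEC_IMAGE.search(service["image"]):
        reasons.append("smbexec command structure")
    return reasons

def hunt(process_events, service_events):
    return {
        "wmiexec": [c for c in process_events if match_wmiexec(c)],
        "smbexec": [(s["name"], match_smbexec(s)) for s in service_events if match_smbexec(s)],
    }
```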
Unusual Secrets Dump Processes - DonPAPI Activity
This hunt package focuses on identifying the execution of DonPAPI, an open-source credential-theft tool used to extract DPAPI-protected secrets, browser credentials, RDP files, Wi-Fi keys, and other sensitive artifacts from Windows systems.