win.devman

DEVMAN

Actor(s): [Unnamed group]


DEVMAN is a ransomware which shares a large part of its codebase with DragonForce ransomware. It is highly probable that the group used a DragonForce ransomware build and simply changed the extension added to the encrypted files (from .dragonforce_encrypted to .devman). In one of the first observed samples, the ransom note still claimed to be part of the DragonForce Ransomware Cartel.

The ransomware implements common ransomware features such as deletion of Volume Shadow Copies, and it skips files whose extensions appear in a hard-coded exclusion list. It implements multiple encryption modes:

- Full encryption
- Header-only encryption
- Custom encryption

These modes let the operator trade speed for coverage depending on the scenario: header-only or custom (partial) encryption is fast, while full encryption is the strongest. The ransomware also attempts to connect to SMB shares.
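The practical difference between the three modes is how much of each file is actually touched, which matters for recovery triage. The following is an added example, not code from the ANY.RUN or CERT-IL analyses: given an original file and its encrypted counterpart, it reports the byte ranges that changed, labels the pattern as full, header-only or custom, and computes how much of the file is left intact. The sample buffers and the byte-flipping stand-in used to build them are constructed here; the real DragonForce/DEVMAN cipher and chunk sizes are not reproduced.

```python
"""Measure how much of a file an encryption pass actually touched.

Added example for triage, not the malware's own code. Inputs are the original
and encrypted versions of the same file; output is the list of modified byte
ranges and a mode label matching the three modes described above."""


def changed_ranges(original, encrypted):
    """Return [(start, end)] half-open byte ranges where the two buffers differ."""
    if len(original) != len(encrypted):
        # In-place modes keep the size; an appended footer needs separate handling.
        raise ValueError("buffers differ in length; strip any appended footer first")
    ranges, start = [], None
    for i, (a, b) in enumerate(zip(original, encrypted)):
        if a != b and start is None:
            start = i
        elif a == b and start is not None:
            ranges.append((start, i))
            start = None
    if start is not None:
        ranges.append((start, len(original)))
    return ranges


def classify_mode(original, encrypted):
    """Label the pattern: 'full', 'header-only', 'custom' (partial/intermittent) or 'none'."""
    ranges = changed_ranges(original, encrypted)
    n = len(original)
    if not ranges:
        return "none"
    if ranges == [(0, n)]:
        return "full"
    if len(ranges) == 1 and ranges[0][0] == 0:
        return "header-only"
    return "custom"


def recoverable_fraction(original, encrypted):
    """Share of bytes left untouched, i.e. what a carver or repair tool could still salvage."""
    touched = sum(end - start for start, end in changed_ranges(original, encrypted))
    return 1 - touched / len(original)


def _mock_encrypt(data, ranges):
    """Constructed stand-in for a cipher: flip every byte in the given ranges so the
    diff is unambiguous. This is NOT the real algorithm used by the ransomware."""
    out = bytearray(data)
    for start, end in ranges:
        for i in range(start, end):
            out[i] ^= 0xFF
    return bytes(out)


# Constructed 4 KiB "document" and three encrypted variants, one per mode.
PLAINTEXT = bytes(range(256)) * 16
FULL = _mock_encrypt(PLAINTEXT, [(0, len(PLAINTEXT))])
HEADER_ONLY = _mock_encrypt(PLAINTEXT, [(0, 1024)])
CUSTOM = _mock_encrypt(PLAINTEXT, [(0, 512), (2048, 2560), (3584, 4096)])

if __name__ == "__main__":
    for name, enc in (("full", FULL), ("header-only", HEADER_ONLY), ("custom", CUSTOM)):
        print(name, classify_mode(PLAINTEXT, enc), changed_ranges(PLAINTEXT, enc),
              f"recoverable={recoverable_fraction(PLAINTEXT, enc):.2f}")
```

On a real incident the original is usually a backup or a known-good copy of the same file; the function deliberately refuses mismatched lengths so that a build which appends a footer (key blob, marker) is handled explicitly rather than silently misclassified.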

DEVMAN ransomware creates a temporary Restart Manager session, recorded under the registry key `HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000`. The Restart Manager is used to release file locks held by running processes so that files open in the active user session can be encrypted. This capability appears to be inherited from Conti ransomware, which inspired both DragonForce and DEVMAN. As part of the same legacy, the ransomware uses a hard-coded mutex to prevent multiple instances from running in parallel.
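The Restart Manager session key is a useful hunting artefact, but it is created by the documented RmStartSession API, so installers (Windows Installer among them) produce the same keys legitimately. The following is an added example, not code from the ANY.RUN or CERT-IL reports: it scans Sysmon-style event lines for Restart Manager session keys and for shadow-copy deletion commands, then correlates them per host so that the key alone only yields a low-confidence hit. The log lines, their pipe-separated layout and the image names in them are constructed for illustration; the mutex name is not given on this page and is therefore not matched.

```python
"""Correlate Restart Manager session keys with shadow-copy deletion per host.

Added triage example, not the malware's own code. Event lines are a constructed
"<host>|<event>|<image>|<detail>" layout, not a real Sysmon export."""
import re
from collections import defaultdict

# Restart Manager sessions are created by RmStartSession(); installers use it
# legitimately, so this key on its own is only a weak signal.
RM_KEY_RE = re.compile(
    r"HK(?:EY_CURRENT_USER|CU)\\Software\\Microsoft\\RestartManager\\Session\d{4}",
    re.IGNORECASE,
)

# Shadow-copy deletion commands commonly seen across ransomware families.
SHADOW_DELETE_RES = [
    re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows", re.IGNORECASE),
    re.compile(r"wmic(?:\.exe)?\s+shadowcopy\s+delete", re.IGNORECASE),
    re.compile(r"Win32_ShadowCopy.*Delete\(\)", re.IGNORECASE),
]

# Constructed sample events (host, event type, image, detail).
SAMPLE_EVENTS = [
    "ws01|RegistryEvent|C:\\Users\\bob\\dm.exe|HKCU\\Software\\Microsoft\\RestartManager\\Session0000",
    "ws01|ProcessCreate|C:\\Windows\\System32\\vssadmin.exe|vssadmin.exe delete shadows /all /quiet",
    "ws02|RegistryEvent|C:\\Windows\\System32\\msiexec.exe|HKCU\\Software\\Microsoft\\RestartManager\\Session0001",
    "ws03|ProcessCreate|C:\\Windows\\System32\\cmd.exe|cmd.exe /c dir",
]


def parse_event(line):
    """Split one constructed event line into its four fields."""
    host, event, image, detail = line.split("|", 3)
    return {"host": host, "event": event, "image": image, "detail": detail}


def classify(ev):
    """Return the indicator name matched by one event, or None."""
    if ev["event"] == "RegistryEvent" and RM_KEY_RE.search(ev["detail"]):
        return "restart_manager_session"
    if ev["event"] == "ProcessCreate" and any(r.search(ev["detail"]) for r in SHADOW_DELETE_RES):
        return "shadow_copy_deletion"
    return None


def triage(lines):
    """Map host -> 'high' when both indicators fire, 'low' when only one does.

    Hosts with no indicator are omitted."""
    per_host = defaultdict(set)
    for line in lines:
        ev = parse_event(line)
        indicator = classify(ev)
        if indicator:
            per_host[ev["host"]].add(indicator)
    return {host: ("high" if len(inds) == 2 else "low") for host, inds in per_host.items()}


if __name__ == "__main__":
    for host, level in sorted(triage(SAMPLE_EVENTS).items()):
        print(host, level)
```

In the constructed data ws01 shows both the session key and a vssadmin deletion and is flagged high; ws02 only shows a session key written by msiexec.exe, the expected legitimate source, and stays low. In production the process image writing the key (an unsigned binary in a user profile versus msiexec.exe) and a burst of file renames to the .devman extension are the natural additional correlation points.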

References

2025-07-01, ANY.RUN, Mauro Eldritch: DEVMAN Ransomware: Analysis of New DragonForce Variant (tags: DEVMAN)
2025-07-01, CERT-IL: DevMan Ransomware Threat Actor Report (tags: DEVMAN)

There is no Yara-Signature yet.