Security & Compliance Automation Platform
UnderDefense MAXI is the solution to day-to-day cybersecurity problems of IT leaders and teams. It builds your 24/7 business protection together with you on the driver’s seat.
UnderDefense MAXI Platform
UnderDefense Secures Top Honor at the 2025 Global Infosec Awards
We’re proud of being a winner at the 2025 Global Infosec Awards…
10-Point AWS Security Checklist for Executives
Quickly assess your cloud security posture with this executive-ready checklist covering IAM, monitoring, and compliance essentials.
Anti-Phishing Playbook
Your free PDF guide to spotting and stopping phishing attacks before they reach your team or data.
24/7 Threat Detection & MAXImum Responsiveness
Our human-led MDR service combines expert insight and automation and AI for fast, precise threat response. Get full context in 2 minutes and cut MTTC to 15, staying ahead of ransomware and other attacks.
Calculate your MDR price
Pay only for the services you actually need, with no hidden costs.
10-Point AWS Security Checklist for Executives
Quickly assess your cloud security posture with this executive-ready checklist covering IAM, monitoring, and compliance essentials.
Anti-Phishing Playbook
Your free PDF guide to spotting and stopping phishing attacks before they reach your team or data.
Spot threats faster and respond smarter than tools alone
24/7 MDR and SOC services led by award-winning security experts. We act as an extension to your team or as a fully remote team, providing detailed threat insights and actionable responses to secure your environment immediately.
UnderDefense is an AWS Partner
We’re excited to announce that UnderDefense is now an AWS partner and available on AWS Marketplace…
Managed SOC at Your Service
Augment your SOC with 24/7 monitoring, threat detection, and expert response—without the overhead. Integrated with your existing tools, our SOCaaS stops attacks before they cause harm.
Managed SIEM Pricing Guide
Download a clear, practical overview of Managed SIEM pricing, featuring detailed breakdowns by service type, pricing model, real-world pros and cons, and key cost factors.
Managed SOC at Your Service
Augment your SOC with 24/7 monitoring, threat detection, and expert response—without the overhead. Integrated with your existing tools, our SOCaaS stops attacks before they cause harm.
Managed SIEM Pricing Guide
Download a clear, practical overview of Managed SIEM pricing, featuring detailed breakdowns by service type, pricing model, real-world pros and cons, and key cost factors.
DevMan ransomware recovery team on standby
DevMan is an emerging ransomware group that appeared in 2025 deploying a fast file-locking payload via compromised remote access tools, targeting mid-market enterprises across the APAC region. Isolate affected systems immediately and contact UnderDefense — do not attempt self-remediation, as improper actions can destroy evidence and accelerate damage.
Average Mttc
Ransom-Free recovery rate
Avoided in ransom
Global availability
Systems restored
IR experts
Ransomware cases resolved
IR experience
Do NOT attempt any self-remediation, as it can trigger further encryption and destroy recovery points. Instead, follow these steps:
Contact us now for urgent ransomware response assistance, 24/7
Get Help Now
Accomplishments and recognitions, demonstrating our commitment to excellence and innovation.
Momentum Leader in MDR
Best Support in MDR & IR
Managed Detection and Response (MDR)
Top Cybersecurity Company 2025
Best Managed Detection and Response Service
#4 of 184 teams Splunk Boss of the SOC
Best Of Cybersecurity Awards for Q1 2025
AWS Partner
Splunk Manage Premier Partner
Like a crime scene, a ransomware attack must be preserved — tampering with encrypted files, attempting self-recovery, or engaging with attackers can destroy critical evidence and reduce your chances of recovery.
Taking the right steps in the first moments after a DevMan attack can make a huge difference and help you make a full recovery. Request 24/7 DevMan ransomware recovery services to decrypt your data and maximize your chances of restoring operations.
DevMan evolved to Rust implementation in version 2.0 (mid-2025) following operator exposure by GangExposed, combining Rust's speed and cross-platform capability with memory safety improvements over prior C-based variants. Rust compilation complicates static analysis and evades many signature-based detections.
Unlike RaaS groups that maintain command-and-control infrastructure, DevMan operates with offline attack architecture—all reconnaissance, lateral movement, and encryption occur within the compromised network without external C2 communication, minimizing detection surface and law enforcement ability to track active attacks.
DevMan avoids recruiting affiliates, instead conducting direct intrusions using proprietary tools. This model enables tighter operational security, eliminates affiliate-related information leaks, and concentrates revenue (100% operator vs. 70-80% affiliate split in RaaS models).
DevMan shares large portions of code with DragonForce and earlier Conti variants, including identical ransom note format, Windows Restart Manager abuse techniques, and encryption implementation. Behavioral analysis identifies Conti ecosystem involvement despite rebranding.
DevMan targets SMEs in APAC regions, focusing on sectors with lower security maturity (manufacturing, logistics, smaller finance). This geographic focus suggests language expertise and familiarity with regional payment systems and law enforcement capabilities.
No legitimate public decryptor exists. DevMan uses encryption inherited from Conti lineage (RSA-4096 + AES), which is cryptographically secure. Recovery depends on offline backups or ransom payment. Key recovery via law enforcement seizure of attacker infrastructure is possible but uncommon.
Search for evidence of initial access credentials (RDP, SSH, VPN), Windows Restart Manager abuse (rstrtmgr.exe), ransom notes identical to DragonForce variants, and Rust-specific binary characteristics. Monitor for offline lateral movement without C2 communication (unusual for ransomware).
File Extensions
Not publicly documented; likely derived from Conti lineage; varies by campaign
Ransom Note Filenames
Format identical to DragonForce; likely named RECOVER_FILES.txt or similar variants inherited from Conti ecosystem
DevMan Hashes
SHA256 hashes vary due to per-victim compilation. Rust binaries exhibit characteristic markers (Go/Rust runtime sections) enabling behavioral detection despite compilation variations.
DevMan Tools
Initial Access: Compromised credentials from breach databases or phishing (no novel exploits)
Lateral Movement: Windows administrative shares (C$, ADMIN$), PsExec, SMB enumeration
Privilege Escalation: Windows Restart Manager exploitation, token impersonation
Encryption: Rust-based implementation reusing Conti algorithm
Persistence: Scheduled tasks; offline execution prevents C2-based persistence detection
Most Common Red Flag
RDP or SSH access from unusual geographies combined with rapid SMB share enumeration, lateral movement via administrative shares, and sudden appearance of ransom notes identical to DragonForce variants. Offline attack architecture means monitoring should focus on unusual credential usage and lateral movement patterns rather than external C2 communication.
Attack vector | % of DevMan incidents | Notes |
Compromised Credentials (RDP/SSH) | 65% | Credentials from breach databases, phishing, credential dumping |
Unpatched VPN/Remote Access | 20% | Exploitation of known vulnerabilities in remote access appliances |
Phishing with Malware | 10% | Malware delivering credential dumpers or reverse shells |
Supply Chain/IAB Access | 5% | Initial Access Broker credentials or compromised third-party access |
An APAC manufacturing firm lost production data; refused ransom, leading to 3-month recovery from backups. A financial services organization paid $150K; gang honored key delivery, suggesting negotiation is possible. One logistics company suffered re-infection 2 months post-recovery when operators re-used old credentials to regain access; second encryption used different key, preventing recovery with original ransom payment key.
Isolate all systems showing evidence of lateral movement or credential compromise from network immediately. Assume all credentials compromised; implement forced password reset network-wide with MFA enforcement. Remove scheduled tasks and persistence mechanisms. Restore from verified offline backups. Conduct full credential audit—assume all accounts (local, domain, service accounts) compromised.
Complete recovery from offline backups is required due to persistent backdoor risk via compromised credentials. Rotate all credentials system-wide before bringing any system back online. Implement network segmentation to isolate critical data from general network. Monitor for credential re-use attempts for 6+ months. Engage law enforcement; DevMan infrastructure seizure may enable key recovery without ransom payment.
DevMan demands range from $100,000 to $2,000,000 depending on victim organization size. Asia-Pacific SME targeting results in lower average ransom ($500K) compared to enterprise-focused groups. Negotiation is possible; reported settlement rates are 40-60% of initial demand.
10 reasons why you should choose the UnderDefense ransomware recovery consulting services:
Get Help NowDevMan is a direct-attack ransomware group that emerged in April 2025, descended from the Conti/Black Basta/DragonForce lineage. Unlike affiliate-based RaaS groups, DevMan conducts intrusions directly using proprietary tools and employs offline attack architecture—all reconnaissance, lateral movement, and encryption occur without external C2 communication. The group targets SMEs in Asia-Pacific and has adopted Rust-based implementation in version 2.0 following operator exposure, combining encryption with the DragonForce family lineage.
Attribution suggests Eastern European or Russian-based operations based on infrastructure patterns, Conti lineage indicators, and operational tempo. The group’s focus on APAC targets suggests familiarity with regional networks and business practices. No definitive attribution to nation-state actors has been published; group appears financially motivated.
DevMan gains initial access through compromised credentials (RDP, SSH, VPN) obtained from breach databases or phishing campaigns. Operators establish persistence and conduct reconnaissance using legitimate Windows administrative tools (administrative shares, PsExec), enumerate the network to identify high-value systems, exfiltrate sensitive data, and deploy the ransomware encryptor. The offline architecture means all activities occur without external C2 communication, minimizing detection opportunities.
From initial credential compromise to encryption deployment, DevMan attacks average 3-7 days of dwell time, allowing for reconnaissance and data exfiltration. Some incidents show acceleration to 24-48 hours if the gang detects active monitoring. The offline architecture enables attacks to complete without detection until encryption occurs.
No legitimate public decryptor exists. DevMan uses encryption inherited from Conti lineage (RSA-4096 + AES), which is cryptographically secure. Recovery requires offline backups or ransom payment. Law enforcement coordination with international partners may enable key recovery from seized infrastructure, though success rate is historically low.
All encrypted files become inaccessible. DevMan conducts limited data exfiltration compared to RaaS groups; the gang may threaten release of data on dark web forums, but data monetization is secondary to encryption impact. For SMEs dependent on digital infrastructure, operational disruption is severe—business processes halt, customer data becomes inaccessible, and regulatory obligations for breach notification may be triggered.
Assume credentials from breach databases are compromised and rotate passwords for all accounts (especially administrative accounts) quarterly. Implement MFA on all remote access (RDP, SSH, VPN) and administrative accounts. Monitor for unusual lateral movement via administrative shares and RDP sessions from unexpected geographies. Maintain offline, immutable backups tested quarterly. Implement network segmentation to restrict lateral movement even if credentials are compromised.
/H3/ DevMan Prevention Checklist
– Rotate all credentials quarterly, assuming breach database compromise
– Enforce MFA on RDP, SSH, VPN, and all administrative accounts
– Monitor Windows administrative share access for unusual lateral movement
– Disable or restrict RDP on workstations; use jump hosts instead
– Implement EDR with detection rules for Windows Restart Manager exploitation
– Maintain offline backup copies encrypted and verified quarterly
– Implement network segmentation using zero-trust architecture
– Monitor for SMB enumeration and unusual administrative share access
– Conduct quarterly tabletop exercises for credential compromise scenarios
– Engage law enforcement early if credential compromise is detected
Offline attack architecture (no C2 communication) provides multiple operational advantages:
1) Eliminates network indicators that enable law enforcement to track active attacks
2) Allows operators to complete encryption uninterrupted even if network monitoring detects anomalies
3) Reduces infrastructure footprint and law enforcement attribution surface
4) Enables rapid credential re-use for re-infection even if backups are restored
DevMan’s explicit focus on direct attacks (no affiliates) combined with offline architecture and Conti lineage reuse creates operational differentiation. Unlike RaaS groups that scale through affiliate networks, DevMan scales by leveraging existing code and focusing on high-confidence targets in APAC with lower incident response maturity. The Rust re-implementation (version 2.0) suggests continuous evolution post-exposure.