What to do if you're hit by ransomware?

Do NOT attempt any self-remediation, as it can trigger further encryption and destroy recovery points. Instead, follow these steps:

1
Do NOT fix it yourself
2
Disconnect affected systems
3
Call us +1 332 331 8700

Contact us now for urgent ransomware response assistance, 24/7

Get Help Now
Frame

Experts. Finalists. Winners.

Accomplishments and recognitions, demonstrating our commitment to excellence and innovation.

Momentum Leader in MDR

Best Support in MDR & IR

Managed Detection and Response (MDR)

Top Cybersecurity Company 
2025

Best Managed Detection and Response Service

#4 of 184 teams Splunk Boss of the SOC

Best Of Cybersecurity Awards for Q1 2025

AWS Partner

Splunk Manage Premier Partner

Image (11) (1)

Why you shouldn’t attempt 
to fix it alone

Like a crime scene, a ransomware attack must be preserved — tampering with encrypted files, attempting self-recovery, or engaging with attackers can destroy critical evidence and reduce your chances of recovery.

Taking the right steps in the first moments after a DevMan attack can make a huge difference and help you make a full recovery. Request 24/7 DevMan ransomware recovery services to decrypt your data and maximize your chances of restoring operations.

Contact us now for urgent ransomware recovery assistance

Under attack?

Get Help Now

DevMan ransomware statistics & facts

DevMan Decryptor
DevMan IOCs
DevMan Attack Vectors
Case Outcomes
How to Remove DevMan Ransomware
How to Recover from DevMan Ransomware
Ransom Amounts
DevMan Decryptor

No legitimate public decryptor exists. DevMan uses encryption inherited from Conti lineage (RSA-4096 + AES), which is cryptographically secure. Recovery depends on offline backups or ransom payment. Key recovery via law enforcement seizure of attacker infrastructure is possible but uncommon.

DevMan IOCs

Search for evidence of initial access credentials (RDP, SSH, VPN), Windows Restart Manager abuse (rstrtmgr.exe), ransom notes identical to DragonForce variants, and Rust-specific binary characteristics. Monitor for offline lateral movement without C2 communication (unusual for ransomware).

File Extensions
Not publicly documented; likely derived from Conti lineage; varies by campaign

Ransom Note Filenames
Format identical to DragonForce; likely named RECOVER_FILES.txt or similar variants inherited from Conti ecosystem

DevMan Hashes
SHA256 hashes vary due to per-victim compilation. Rust binaries exhibit characteristic markers (Go/Rust runtime sections) enabling behavioral detection despite compilation variations.

DevMan Tools
Initial Access: Compromised credentials from breach databases or phishing (no novel exploits)
Lateral Movement: Windows administrative shares (C$, ADMIN$), PsExec, SMB enumeration
Privilege Escalation: Windows Restart Manager exploitation, token impersonation
Encryption: Rust-based implementation reusing Conti algorithm
Persistence: Scheduled tasks; offline execution prevents C2-based persistence detection

Most Common Red Flag
RDP or SSH access from unusual geographies combined with rapid SMB share enumeration, lateral movement via administrative shares, and sudden appearance of ransom notes identical to DragonForce variants. Offline attack architecture means monitoring should focus on unusual credential usage and lateral movement patterns rather than external C2 communication.

DevMan Attack Vectors

Attack vector

% of DevMan incidents

Notes

Compromised Credentials (RDP/SSH)

65%

Credentials from breach databases, phishing, credential dumping

Unpatched VPN/Remote Access

20%

Exploitation of known vulnerabilities in remote access appliances

Phishing with Malware

10%

Malware delivering credential dumpers or reverse shells

Supply Chain/IAB Access

5%

Initial Access Broker credentials or compromised third-party access

Powered By WP Table Builder
Case Outcomes

An APAC manufacturing firm lost production data; refused ransom, leading to 3-month recovery from backups. A financial services organization paid $150K; gang honored key delivery, suggesting negotiation is possible. One logistics company suffered re-infection 2 months post-recovery when operators re-used old credentials to regain access; second encryption used different key, preventing recovery with original ransom payment key.

How to Remove DevMan Ransomware

Isolate all systems showing evidence of lateral movement or credential compromise from network immediately. Assume all credentials compromised; implement forced password reset network-wide with MFA enforcement. Remove scheduled tasks and persistence mechanisms. Restore from verified offline backups. Conduct full credential audit—assume all accounts (local, domain, service accounts) compromised.

How to Recover from DevMan Ransomware

Complete recovery from offline backups is required due to persistent backdoor risk via compromised credentials. Rotate all credentials system-wide before bringing any system back online. Implement network segmentation to isolate critical data from general network. Monitor for credential re-use attempts for 6+ months. Engage law enforcement; DevMan infrastructure seizure may enable key recovery without ransom payment.

Ransom Amounts

DevMan demands range from $100,000 to $2,000,000 depending on victim organization size. Asia-Pacific SME targeting results in lower average ransom ($500K) compared to enterprise-focused groups. Negotiation is possible; reported settlement rates are 40-60% of initial demand.

Our customers say it best

Contact us now for urgent ransomware recovery assistance

Under attack?

Get Help Now

Frequently asked questions

What Is DevMan Ransomware?

DevMan is a direct-attack ransomware group that emerged in April 2025, descended from the Conti/Black Basta/DragonForce lineage. Unlike affiliate-based RaaS groups, DevMan conducts intrusions directly using proprietary tools and employs offline attack architecture—all reconnaissance, lateral movement, and encryption occur without external C2 communication. The group targets SMEs in Asia-Pacific and has adopted Rust-based implementation in version 2.0 following operator exposure, combining encryption with the DragonForce family lineage.

Where Is DevMan Based?

Attribution suggests Eastern European or Russian-based operations based on infrastructure patterns, Conti lineage indicators, and operational tempo. The group’s focus on APAC targets suggests familiarity with regional networks and business practices. No definitive attribution to nation-state actors has been published; group appears financially motivated.

How Does DevMan Attack?

DevMan gains initial access through compromised credentials (RDP, SSH, VPN) obtained from breach databases or phishing campaigns. Operators establish persistence and conduct reconnaissance using legitimate Windows administrative tools (administrative shares, PsExec), enumerate the network to identify high-value systems, exfiltrate sensitive data, and deploy the ransomware encryptor. The offline architecture means all activities occur without external C2 communication, minimizing detection opportunities.

How Long Do DevMan Attacks Last?

From initial credential compromise to encryption deployment, DevMan attacks average 3-7 days of dwell time, allowing for reconnaissance and data exfiltration. Some incidents show acceleration to 24-48 hours if the gang detects active monitoring. The offline architecture enables attacks to complete without detection until encryption occurs.

Can DevMan Files Be Decrypted?

No legitimate public decryptor exists. DevMan uses encryption inherited from Conti lineage (RSA-4096 + AES), which is cryptographically secure. Recovery requires offline backups or ransom payment. Law enforcement coordination with international partners may enable key recovery from seized infrastructure, though success rate is historically low.

What Happens After DevMan Encryption?

All encrypted files become inaccessible. DevMan conducts limited data exfiltration compared to RaaS groups; the gang may threaten release of data on dark web forums, but data monetization is secondary to encryption impact. For SMEs dependent on digital infrastructure, operational disruption is severe—business processes halt, customer data becomes inaccessible, and regulatory obligations for breach notification may be triggered.

How Can Organizations Prevent DevMan?

Assume credentials from breach databases are compromised and rotate passwords for all accounts (especially administrative accounts) quarterly. Implement MFA on all remote access (RDP, SSH, VPN) and administrative accounts. Monitor for unusual lateral movement via administrative shares and RDP sessions from unexpected geographies. Maintain offline, immutable backups tested quarterly. Implement network segmentation to restrict lateral movement even if credentials are compromised.

DevMan Prevention Checklist

/H3/ DevMan Prevention Checklist
– Rotate all credentials quarterly, assuming breach database compromise
– Enforce MFA on RDP, SSH, VPN, and all administrative accounts
– Monitor Windows administrative share access for unusual lateral movement
– Disable or restrict RDP on workstations; use jump hosts instead
– Implement EDR with detection rules for Windows Restart Manager exploitation
– Maintain offline backup copies encrypted and verified quarterly
– Implement network segmentation using zero-trust architecture
– Monitor for SMB enumeration and unusual administrative share access
– Conduct quarterly tabletop exercises for credential compromise scenarios
– Engage law enforcement early if credential compromise is detected

Why Does DevMan Operate Offline During the Attack?

Offline attack architecture (no C2 communication) provides multiple operational advantages:
1) Eliminates network indicators that enable law enforcement to track active attacks
2) Allows operators to complete encryption uninterrupted even if network monitoring detects anomalies
3) Reduces infrastructure footprint and law enforcement attribution surface
4) Enables rapid credential re-use for re-infection even if backups are restored

What Makes DevMan Different from Other Direct-Attack Ransomware Groups?

DevMan’s explicit focus on direct attacks (no affiliates) combined with offline architecture and Conti lineage reuse creates operational differentiation. Unlike RaaS groups that scale through affiliate networks, DevMan scales by leveraging existing code and focusing on high-confidence targets in APAC with lower incident response maturity. The Rust re-implementation (version 2.0) suggests continuous evolution post-exposure.