DEVMAN Ransomware: Analysis of New DragonForce Variant 

A new ransomware sample labeled as DragonForce or Conti exhibits unique traits linked to a threat actor named DEVMAN, indicating a hybrid built on DragonForce code but customized with distinct features. The sample demonstrates unusual behavior, such as encrypting its own ransom notes, and operates primarily offline with multiple encryption modes, highlighting shifting dynamics in the ransomware ecosystem and in actor activity. #DragonForce #DEVMAN #Conti

Key points

  • A ransomware sample resembling DragonForce includes unique DEVMAN indicators, such as the .DEVMAN file extension and custom strings, reflecting reuse of DragonForce code with modifications.
  • The ransom note copies DragonForce’s style but is itself encrypted because of a builder flaw, which prevents delivery of the ransom payment instructions.
  • Most malicious actions occur offline, with SMB probing for lateral spread attempts, but no external command and control communication was observed.
  • The sample supports three encryption modes: full file encryption, header-only encryption for faster corruption, and a custom mode tailored to different scenarios.
  • Behavior varies by operating system: wallpaper change works on Windows 10 but fails on Windows 11.
  • The ransomware utilizes Windows Restart Manager and mutexes to evade file locks, coordinate execution, and ensure encryption of locked user session files.
  • DEVMAN has its own leak site, Devman’s Place, claiming nearly 40 victims mainly in Asia and Africa, and demonstrates polite, detailed communication despite operational flaws.

MITRE Techniques

  • [T1204.002] User Execution: Malicious File – The executable requires user or threat actor interaction to launch. (“The executable requires user (or threat actor) interaction to launch.”)
  • [T1053.005] Scheduled Task/Job: Scheduled Task – Presence of scheduling-related strings implies potential persistence via scheduled tasks. (“Presence of scheduling-related strings implies possible persistence via tasking.”)
  • [T1027] Obfuscated Files or Information – Internal file renaming and ransom note scrambling indicate static obfuscation methods. (“Internal file renaming and readme scrambling suggest static obfuscation logic.”)
  • [T1070] Indicator Removal on Host – Deletes registry keys and values shortly after writing to avoid forensic traces. (“The sample deletes registry keys and values shortly after writing them.”)
  • [T1135] Network Share Discovery – Searches for SMB shares on local networks (e.g., ADMIN$ share, IP ranges 192.x, 172.x). (“Explicit scanning for SMB shares (ADMIN$, IP ranges like 192.x, 172.x).”)
  • [T1021.002] SMB/Windows Admin Shares – Uses Windows APIs such as netapi32, srvcli, and netutils to interact with administrative shares. (“Uses netapi32, srvcli, and netutils to interact with administrative shares.”)
  • [T1005] Data from Local System – Enumerates and encrypts user data including NTUSER.DAT and related log files. (“Encrypts user data including NTUSER.DAT and log files.”)
  • [T1486] Data Encrypted for Impact – Core functionality includes encrypting files with the custom .DEVMAN extension. (“Core functionality: encrypting files with .DEVMAN extension.”)
  • [T1490] Inhibit System Recovery – Attempts to interact with volume shadow copies to prevent system recovery. (“Attempts to interact with volume shadow copies.”)

Indicators of Compromise

  • [MD5 Hash] Sample file identifier – e84270afa3030b48dc9e0c53a35c65aa
  • [SHA256 Hash] Sample hashes analyzed on VirusTotal – df5ab9015833023a03f92a797e20196672c1d6525501a9f9a94a45b0904c7403, 018494565257ef2b6a4e68f1c3e7573b87fc53bd5828c9c5127f31d37ea964f8
  • [File Name] Mutex executable and encrypted ransom notes – hsfjuukjzloqu28oajh727190, e47qfsnz2trbkhnt.devman
  • [Domain] DEVMAN’s Dedicated Leak Site – Devman’s Place (context: infrastructure hosting victim data leaks)
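The indicator list above can be turned into a quick host sweep for incident responders. The following is an added example, not code from the original post or from ANY.RUN: it hashes every file under a directory, compares the digests against the MD5/SHA256 values listed on this page, and flags files that carry the .DEVMAN extension or one of the named artifacts. The `demo()` function builds a constructed directory of placeholder files (no real malware) so the sweep can be exercised offline; the extra MD5 it adds in the second pass is the digest of a constructed benign file, included only to show that hash matching fires.

```python
"""Sweep a directory tree for the DEVMAN indicators listed on this page.
Added example (not the original post's code). Hashes and names below are
copied from the page's indicator list; everything in demo() is constructed."""
import hashlib
import os
import tempfile
from pathlib import Path

KNOWN_MD5 = {"e84270afa3030b48dc9e0c53a35c65aa"}
KNOWN_SHA256 = {
    "df5ab9015833023a03f92a797e20196672c1d6525501a9f9a94a45b0904c7403",
    "018494565257ef2b6a4e68f1c3e7573b87fc53bd5828c9c5127f31d37ea964f8",
}
KNOWN_NAMES = {"hsfjuukjzloqu28oajh727190", "e47qfsnz2trbkhnt.devman"}
ENCRYPTED_EXT = ".devman"  # compared case-insensitively


def file_hashes(path):
    """Return (md5, sha256) hex digests, reading the file in 1 MiB chunks."""
    md5 = hashlib.md5()
    sha = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            md5.update(chunk)
            sha.update(chunk)
    return md5.hexdigest(), sha.hexdigest()


def classify(path, md5_set=KNOWN_MD5, sha256_set=KNOWN_SHA256, name_set=KNOWN_NAMES):
    """Return the list of indicator categories this file matches (empty if none)."""
    p = Path(path)
    reasons = []
    if p.name.lower() in name_set:
        reasons.append("known-filename")
    if p.suffix.lower() == ENCRYPTED_EXT:
        reasons.append("encrypted-extension")
    md5, sha = file_hashes(p)
    if md5 in md5_set:
        reasons.append("md5-match")
    if sha in sha256_set:
        reasons.append("sha256-match")
    return reasons


def sweep(root, **indicator_sets):
    """Walk root and return {full_path: reasons} for every file with a hit.
    Unreadable or locked files are skipped so one error does not abort the sweep."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                reasons = classify(full, **indicator_sets)
            except OSError:
                continue
            if reasons:
                hits[full] = reasons
    return hits


def demo():
    """Constructed sample directory (placeholder bytes, not real malware).
    Returns (hits, hits_with_extra_md5), both keyed by file basename."""
    root = tempfile.mkdtemp(prefix="devman_ioc_demo_")
    samples = {
        "quarterly.xlsx.DEVMAN": b"ciphertext placeholder",      # extension hit
        "e47qfsnz2trbkhnt.devman": b"scrambled note placeholder",  # name + extension
        "benign.txt": b"hello",                                    # no hit by default
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    first = {os.path.basename(p): r for p, r in sweep(root).items()}
    # Second pass: add the MD5 of the constructed benign file to prove hash matching works.
    extra_md5 = KNOWN_MD5 | {hashlib.md5(b"hello").hexdigest()}
    second = {os.path.basename(p): r for p, r in sweep(root, md5_set=extra_md5).items()}
    return first, second


if __name__ == "__main__":
    for label, result in zip(("page indicators", "page indicators + benign md5"), demo()):
        print(label, result)
```

Run it against a mounted image or a live host with `sweep("/path/to/root")`; a large count of `encrypted-extension` hits without hash matches still indicates the impact stage ran even if the dropper itself has been deleted.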

Read more: https://any.run/cybersecurity-blog/cybersecurity-blog/devman-ransomware-analysis/