@Inifintyink
Devman
Devman is a ransomware operation/RaaS actor that emerged in late 2024 and became operationally visible at scale in 2025; some reporting specifically states it first emerged in April 2025.
Profile source: Mallory opens in a new tabDevman
Family profile
Devman is a ransomware operation/RaaS actor that emerged in late 2024 and became operationally visible at scale in 2025; some reporting specifically states it first emerged in April 2025. It is described as believed to be based in Russia or Russia-linked. Multiple sources state Devman uses modified DragonForce code and code derived from the leaked Conti source; reporting also places it within the DragonForce ecosystem and identifies associated relationships between DragonForce and DEVMAN. Known aliases in the provided content are devman and devman_ransomware.
The group conducts double-extortion style activity via a leak site, including references to Devman 2.0 and statements that it intended to launch a RaaS offering on June 20, 2025. Public reporting cited in the content associates Devman campaigns with the .DEVMAN encrypted extension and the ransom-note filename e47qfsnz2trbkhnt.devman. The content also states Devman was the first group to publicize discovery of a leak site in April 2025 and that it mentioned Qilin when uploading victim companies.
Victimology in the provided content spans multiple continents, with reporting noting concentration in Asia and Africa and occasional activity in Latin America and Europe. Mentioned victims/targets include Shimao Group in China, GSCCCA in the United States, New Horizons Medical, Níjar in Spain, Kenya’s National Social Security Fund, Thailand’s Ministry of Labour, Elematec Corporation in Japan, and claimed May victims including SMV Thailand, GMA Network, Doves IT, NSSF Kenya, and Daily News Thailand. Reported ransom demands include $91 million against Shimao Group, $4.5 million against Kenya’s NSSF, $400,000 against GSCCCA, $10 million against Elematec, and $15 million against Thailand’s Ministry of Labour.
The content also describes Devman claiming disruptive activity against Thailand’s Ministry of Labour, including website defacement, more than 43 days of access, exfiltration of more than 300 GB, wiping Active Directory, disrupting servers, and encrypting about 2,000 laptops. In OT-related reporting, Devman published screenshots of OT control consoles and dashboards and falsely claimed to have developed ICS-aware ransomware; Dragos stated it found no evidence supporting those ICS-capability claims or indicating Devman could interact with ICS equipment.
Several reports describe links between Devman and other actors. Microsoft Threat Intelligence reportedly identified Octo Tempest/Scattered Spider as a Qilin affiliate and stated the affiliate roster reportedly also included groups like Devman and Arkana. Separate reporting notes strong overlaps between Devman and the later Vect ransomware operation, including builder samples containing "DEVMAN 3.0" strings, DM-prefixed lateral movement tasks, and near-identical ransom notes; Devman’s dormancy in February 2026 coincided with Vect’s debut. The content also states Devman’s operator "Tramp," described as a former Conti and Black Basta affiliate, was added to Interpol’s wanted list in January 2026.
Operationally, the content indicates Devman declined sharply in Q1 2026, falling from 82 victims in Q4 2025 to 25 in Q1 2026, and another source lists Devman among groups that ceased operations or had leak sites taken down in H1 2025/2026 reporting. Overall, the provided content consistently characterizes Devman as a Russia-linked ransomware/RaaS actor tied to DragonForce/Conti code lineage, active primarily in 2025 and early 2026, with broad multi-sector targeting and public leak-site extortion.
Ransomware.live
Operational record
Ransomware.live
Published indicators
Tox
1 total9D97F166730F865F793E2EA07B173C742A6302879DE1B0BBB03817A5A04B572FBD82F984981D
Ip
3 total83.217.209.21038.132.122.21338.132.122.214
MITRE ATT&CK