devman2

Ransomware group profile

204Victims

75Impact score

Description

The Devman ransomware group emerged in 2025 as a financially motivated operation, initially functioning as an affiliate for larger ransomware gangs before evolving independently. Known for its 'Devman 2.0' version, the group engages in double-extortion tactics, exfiltrating sensitive data before encrypting it to pressure victims for ransom. They are highly active, claiming over 120 victims, and employ a sophisticated operational model focusing on stealth and rapid internal network compromise.

Key insights

•Employs a double-extortion model, exfiltrating sensitive data before encryption.
•Utilizes a builder flaw that sometimes encrypts its own ransom notes, making them inaccessible.
•Targets vulnerable perimeter services such as unpatched VPNs and compromised RDP connections for initial access.
•Known for its highly structured Ransomware-as-a-Service (RaaS) affiliate program requiring a $10,000 deposit.
•Ransom demands can reach millions, particularly from high-revenue targets.
•Malware capabilities include operating in multiple encryption modes and disabling security products to evade detection.

Industries

Education Energy & Utilities Financial Services Government & Defense Healthcare Hospitality Manufacturing Other Professional Services Retail & E-Commerce Technology Transportation

Threat Level & Status Breakdown

For devman2 · Based on incidents in selected period

2.6threat level

Aggressiveness5/ 10

Lethality0/ 10

Criticality2.8/ 10

First seenJul 2025

Last seenFeb 2026

Avg ransom—

Payment rate—

Statusactive

Sophistication0

Last updatedJun 20, 2026

Recent activity

Monthly attack count for devman2 in the selected period

204Total attacks

62peak in Dec

25.5avg / month

↓ 48 vs first month

Intelligence

IOCs, YARA/Sigma rules, and related families for devman2

1c65d2a20ccf6c6eccdec1cb4a97935c
88bd49b1bd9c2bde78bc4e394c993035e0fde3ea
16bc5adc4f46cdf7c4852d17ebf9f499
9f431d5549a03aee92cfd2bdbbe90f1c91e965c99e90a0c9ad5a001f4e80c350
f150d19c57a910d714ef773a470bbb8ad88185f4b4713852fce706a1e7482b59
56dfe55b016c08f09dd5a2ab58504b377a3cd66ffba236a5a0539f6e2e39aa71
770c1dc157226638f8ad1ac9669f4883
f588802958c35fe18eb87bc36651a3d1
1f5ae3b51b2dbf9419f4b7d51725a49023abc81c
df5ab9015833023a03f92a797e20196672c1d6525501a9f9a94a45b0904c7403
15ca8d66aa1404edaa176ccd815c57effea7ed2f
cc14df781475ef0f3f2c441d03a622ea67cd86967526f8758ead6f45174db78e
1f6640102f6472523830d69630def669dc3433bbb1c0e6183458bd792d420f8e
1406e538fc441e89ce3d1747017f97a5
8f31f69f88a75d5faab4f94cfc2ec8a649fe1a24
3e2272b916da4be3c120d17490423230ab62c174
6bc8e3505d9f51368ddf323acb6abc49
3a24cd31c8287f7ee7336936a95f82b5d71a3746d210b4240869f3e3f5b34208
e84270afa3030b48dc9e0c53a35c65aa
0b12eb25db68d8714ba52583597ed20e5fab2f6e82dcd0bcb23161acb4a9a126
ce1b9909cef820e5281618a7a0099a27a70643dc
28df16894a6732919c650cc5a3de94e434a81d80
2a0ec79f3d0d2f2996a9c5263a112197
f0410358a0d9dbd0dff3113d9c744ca7
d67a475f72ca65fd1ac5fd3be2f1cce2db78ba074f54dc4c4738d374d0eb19c7
29baab2551064fa30fb18955ccc8f332bd68ddd4
b8c046a7c3a28653662140bb2eaad32d
c7b91de4b4b10c22f2e3bca1e2603160588fd8fd829fd46103cf536b6082e310
94f73b5dc06ba6705fcef3e759413a747049c2949a0c2e44afc03b2f9989cf73
0dfe23ab86cb5c1bfaf019521f3163aa5315a9ca3bb67d7d34eb51472c412b22
c5f49c0f566a114b529138f8bd222865c9fa9fa95f96ec1ded50700764a1d4e7
4db090498a57b85411417160747ffd8d4875f98b3ca2b83736a68900b7304d2b
3a6e2c775c9c1060c54a9a94e80d923a
c844d02c91d5e6dc293de80085ad2f69b5c44bc46ec9fdaa4e3efbda062c871c
80e3a04fa68be799b3c91737e1918f8394b250603a231a251524244e4d7f77d9
b72e4d7591f207439134b68fb9064903c0ea844f
82ed942a52cdcf120a8919730e00ba37619661a3
c3804d1329b55a37bfa2f835e1e9bbc7bdb2b260f8e3627c06e02c9f52685d44
cf7cad39407d8cd93135be42b6bd258f
b4315d71fb374e4d6b12b7b3c412b027f2d5c231
6a784b693da28eb0eb3e8c6e233c0bbd

View full IOC feed500 total

TTPs & Attack Vectors

Tools, initial access, and MITRE ATT&CK techniques for devman2

Other

T1486

T1490

T1021

T1562

T1080

T1078

T1547

T1059

T1021.001

T1110

T1047

T1071.001

Victims(200)

Company	Domain	Country	Industry	Status	Discovered
Crystal Coast Pain Management	—	US United States	Healthcare	Unknown	5 months ago
ENCOMPASS-INC	—	—	Financial Services	Unknown	5 months ago
woodwardoralsurgery.com	—	US United States	Healthcare	Unknown	5 months ago
wjnklaw.com	—	US United States	Professional Services	Unknown	5 months ago
consultaegis.com	—	US United States	Government & Defense	Unknown	5 months ago
Zallc	zallc.org	US United States	Professional Services	Unknown	5 months ago
**ps.net	—	PS Palestine	—	Unknown	5 months ago
***vandenberg.com	—	US United States	—	Unknown	5 months ago
zlc.o*g	—	—	Financial Services	Unknown	5 months ago
twi-group.com	—	US United States	Transportation	Unknown	5 months ago
cnltai.com	—	US United States	Government & Defense	Unknown	5 months ago
cs.at	—	AT Austria	Financial Services	Unknown	5 months ago
**.at	—	AT Austria	—	Unknown	5 months ago
***crnemds.cm	—	—	Healthcare	Unknown	5 months ago
**-grup.com	—	—	—	Unknown	5 months ago
Automax	automax.com	—	Retail & E-Commerce	Unknown	5 months ago
Syrmasgs	—	IN India	—	Unknown	5 months ago
**msic.fi	—	FI Finland	—	Unknown	5 months ago
www.****law.com	—	—	Professional Services	Unknown	5 months ago
*oms-*.com	—	—	—	Unknown	5 months ago

Page 1 of 10

Affected countries(60)

Countries where this group has been reported to target or leak victims.

🇦🇪United Arab Emirates 🇦🇷Argentina 🇦🇹Austria 🇦🇺Australia 🇧🇪Belgium 🇧🇬Bulgaria Bolivia, Plurinational State of 🇧🇷Brazil 🇨🇦Canada 🇨🇭Switzerland 🇨🇱Chile 🇨🇲Cameroon 🇨🇳China 🇨🇴Colombia 🇩🇪Germany 🇩🇰Denmark 🇪🇨Ecuador 🇪🇬Egypt 🇪🇸Spain 🇫🇮Finland 🇫🇷France 🇬🇧United Kingdom 🇬🇪Georgia 🇬🇷Greece 🇭🇰Hong Kong 🇮🇩Indonesia 🇮🇱Israel 🇮🇳India 🇮🇹Italy 🇯🇲Jamaica 🇯🇴Jordan 🇯🇵Japan 🇰🇪Kenya 🇰🇭Cambodia Korea, Republic of 🇱🇧Lebanon 🇲🇽Mexico 🇲🇾Malaysia 🇳🇱Netherlands 🇳🇴Norway 🇵🇪Peru 🇵🇭Philippines 🇵🇰Pakistan 🇵🇱Poland Palestine, State of 🇵🇹Portugal Russian Federation 🇸🇦Saudi Arabia 🇸🇬Singapore Svalbard and Jan Mayen 🇸🇰Slovakia 🇸🇳Senegal 🇹🇭Thailand 🇹🇳Tunisia 🇹🇷Turkey Taiwan, Province of China 🇺🇸United States Venezuela, Bolivarian Republic of 🇻🇳Vietnam 🇿🇦South Africa