惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

The Hacker News
The Hacker News
C
Cisco Blogs
P
Privacy & Cybersecurity Law Blog
Cloudbric
Cloudbric
S
Security Affairs
PCI Perspectives
PCI Perspectives
The Last Watchdog
The Last Watchdog
AWS News Blog
AWS News Blog
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
N
News and Events Feed by Topic
W
WeLiveSecurity
T
Tenable Blog
L
LINUX DO - 最新话题
T
Tor Project blog
Help Net Security
Help Net Security
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
P
Proofpoint News Feed
爱范儿
爱范儿
O
OpenAI News
Hacker News - Newest:
Hacker News - Newest: "LLM"
Y
Y Combinator Blog
I
Intezer
C
Check Point Blog
Stack Overflow Blog
Stack Overflow Blog
Recent Announcements
Recent Announcements
Google DeepMind News
Google DeepMind News
S
Securelist
P
Privacy International News Feed
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
V
Vulnerabilities – Threatpost
Schneier on Security
Schneier on Security
量子位
SecWiki News
SecWiki News
L
Lohrmann on Cybersecurity
T
Threat Research - Cisco Blogs
Recent Commits to openclaw:main
Recent Commits to openclaw:main
M
MIT News - Artificial intelligence
H
Hackread – Cybersecurity News, Data Breaches, AI and More
Scott Helme
Scott Helme
H
Help Net Security
Vercel News
Vercel News
云风的 BLOG
云风的 BLOG
Spread Privacy
Spread Privacy
Know Your Adversary
Know Your Adversary
I
InfoQ
TaoSecurity Blog
TaoSecurity Blog
Blog — PlanetScale
Blog — PlanetScale
N
News | PayPal Newsroom
小众软件
小众软件
C
CERT Recently Published Vulnerability Notes

Vectra AI Blog

Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Why You Need an NDR to Protect Your Modern Network Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI named in Gartner hype cycle for security operations 2025 Vectra AI Vectra AI Vectra AI How Sanofi Detected and Stopped a Cyberattack How MITRE ATLAS Helps Detect LLM Attacks in Cloud AI Detecting Iranian APT identity attacks across hybrid environments Vectra AI Vectra AI Vectra AI Breaking down the axios supply chain incident Vectra AI Vectra AI Who’s Doing What on Your Network? FortiClient EMS Zero-Day: When the Control Plane Becomes Initial Access Detecting Compromise After the Axios Supply Chain Attack. Vectra AI Vectra AI Vectra AI AI Is Now the Attack Surface: Why Your Security Stack Must Adapt Fast Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI How attackers use Brute Ratel (BRC4) Vectra AI Vectra AI Vectra AI The Cutting Edge: AI’s Inevitable Rise in Offensive Security Vectra AI Vectra AI Is AI the Right Tool to Defend Against Modern Cyberattacks? Vectra AI Vectra AI Vectra AI Turns Out Network Security Is Cool Again – and It’s Called NDR Vectra AI Vectra AI Vectra AI Choosing the Right NDR: Gartner’s 5 Questions Every Security Buyer Should Be Asking Vectra AI Vectra AI Named a Leader and Outperformer in the 2025 GigaOm Radar Report for Identity Threat Detection and Response (ITDR) Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI You Have the Right Tools. So Why Are Attackers Still Getting In? Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Challenges in Microsoft Log Monitoring: Insights for Your SOC Vectra AI Platform Visualizes Multi-domain Modern Attacks with Attack Graphs Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Vectra AI Gartner Security and Risk Conference – Chaos meets Opportunity Vectra AI Named a Leader and Outperformer in the 2025 GigaOm Radar Report for Network Detection and Response (NDR) Presenting the 2025 Vectra AI Scholars Simplify Threat Investigation and Hunting with Pre-built Queries in Vectra Investigate The 2025 Gartner® Magic Quadrant™ for Network Detection and Response (NDR) - Why Vectra AI Stands Tall Vectra AI Vectra AI Vectra AI Vectra AI How Black Basta Turned Public Data into a Breach Playbook Play’s New Tactics Bypass Traditional Defenses. Are You Ready? Charting a New Era of Network Security: Vectra AI at the Forefront Unlocking Operational Efficiency: How Vectra AI Drives 40% Gains in SOC Performance and 391% ROI Identity-Centric Attacks: The New Reality for UK Retail CISA Flags Fast Flux as a National Threat: Are You Covered? AI Agents: What Do They Mean in Cybersecurity?
Vectra AI
Zoey Chu · 2025-10-17 · via Vectra AI Blog

Ransomware operations don’t disappear. They evolve.

The ransomware names may change, but the operators, infrastructure, and behaviors often persist under new branding. The latest example is DevMan, a group operating on modified DragonForce code and positioned as the newest entrant in a long lineage of ransomware families built on top of Conti and Black Basta foundations.

While multiple security vendors and analysts have noted technical and operational similarities across these groups, attribution in ransomware remains complex. The rise of DevMan is better understood as a continuation of code reuse, affiliate migration, and shared tooling rather than a definitive link to any specific operator.

The Conti Legacy: The Code That Never Died

Conti’s leaked source code remains one of the most reused ransomware frameworks in existence. It directly fueled the development of Black Basta, and later the DragonForce ransomware family. The leaked Black Basta chat logs further confirmed that its leader, Tramp, had long-standing ties with LockBitSupp, the administrator of the LockBit RaaS empire.

Conversation between BlackBasta and LockBit found in the BlackBasta leaked chatlogs

By September 2025, DragonForce announced a coalition with Qilin and LockBit, creating a cross-affiliate ransomware network. The same names reappear across leak sites, affiliate programs, and shared infrastructure, reinforcing that ransomware today operates as an ecosystem, not isolated crews.

Screenshot of the DragonForce + Qilin + LockBit coalition announcement. Source: ReliaQuest

The DragonForce Model and the Birth of DevMan

DragonForce introduced a “Dragons-as-a-Service” model, offering affiliates prebuilt ransomware, Tor infrastructure, and leak site publishing rights under its brand. This RaaS program allowed emerging operators to launch attacks quickly, using proven tools.

DevMan first surfaced in mid-April 2025, initially acting as an affiliate for Qilin (Agenda) and DragonForce, while also linked to APOS operations (APOS has also been linked to PEAR since…). Early attacks mirrored DragonForce playbooks: VPN exploitation for entry, SMB probing for lateral movement, and double extortion tactics.

By July 2025, everything changed. DevMan split from DragonForce, launching his own infrastructure including the first leak site called “DevMan’s Place.” Forensic analysis published by ANY.RUN on July 1 confirmed that his payload reused DragonForce code, itself based on Conti, and included several technical flaws:

  • The ransom note self-encrypts, a builder misconfiguration.
  • The wallpaper feature fails on Windows 11 but works on Windows 10.
  • Three encryption modes are included: full, header-only, and custom.
  • The malware operates entirely offline, with only SMB-based network activity.

The .DEVMAN file extension and new internal strings distinguish the variant, but its DNA remains unmistakably DragonForce.

Layer Common Tools Typical Blind Spots Attacker Advantage
Conti (2022) Original codebase Private crew Manual negotiation, internal hierarchy
Black Basta (2023–2024) Fork of Conti Semi-private Focus on large enterprises, steady leaks
DragonForce (2024–present) Based on Conti code Public RaaS Builder tools, coalition model, Qilin + LockBit ties
DevMan (2025–present) Modified DragonForce code Hybrid RaaS Custom extension (.DEVMAN), offline encryption, independent branding

Attribution in Ransomware Ecosystems is Complex

Attribution in ransomware ecosystems is inherently complicated. As Jon DiMaggio notes in The Art of Attribution (Analyst1, 2024), accurately linking one operation to another requires alignment across technical, behavioral, and human evidence rather than relying on code similarities or timelines alone.

DevMan, like many emerging operators, sits at the intersection of reused codebases, repurposed infrastructure, and shared affiliate networks. The overlap with DragonForce and indirect ties to Conti and Black Basta reflect the broader realities of the ransomware ecosystem. Groups borrow, buy, copy, or modify code. Affiliates frequently migrate across operations. Tooling is resold, leaked, or bundled into new RaaS services.

This creates continuity at a technical level without necessarily implying continuity of leadership. For this reason, DevMan is best understood as a product of ecosystem reuse rather than a confirmed extension of any prior operator.

DevMan 2.0: From Operator to RaaS Provider

By late 2025, DevMan had evolved from operator to provider. On September 30, 2025, he launched DevMan 2.0, a redesigned Ransomware-as-a-Service platform with affiliate recruitment, a builder dashboard, and new variants written in Rust.

Screenshots from the platform reveal:

  • A web-based affiliate dashboard for building encryptors targeting Windows, Linux, and ESXi.
  • A structured profit-sharing model, offering 22% revenue share for affiliates generating under $20 million.
  • Automated data exfiltration utilities and ransom note customization.
  • Rules of conduct prohibiting attacks against CIS states and healthcare entities related to children.

In practice, DevMan 2.0 functions much like DragonForce, but with branding, infrastructure, and affiliate control entirely under one operator.

Screenshot of the DevMan RaaS website

Screenshot of DevMan's RaaS website. Source: Analyst1.com

Why It Matters for Defenders

DevMan illustrates how ransomware operations can rebrand, restructure, and redistribute code without altering the underlying behaviors used during intrusions. SOC teams face adversaries who change names frequently, but their techniques remain consistent.

Across Conti, Black Basta, DragonForce, and DevMan, several behaviors continue to surface:

  • Offline encryption and lateral movement via SMB and RDP.
  • Use of legitimate tools for persistence.
  • Rapid affiliate onboarding using shared builder frameworks.

Signature-based defenses fail against this model. What remains constant is attacker behavior, visible in network traffic, identity misuse, and privilege escalation attempts. These are exactly the patterns the Vectra AI Platform detects in real time.

How Vectra AI Detects What Rebrands Can’t Hide

Whether or not attribution can be confirmed, the behaviors are what matter for defenders. The Vectra AI Platform focuses on detecting attacker tactics and behaviors, not brand names.

By analyzing identity, network, and cloud behaviors, the Vectra AI Platform detects the signs of ransomware execution and lateral movement before encryption begins, whether it’s DevMan, Play, Qilin, Scattered Spider or any other APT group.

Attackers can change their names, but not their behaviors.

With Vectra AI, you can see what they can’t hide.

Watch a self-guided demo of the Vectra AI Platform to see how behavioral AI detects ransomware activity, even across rebrands.