devman2
Ransomware group profile
204Victims
64Impact score
Description
The Devman ransomware group emerged in 2025 as a financially motivated operation, initially functioning as an affiliate for larger ransomware gangs before evolving independently. Known for its 'Devman 2.0' version, the group engages in double-extortion tactics, exfiltrating sensitive data before encrypting it to pressure victims for ransom. They are highly active, claiming over 120 victims, and employ a sophisticated operational model focusing on stealth and rapid internal network compromise.
Key insights
- •Employs a double-extortion model, exfiltrating sensitive data before encryption.
- •Utilizes a builder flaw that sometimes encrypts its own ransom notes, making them inaccessible.
- •Targets vulnerable perimeter services such as unpatched VPNs and compromised RDP connections for initial access.
- •Known for its highly structured Ransomware-as-a-Service (RaaS) affiliate program requiring a $10,000 deposit.
- •Ransom demands can reach millions, particularly from high-revenue targets.
- •Malware capabilities include operating in multiple encryption modes and disabling security products to evade detection.
Threat Level & Status Breakdown
For devman2 · Based on incidents in selected period
2.6threat level
Aggressiveness5/ 10
Lethality0/ 10
Criticality2.8/ 10
First seenJul 2025
Last seenFeb 2026
Avg ransom—
Payment rate—
Statusactive
Sophistication0
Last updatedJun 2, 2026
Recent activity
Monthly attack count for devman2 in the selected period
204Total attacks
62peak in Dec
25.5avg / month
↓ 48 vs first month
Intelligence
IOCs, YARA/Sigma rules, and related families for devman2
- 1c65d2a20ccf6c6eccdec1cb4a97935c
- 88bd49b1bd9c2bde78bc4e394c993035e0fde3ea
- 16bc5adc4f46cdf7c4852d17ebf9f499
- 9f431d5549a03aee92cfd2bdbbe90f1c91e965c99e90a0c9ad5a001f4e80c350
- f150d19c57a910d714ef773a470bbb8ad88185f4b4713852fce706a1e7482b59
- 56dfe55b016c08f09dd5a2ab58504b377a3cd66ffba236a5a0539f6e2e39aa71
- f588802958c35fe18eb87bc36651a3d1
- df5ab9015833023a03f92a797e20196672c1d6525501a9f9a94a45b0904c7403
- 15ca8d66aa1404edaa176ccd815c57effea7ed2f
- cc14df781475ef0f3f2c441d03a622ea67cd86967526f8758ead6f45174db78e
- 1f6640102f6472523830d69630def669dc3433bbb1c0e6183458bd792d420f8e
- 35da45aeca4701764eb49185b11ef23432f7162a
- 1406e538fc441e89ce3d1747017f97a5
- 8f31f69f88a75d5faab4f94cfc2ec8a649fe1a24
- 3e2272b916da4be3c120d17490423230ab62c174
- 6bc8e3505d9f51368ddf323acb6abc49
- 3a24cd31c8287f7ee7336936a95f82b5d71a3746d210b4240869f3e3f5b34208
- e84270afa3030b48dc9e0c53a35c65aa
- d520d06d78afcad2e03842cb8db4622d18b92739e89dfb8dadf5743f30dcd903
- 0b12eb25db68d8714ba52583597ed20e5fab2f6e82dcd0bcb23161acb4a9a126
- ce1b9909cef820e5281618a7a0099a27a70643dc
- 28df16894a6732919c650cc5a3de94e434a81d80
- e75e5778e71e062ce4a7af673f0b2513854d2367fee0f01a26c0c998863bdf6e
- 2a0ec79f3d0d2f2996a9c5263a112197
- f0410358a0d9dbd0dff3113d9c744ca7
- 29baab2551064fa30fb18955ccc8f332bd68ddd4
- b8c046a7c3a28653662140bb2eaad32d
- eae09889399fe4fb8e78b114dba0527de913d12fb1802944a88ed136e3e90577
TTPs & Attack Vectors
Tools, initial access, and MITRE ATT&CK techniques for devman2
Other
T1486
T1486
T1490
T1490
T1021
T1021
T1562
T1562
T1080
T1080
T1078
T1078
T1547
T1547
T1059
T1059
T1021.001
T1021.001
T1110
T1110
T1047
T1047
T1071.001
T1071.001
Victims(200)
| Company | Domain | Country | Industry | Status | Discovered | |
|---|---|---|---|---|---|---|
| Crystal Coast Pain Management | — | US United States | Healthcare | Unknown | 4 months ago | |
| ENCOMPASS-INC | — | — | Financial Services | Unknown | 4 months ago | |
| woodwardoralsurgery.com | — | US United States | Healthcare | Unknown | 4 months ago | |
| wjnklaw.com | — | US United States | Professional Services | Unknown | 4 months ago | |
| consultaegis.com | — | US United States | Government & Defense | Unknown | 4 months ago | |
| Zallc | zallc.org | US United States | Professional Services | Unknown | 4 months ago | |
| **ps.net | — | PS Palestine | — | Unknown | 4 months ago | |
| ***vandenberg.com | — | US United States | — | Unknown | 4 months ago | |
| z*l*c.o*g | — | — | Financial Services | Unknown | 4 months ago | |
| twi-group.com | — | US United States | Transportation | Unknown | 4 months ago | |
| c*n**lta**i*.com | — | US United States | Government & Defense | Unknown | 4 months ago | |
| cs.at | — | AT Austria | Financial Services | Unknown | 4 months ago | |
| **.at | — | AT Austria | — | Unknown | 4 months ago | |
| ****cr*nem*ds.c*m | — | — | Healthcare | Unknown | 4 months ago | |
| ***-gr*up.com | — | — | — | Unknown | 4 months ago | |
| Automax | automax.com | — | Retail & E-Commerce | Unknown | 4 months ago | |
| Syrmasgs | — | IN India | — | Unknown | 4 months ago | |
| ***m*sic.fi | — | FI Finland | — | Unknown | 4 months ago | |
| www.****law.com | — | — | Professional Services | Unknown | 4 months ago | |
| ***om****s-***.com | — | — | — | Unknown | 4 months ago |
Page 1 of 10
Affected countries(57)
Countries where this group has been reported to target or leak victims.
🇦🇪United Arab Emirates🇦🇷Argentina🇦🇹Austria🇦🇺Australia🇧🇪Belgium🇧🇬BulgariaBolivia, Plurinational State of🇧🇷Brazil🇨🇦Canada🇨🇭Switzerland🇨🇱Chile🇨🇲Cameroon🇨🇳China🇨🇴Colombia🇩🇪Germany🇩🇰Denmark🇪🇨Ecuador🇪🇬Egypt🇪🇸Spain🇫🇮Finland🇫🇷France🇬🇧United Kingdom🇬🇪Georgia🇬🇷Greece🇭🇰Hong Kong🇮🇱Israel🇮🇳India🇮🇹Italy🇯🇲Jamaica🇯🇴Jordan🇯🇵Japan🇰🇪Kenya🇰🇭CambodiaKorea, Republic of🇱🇧Lebanon🇲🇽Mexico🇲🇾Malaysia🇳🇱Netherlands🇳🇴Norway🇵🇪Peru🇵🇭Philippines🇵🇰PakistanPalestine, State of🇵🇹PortugalRussian Federation🇸🇦Saudi Arabia🇸🇬SingaporeSvalbard and Jan Mayen🇸🇰Slovakia🇸🇳Senegal🇹🇭Thailand🇹🇳TunisiaTaiwan, Province of China🇺🇸United StatesVenezuela, Bolivarian Republic of🇻🇳Vietnam🇿🇦South Africa