devman

Tácticas y técnicas observadas del actor, mapeadas a MITRE ATT&CK (clic para ver la ficha oficial). Útil para priorizar detecciones.

Para detección/bloqueo en tu EDR/SIEM. Fuente: ransomware.live.

Firma de detección defensiva para este grupo (úsala en tu EDR/SIEM). Fuente: ransomware.live.

/*
devman ransomware
*/

rule devman_Ransomnote
{
    meta:
        author = "ransomware.live"
        family = "ransomware.devman"
        description = "Detects devman ransomware ransom note or artifact"
        date = "2026-05-04"
        severity = 7
        score = 70

    strings:
        $name1 = "devman" ascii nocase
        $name2 = "DEVMAN" ascii
        $onion  = "devman.onion" ascii nocase

    condition:
        any of them
}

██████╗ ███████╗██╗   ██╗███╗   ███╗ █████╗ ███╗   ██╗    ██████╗    ██╗
██╔══██╗██╔════╝██║   ██║████╗ ████║██╔══██╗████╗  ██║    ╚════██╗  ███║
██║  ██║█████╗  ██║   ██║██╔████╔██║███████║██╔██╗ ██║     █████╔╝  ╚██║
██║  ██║██╔══╝  ╚██╗ ██╔╝██║╚██╔╝██║██╔══██║██║╚██╗██║    ██╔═══╝    ██║
██████╔╝███████╗ ╚████╔╝ ██║ ╚═╝ ██║██║  ██║██║ ╚████║    ███████╗██╗██║
╚═════╝ ╚══════╝  ╚═══╝  ╚═╝     ╚═╝╚═╝  ╚═╝╚═╝  ╚═══╝    ╚══════╝╚═╝╚═╝
//////////////////////////////////////////////////////////////////////////////
///ENGLISH VERSION///////////////////////////////////////////////////////////
////////////////////////////////////////////////////////////////////////////
Dear, management and employees. We are the devman collective, and we are here to deliver some bad news.
All of your files have been encrypted with a unbreakable encryption algorithm.
However, this is not the only bad news for you. Around 100gb of your sensitive data,have been exfiltrated to our secure servers.
What does that mean for you? It means that if you do not cooperate with us, not only will you lose access to your files,
All of that sensitive data will be published online, causing irreparable damage to your reputation and potentially leading to legal consequences.
The only way to decrypt your files, and to prevent the data leak is to cooperate with us, and get the decryption tool and unique key.
What will happen if you do not cooperate with us?
1. Your files will remain encrypted forever.
2. Your sensitive data will be published online, and sent to your clients.
3. There is a high chance that you will face legal consequences for failing to protect your clients data, and violating data protection laws.
How to cooperate with us?
To obtain the decryption tool, you need to:
1. Contact us at: [redactado]
2. Send your unique ID: [snip]
3. Receive a sample decryption of up to 4 files, and the file listing of exfiltrated data
4. We will provide payment instructions
5. After payment, you will receive decryption tool and unique key
WARNING:
- Do not modify encrypted files
- Do not use third party software to restore files
- Do not reinstall system
If you violate these rules, your files may be permanently damaged.
Unique ID: [snip]
Backup contact ([redactado] [redactado]

• https://www.ransomware.live/group/devman