VERY IMPORTANT

A new ransomware strain resembling DragonForce but with unique traits has emerged, possibly connected to an entity called DEVMAN. The sample reuses DragonForce code but adds its own elements, including the .DEVMAN file extension. Attribution is unclear, as the ransom note is identical to DragonForce's. The malware operates offline, probes for SMB connections, and uses three encryption modes. It exhibits different behaviors on Windows 10 and 11, particularly in changing wallpapers. The ransomware encrypts its own ransom notes, likely due to a builder flaw. DEVMAN claims to have stopped using DragonForce months ago, suggesting this may be an experimental or outdated build.