Threat Actor Profile
High
Cybercriminal
Description
Former RansomHub and INC Ransom affiliate.
Confidence Score
Known Aliases
Devman 2.0
Tags
ransomware
ransomware.live
Devman 2.0
First Seen
Unknown
Last Updated
Unknown
Active Status
Active
Created
April 29, 2026
MITRE ATT&CK Techniques (18)
Indicators of Compromise
IOC KQL for Sentinel
STIX Data
{'added_date': '2025-04-06',
'client': '2003264@sit.singaporetech.edu.sg',
'description': 'Former RansomHub and INC Ransom affiliate.',
'firstseen': '2023-06-07T10:27:00+00:00',
'group': 'devman',
'has_negotiations': False,
'has_ransomnote': True,
'lastseen': '2026-02-03T00:00:00+00:00',
'locations': [{'available': False,
'fqdn': 'qljmlmp4psnn3wqskkf3alqquatymo6hntficb4rhq5n76kuogcv7zyd.onion',
'slug': 'http://qljmlmp4psnn3wqskkf3alqquatymo6hntficb4rhq5n76kuogcv7zyd.onion',
'title': "Devman's Place",
'type': 'DLS'},
{'available': False,
'fqdn': 'devmanblggk7ddrtqj3tsocnayow3bwnozab2s4yhv4shpv6ueitjzid.onion',
'slug': 'http://devmanblggk7ddrtqj3tsocnayow3bwnozab2s4yhv4shpv6ueitjzid.onion',
'title': 'Devman Ransomware',
'type': 'DLS'},
{'available': False,
'fqdn': 'wugurgyscp5rxpihef5vl6b6m5ont3b6sezhl7boboso2enib2k3q6qd.onion',
'slug': 'http://wugurgyscp5rxpihef5vl6b6m5ont3b6sezhl7boboso2enib2k3q6qd.onion',
'title': 'DEVMAN 2.0 - Leaked Data',
'type': 'DLS'}],
'negotiation_count': 0,
'ransomnotes_count': 1,
'tiaras_metadata': {'has_negotiations': False,
'has_ransomnote': True,
'locations': [{'available': False,
'fqdn': 'qljmlmp4psnn3wqskkf3alqquatymo6hntficb4rhq5n76kuogcv7zyd.onion',
'slug': 'http://qljmlmp4psnn3wqskkf3alqquatymo6hntficb4rhq5n76kuogcv7zyd.onion',
'title': "Devman's Place",
'type': 'DLS'},
{'available': False,
'fqdn': 'devmanblggk7ddrtqj3tsocnayow3bwnozab2s4yhv4shpv6ueitjzid.onion',
'slug': 'http://devmanblggk7ddrtqj3tsocnayow3bwnozab2s4yhv4shpv6ueitjzid.onion',
'title': 'Devman Ransomware',
'type': 'DLS'},
{'available': False,
'fqdn': 'wugurgyscp5rxpihef5vl6b6m5ont3b6sezhl7boboso2enib2k3q6qd.onion',
'slug': 'http://wugurgyscp5rxpihef5vl6b6m5ont3b6sezhl7boboso2enib2k3q6qd.onion',
'title': 'DEVMAN 2.0 - Leaked Data',
'type': 'DLS'}],
'negotiation_count': 0,
'ransomnotes_count': 1,
'ransomware_live_group': 'devman',
'tools': {},
'url': 'https://www.ransomware.live/group/devman',
'victims': 184,
'vulnerabilities': []},
'tiaras_source': 'ransomware.live',
'tools': {},
'ttps': [{'tactic_id': 'TA0001',
'tactic_name': 'Initial Access',
'techniques': [{'technique_details': 'Use of the MS17-010 '
'(EternalBlue) exploit.',
'technique_id': 'T1210',
'technique_name': 'Exploitation of Remote Services'},
{'technique_details': 'Use of valid credentials '
'(malharbi) to access systems.',
'technique_id': 'T1078',
'technique_name': 'Valid Accounts'}]},
{'tactic_id': 'TA0002',
'tactic_name': 'Execution',
'techniques': [{'technique_details': 'Execution of PowerShell '
'commands to extract files.',
'technique_id': 'T1059.001',
'technique_name': 'PowerShell'},
{'technique_details': 'Command execution using '
'MS17-010 via Metasploit.',
'technique_id': 'T1203',
'technique_name': 'Exploitation for Client '
'Execution'}]},
{'tactic_id': 'TA0003',
'tactic_name': 'Persistence',
'techniques': [{'technique_details': 'Maintaining access with '
'created administrator '
'account.',
'technique_id': 'T1078',
'technique_name': 'Valid Accounts'}]},
{'tactic_id': 'TA0004',
'tactic_name': 'Privilege Escalation',
'techniques': [{'technique_details': 'Escalation to SYSTEM '
'privileges.',
'technique_id': 'T1068',
'technique_name': 'Exploitation for Privilege '
'Escalation'}]},
{'tactic_id': 'TA0005',
'tactic_name': 'Defense Evasion',
'techniques': [{'technique_details': 'Use of an innocuous name for '
'the ransomware payload '
'(iamdidy.e).',
'technique_id': 'T1036',
'technique_name': 'Masquerading'},
{'technique_details': 'No security tools detected on '
'target systems.',
'technique_id': 'T1562.001',
'technique_name': 'Disable or Modify Tools'}]},
{'tactic_id': 'TA0006',
'tactic_name': 'Credential Access',
'techniques': [{'technique_details': 'Implied by acquisition and '
'use of admin credentials.',
'technique_id': 'T1003',
'technique_name': 'OS Credential Dumping'}]},
{'tactic_id': 'TA0007',
'tactic_name': 'Discovery',
'techniques': [{'technique_details': 'Network mapping using '
'CrackMapExec.',
'technique_id': 'T1018',
'technique_name': 'Remote System Discovery'},
{'technique_details': 'Scanning IP ranges and SMB '
'services.',
'technique_id': 'T1046',
'technique_name': 'Network Service Scanning'},
{'technique_details': 'Using tasklist and whoami to '
'collect system info.',
'technique_id': 'T1082',
'technique_name': 'System Information Discovery'}]},
{'tactic_id': 'TA0008',
'tactic_name': 'Lateral Movement',
'techniques': [{'technique_details': 'Lateral movement through SMB '
'confirmed by CME.',
'technique_id': 'T1021.002',
'technique_name': 'SMB/Windows Admin Shares'}]},
{'tactic_id': 'TA0009',
'tactic_name': 'Collection',
'techniques': [{'technique_details': 'File extraction from local '
'system using PowerShell.',
'technique_id': 'T1005',
'technique_name': 'Data from Local System'}]},
{'tactic_id': 'TA0010',
'tactic_name': 'Exfiltration',
'techniques': [{'technique_details': 'Downloading files like '
'notepad.exe via smbclient.',
'technique_id': 'T1041',
'technique_name': 'Exfiltration Over C2 Channel'}]},
{'tactic_id': 'TA0040',
'tactic_name': 'Impact',
'techniques': [{'technique_details': 'Encryption of files with '
'.devman extension (changed at '
"operator's request).",
'technique_id': 'T1486',
'technique_name': 'Data Encrypted for Impact'},
{'technique_details': 'Disabling backups and system '
'recovery.',
'technique_id': 'T1490',
'technique_name': 'Inhibit System Recovery'},
{'technique_details': 'Halting operations and '
'rendering systems '
'unavailable.',
'technique_id': 'T1489',
'technique_name': 'Service Stop'},
{'technique_details': 'Ransom notes (ransom.txt) '
'deployed across infected '
'systems.',
'technique_id': 'T1491',
'technique_name': 'Defacement'}]}],
'url': 'https://www.ransomware.live/group/devman',
'victims': 184,
'vulnerabilities': []}