From Conti to Black Basta to DevMan: The Endless Ransomware Rebrand by Lucie Cardiet

This report analyzes DevMan, a 2025 ransomware operator that reuses DragonForce/Conti-derived code and has evolved into a Ransomware-as-a-Service (DevMan 2.0) offering builders, affiliate dashboards, and automated exfiltration; it details DevMan’s technical traits (.DEVMAN extension, offline SMB-focused encryption, multiple modes), its affiliate-driven business model, and emphasizes that attribution is difficult while defenders should focus on behavioral detection rather than signatures.