From Conti to Black Basta to DevMan: The Endless Ransomware Rebrand

October 17, 2025
Lucie Cardiet
Cyberthreat Research Manager

Ransomware operations don’t disappear. They evolve.

The ransomware names may change, but the operators, infrastructure, and behaviors often persist under new branding. The latest example is DevMan, a group operating on modified DragonForce code that now carries the weight of serious allegations tying it back to one of ransomware’s most infamous leaders.

In mid-2025, an account named GangExposed alleged that DevMan is “Tramp”, the former leader of Black Basta and one of the core members of Conti. If true, this means the same individual has now led three generations of ransomware operations under different guises.

The Conti Legacy: The Code That Never Died

Conti’s leaked source code remains one of the most reused ransomware frameworks in existence. It directly fueled the development of Black Basta, and later the DragonForce ransomware family. The leaked Black Basta chat logs further confirmed that its leader, Tramp (allegedly Oleg Nefedov), had long-standing ties with LockBitSupp, the administrator of the LockBit RaaS empire.

Conversation between Black Basta and LockBit found in the Black Basta leaked chat logs

By September 2025, DragonForce announced a coalition with Qilin and LockBit, creating a cross-affiliate ransomware network. The same names reappear across leak sites, affiliate programs, and shared infrastructure, reinforcing that ransomware today operates as an ecosystem, not isolated crews.

Screenshot of the DragonForce + Qilin + LockBit coalition announcement. Source: ReliaQuest

The DragonForce Model and the Birth of DevMan

DragonForce introduced a “Dragons-as-a-Service” model, offering affiliates prebuilt ransomware, Tor infrastructure, and leak site publishing rights under its brand. This RaaS program allowed emerging operators to launch attacks quickly, using proven tools.

DevMan first surfaced in mid-April 2025, initially acting as an affiliate for Qilin (Agenda) and DragonForce, while also linked to APOS operations (APOS has also been linked to PEAR since…). Early attacks mirrored DragonForce playbooks: VPN exploitation for entry, SMB probing for lateral movement, and double extortion tactics.

By July 2025, everything changed. DevMan split from DragonForce, launching his own infrastructure, including his first leak site, called “DevMan’s Place.” Forensic analysis published by ANY.RUN on July 1 confirmed that his payload reused DragonForce code, itself based on Conti, and included several technical flaws:

  • The ransom note self-encrypts, a builder misconfiguration.
  • The wallpaper feature fails on Windows 11 but works on Windows 10.
  • Three encryption modes are included: full, header-only, and custom.
  • The malware operates entirely offline, with only SMB-based network activity.

The .DEVMAN file extension and new internal strings distinguish the variant, but its DNA remains unmistakably DragonForce.

Operation (active years)   | Codebase                  | Operating model | Distinguishing traits
---------------------------|---------------------------|-----------------|--------------------------------------------------------------------------
Conti (2022)               | Original codebase         | Private crew    | Manual negotiation, internal hierarchy
Black Basta (2023–2024)    | Fork of Conti             | Semi-private    | Focus on large enterprises, steady leaks
DragonForce (2024–present) | Based on Conti code       | Public RaaS     | Builder tools, coalition model, Qilin + LockBit ties
DevMan (2025–present)      | Modified DragonForce code | Hybrid RaaS     | Custom extension (.DEVMAN), offline encryption, independent branding

GangExposed Allegations: DevMan = Tramp

In June 2025, GangExposed released a detailed analysis claiming that DevMan is the same individual as Tramp, the former Black Basta and Conti leader. Their report used:

  • Stylometric analysis comparing language patterns across ransom notes and forum posts.
  • Infrastructure overlaps, linking Tor domains and cryptocurrency wallets between DevMan and prior operations.
  • Alias correlations, including Russian-language handles reused across both identities.

If accurate, the allegations mean DevMan represents not just a rebrand, but a continuation of leadership stretching across three major ransomware operations: Conti → Black Basta → DevMan.

Attribution in Ransomware Ecosystems is Complex

As Jon DiMaggio notes in The Art of Attribution (Analyst1, 2024), high-confidence attribution requires multiple lines of evidence including technical, behavioral, and human—not just code similarity or timing overlaps. In this case, while the GangExposed findings align with existing intelligence on Tramp’s network, the claim remains an analytical hypothesis, not conclusive proof.

DevMan 2.0: From Operator to RaaS Provider

After the exposure, DevMan doubled down. On September 30, 2025, he launched DevMan 2.0, a redesigned Ransomware-as-a-Service platform with affiliate recruitment, a builder dashboard, and new variants written in Rust.

Screenshots from the platform reveal:

  • A web-based affiliate dashboard for building encryptors targeting Windows, Linux, and ESXi.
  • A structured profit-sharing model, offering 22% revenue share for affiliates generating under $20 million.
  • Automated data exfiltration utilities and ransom note customization.
  • Rules of conduct prohibiting attacks against CIS states and healthcare entities related to children.

In practice, DevMan 2.0 functions much like DragonForce, but with branding, infrastructure, and affiliate control entirely under one operator.

Screenshot of DevMan's RaaS website. Source: Analyst1.com

Why It Matters for Defenders

Whether or not GangExposed’s allegations prove true, DevMan exemplifies how ransomware operations rebrand without changing behavior. SOC teams face adversaries that evolve faster than traditional defenses can adapt. Across Conti, Black Basta, DragonForce, and DevMan, the tactics remain consistent:

  • Offline encryption and lateral movement via SMB and RDP.
  • Use of legitimate tools for persistence.
  • Rapid affiliate onboarding using shared builder frameworks.

Signature-based defenses fail against this model. What remains constant is attacker behavior, visible in network traffic, identity misuse, and privilege escalation attempts. These are exactly the patterns the Vectra AI Platform detects in real time.
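The SMB and RDP lateral movement named above is the kind of behavior a network detection keys on regardless of which brand the payload carries. The following Python detector is an added example written for this post; it is not code from the original article or from the Vectra AI Platform. It reads constructed connection-log lines (the CSV layout, host addresses, port list, and the 5-minute / 5-host thresholds are all assumptions chosen for illustration) and flags any source that fans out to many distinct internal hosts over SMB or RDP inside a short sliding window, while ignoring a file server that touches the same peers slowly over an hour.

```python
"""Detect SMB/RDP lateral-movement fan-out in connection logs.

Added example, not part of the original post or any Vectra AI product code.
The log format, host names and thresholds below are assumptions; real flow
records (Zeek conn.log, firewall logs, NetFlow) carry the same fields under
different names.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Ports associated with the lateral-movement protocols the post lists.
LATERAL_PORTS = {445: "SMB", 3389: "RDP"}

# Constructed sample: "timestamp,src_ip,dst_ip,dst_port,proto".
# 10.0.1.20 probes SMB/RDP on six different peers inside two minutes
# (attacker-like fan-out); 10.0.1.5 is a file server that contacts a few
# peers spread over an hour (benign); 10.0.1.9 does DNS and is irrelevant.
SAMPLE_LOG = """\
2025-07-01T02:00:01Z,10.0.1.5,10.0.2.10,445,tcp
2025-07-01T02:00:05Z,10.0.1.20,10.0.2.11,445,tcp
2025-07-01T02:00:07Z,10.0.1.20,10.0.2.12,445,tcp
2025-07-01T02:00:09Z,10.0.1.20,10.0.2.13,445,tcp
2025-07-01T02:00:11Z,10.0.1.20,10.0.2.14,445,tcp
2025-07-01T02:00:13Z,10.0.1.20,10.0.2.15,445,tcp
2025-07-01T02:00:14Z,10.0.1.20,10.0.2.16,3389,tcp
2025-07-01T02:00:15Z,10.0.1.20,10.0.2.11,445,tcp
2025-07-01T02:30:00Z,10.0.1.5,10.0.2.11,445,tcp
2025-07-01T03:00:00Z,10.0.1.5,10.0.2.12,445,tcp
2025-07-01T03:00:01Z,10.0.1.9,8.8.8.8,53,udp
"""


def parse_flows(text):
    """Parse CSV flow lines into (timestamp, src, dst, port, proto) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, proto = line.split(",")
        flows.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                      src, dst, int(port), proto))
    return flows


def detect_fanout(flows, window=timedelta(minutes=5), min_targets=5):
    """Return one alert per source that reaches >= min_targets distinct hosts
    on SMB/RDP ports within any sliding window of the given length."""
    per_src = defaultdict(list)
    for ts, src, dst, port, proto in flows:
        if port in LATERAL_PORTS and proto == "tcp":
            per_src[src].append((ts, dst, port))

    alerts = []
    for src, events in per_src.items():
        events.sort()
        in_window = defaultdict(int)   # dst -> number of events inside window
        start = 0
        peak = 0
        for ts, dst, _port in events:
            in_window[dst] += 1
            # Slide the window start forward until it fits inside `window`.
            while ts - events[start][0] > window:
                old_dst = events[start][1]
                in_window[old_dst] -= 1
                if in_window[old_dst] == 0:
                    del in_window[old_dst]
                start += 1
            peak = max(peak, len(in_window))
        if peak >= min_targets:
            protocols = sorted({LATERAL_PORTS[p] for _, _, p in events})
            alerts.append({"src": src, "distinct_targets": peak,
                           "protocols": protocols})
    return alerts


if __name__ == "__main__":
    for alert in detect_fanout(parse_flows(SAMPLE_LOG)):
        print(f"lateral-movement fan-out from {alert['src']}: "
              f"{alert['distinct_targets']} hosts via {alert['protocols']}")
```

The window is keyed on distinct destinations rather than raw connection count, so a noisy but legitimate server re-contacting the same few peers does not trip the threshold, while a host sweeping the subnet does. In production the thresholds would be tuned per segment and the alert enriched with the identity that opened the sessions, since the post's point is that identity misuse and privilege escalation accompany the network pattern.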

How Vectra AI Detects What Rebrands Can’t Hide

Whether or not attribution can be confirmed, the behaviors are what matter for defenders. The Vectra AI Platform focuses on detecting attacker tactics and behaviors, not brand names.

By analyzing identity, network, and cloud behaviors, the Vectra AI Platform detects the signs of ransomware execution and lateral movement before encryption begins, whether it’s DevMan, Play, Qilin, Scattered Spider or any other APT group.

Attackers can change their names, but not their behaviors.

With Vectra AI, you can see what they can’t hide.

Watch a self-guided demo of the Vectra AI Platform to see how behavioral AI detects ransomware activity, even across rebrands.
