DevMan Ransomware Group Claims Attack on U.S. Financial Firm Sharinc Inc.

DevMan Ransomware Group Targets U.S. Financial Sector, Claims Attack on Sharinc Inc.

HIGH
December 29, 2025
5m read
Ransomware, Data Breach, Threat Actor

Impact Scope

Affected Companies

Sharinc Inc.

Industries Affected

Finance

Geographic Impact

United States (national)

Related Entities

Threat Actors

DevMan

Other

Sharinc Inc.

Full Report

Executive Summary

On December 28, 2025, the DevMan ransomware group added U.S. financial firm Sharinc Inc. to its list of victims on its dark web leak site. The group claims to have breached the company's network and exfiltrated sensitive data, specifically citing "Financial, Customer data." DevMan is employing a double extortion tactic, threatening to publish the stolen information to pressure the victim into paying a ransom. This attack highlights the significant and ongoing risk that ransomware operations present to the financial sector, where data confidentiality is paramount.


Threat Overview

The DevMan ransomware group, while perhaps not as prolific as some top-tier gangs, represents the persistent threat from numerous small to mid-sized ransomware operations. These groups often use similar tactics, techniques, and procedures (TTPs) as their larger counterparts, typically gaining initial access through common vectors like phishing, exploitation of public-facing vulnerabilities, or compromised credentials purchased from initial access brokers.

By targeting Sharinc Inc., a financial organization, DevMan is aiming for a high-impact attack. The threat to leak customer and financial data is designed to inflict maximum pressure, leveraging the victim's regulatory obligations and the potential for severe reputational damage. This is a classic double extortion strategy: data is encrypted for disruption (T1486 - Data Encrypted for Impact) and stolen for coercion (T1041 - Exfiltration Over C2 Channel).

Technical Analysis

While specific details of the intrusion at Sharinc Inc. are not public, attacks by groups like DevMan typically follow a recognizable pattern based on the ransomware-as-a-service (RaaS) model:

  1. Initial Access: Often achieved via T1566 - Phishing campaigns, exploiting vulnerabilities in remote services like RDP or VPNs (T1133 - External Remote Services), or purchasing access from initial access brokers.
  2. Execution and Persistence: Deployment of commodity backdoors or legitimate remote management tools (e.g., AnyDesk, ScreenConnect) to maintain a foothold.
  3. Privilege Escalation: Exploiting local vulnerabilities or using tools like Mimikatz to obtain administrative credentials (T1003 - OS Credential Dumping).
  4. Discovery & Lateral Movement: Scanning the network to identify domain controllers, file servers, and backup systems. Moving laterally using techniques like Pass-the-Hash or compromised RDP credentials.
  5. Defense Evasion: Disabling security software and deleting shadow copies to prevent recovery (T1562.001 - Disable or Modify Tools).
  6. Exfiltration & Impact: Data is exfiltrated to cloud storage before the ransomware payload is executed across the network.

Impact Assessment

A successful ransomware attack on a financial firm like Sharinc Inc. can have devastating consequences:

  • Financial Loss: Includes the potential ransom payment, recovery costs, regulatory fines, and lost revenue due to business interruption.
  • Data Breach: The public release of customer financial data can lead to widespread fraud, identity theft, and a complete loss of customer trust.
  • Regulatory Scrutiny: Financial institutions face strict data protection regulations (e.g., GLBA, NYDFS Cybersecurity Regulation). A breach of this nature invites immediate and intense scrutiny from regulators.
  • Reputational Damage: The perception of being unable to protect sensitive financial data can be permanently damaging to a financial institution's brand and customer loyalty.

Cyber Observables for Detection

General observables for detecting ransomware activity include:

  • command_line_pattern: vssadmin.exe delete shadows /all /quiet (command used to delete Volume Shadow Copies to hinder system recovery)
  • process_name: wmic.exe (often used by ransomware for remote process execution and lateral movement)
  • network_traffic_pattern: large outbound transfers to cloud storage (Mega, Dropbox, etc.) (indicates data exfiltration prior to encryption)
  • file_name: *.devman (a hypothetical file extension that could be used by the ransomware; monitor for mass file renaming)
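The observables above are generic enough to be checked directly against endpoint telemetry. The following is an added example (not from the original report) that turns the table into a small matcher: it applies the shadow-copy-deletion and wmic.exe patterns to constructed process-creation events and counts renames to the hypothetical .devman extension per process to flag mass renaming. Field names, thresholds and all sample events are constructed for illustration.

```python
"""Match the generic ransomware observables against constructed endpoint events.
Added example; the event schema, thresholds and sample data are all constructed."""
import re
from collections import Counter

# Observables from the table, expressed as patterns over a telemetry field.
OBSERVABLES = [
    ("shadow_copy_deletion", "command_line",
     re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b(?=.*\s/all\b)(?=.*\s/quiet\b)", re.I)),
    ("wmic_execution", "process_name", re.compile(r"^wmic\.exe$", re.I)),
]
RANSOM_EXT = ".devman"   # hypothetical extension, as the table itself notes
RENAME_THRESHOLD = 20    # constructed: renames to RANSOM_EXT per process before alerting


def match_process_events(events):
    """Return (host, observable) for every process event that hits a table pattern.

    events: iterable of dicts with 'host', 'process_name' and 'command_line'.
    """
    hits = []
    for ev in events:
        for name, field, pattern in OBSERVABLES:
            if pattern.search(ev[field]):
                hits.append((ev["host"], name))
    return hits


def detect_mass_rename(rename_events, threshold=RENAME_THRESHOLD):
    """Count renames to the ransom extension per (host, pid); return those at or above threshold.

    rename_events: iterable of dicts with 'host', 'pid', 'old_name' and 'new_name'.
    """
    counts = Counter()
    for ev in rename_events:
        if ev["new_name"].lower().endswith(RANSOM_EXT):
            counts[(ev["host"], ev["pid"])] += 1
    return sorted((h, p, c) for (h, p), c in counts.items() if c >= threshold)


# Constructed sample telemetry
SAMPLE_PROCESS_EVENTS = [
    {"host": "FS01", "process_name": "vssadmin.exe",
     "command_line": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "FS01", "process_name": "wmic.exe", "command_line": "wmic.exe"},
    # Benign enumeration of shadow copies: must not match the deletion pattern.
    {"host": "WS03", "process_name": "vssadmin.exe",
     "command_line": "vssadmin.exe list shadows"},
    {"host": "WS03", "process_name": "explorer.exe", "command_line": "explorer.exe"},
]
SAMPLE_RENAME_EVENTS = (
    [{"host": "FS01", "pid": 4120, "old_name": f"report_{i}.xlsx",
      "new_name": f"report_{i}.xlsx{RANSOM_EXT}"} for i in range(25)]
    + [{"host": "WS03", "pid": 880, "old_name": "notes.txt", "new_name": "notes.txt.bak"}]
)

if __name__ == "__main__":
    for host, obs in match_process_events(SAMPLE_PROCESS_EVENTS):
        print(f"[{host}] observable matched: {obs}")
    for host, pid, count in detect_mass_rename(SAMPLE_RENAME_EVENTS):
        print(f"[{host}] pid {pid} renamed {count} files to {RANSOM_EXT}")
```

The deletion pattern deliberately requires both /all and /quiet so that routine shadow-copy listing on the same host does not raise the same alert; the wmic.exe match is a low-confidence signal on its own and is best combined with the rename and sequence checks described later in the report.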

Detection & Response

  1. Behavioral Monitoring: Deploy an EDR solution to detect ransomware TTPs, such as the disabling of security tools, deletion of volume shadow copies, and mass file encryption. (D3-PA: Process Analysis)
  2. Network Analysis: Monitor for large, anomalous outbound data flows, especially to consumer cloud storage services not used by the business. This is a key indicator of data exfiltration.
  3. Credential Monitoring: Actively monitor for credential dumping activity using tools like Mimikatz and unusual authentication patterns, such as an administrator account logging into multiple workstations in a short period.
  4. Backup Integrity: Regularly check the integrity and accessibility of backups. Alert on any attempts to access or delete backup files or management consoles.
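Item 3 above describes an authentication pattern (one administrator account reaching many workstations in a short period) rather than a single indicator, so it needs a stateful check. The following added example (not the report's own tooling) implements that check over constructed logon records: it parses a simple constructed line format, keeps only network and RDP logons (Windows logon types 3 and 10) for designated admin accounts, and alerts when an account touches a threshold number of distinct hosts inside a sliding time window. The log format, account names, window and threshold are all assumptions.

```python
"""Detect an admin account fanning out across many hosts in a short window.
Added example; the line format, admin list, window and threshold are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # constructed: look-back window per account
HOST_THRESHOLD = 4               # constructed: distinct hosts before alerting
ADMIN_ACCOUNTS = {"CORP\\itadmin"}  # constructed: privileged accounts to watch


def parse_event(line):
    """Parse a constructed line: '<iso-ts> LOGON account=<acct> host=<host> type=<n>'."""
    ts, _, rest = line.split(" ", 2)
    fields = dict(part.split("=", 1) for part in rest.split())
    return {"ts": datetime.fromisoformat(ts), "account": fields["account"],
            "host": fields["host"], "type": int(fields["type"])}


def detect_admin_fanout(lines, admin_accounts, window=WINDOW, threshold=HOST_THRESHOLD):
    """Return (account, window_start_iso, sorted hosts) for each admin account that
    reaches >= threshold distinct hosts within `window`; one alert per account."""
    events = sorted((parse_event(l) for l in lines), key=lambda e: e["ts"])
    per_account = defaultdict(list)
    for e in events:
        # Logon type 3 = network, 10 = RemoteInteractive (RDP); interactive logons
        # on the admin's own machine (type 2) are not lateral movement signals.
        if e["account"] in admin_accounts and e["type"] in (3, 10):
            per_account[e["account"]].append(e)

    alerts = []
    for account, evs in per_account.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it fits within `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            hosts = {e["host"] for e in evs[start:end + 1]}
            if len(hosts) >= threshold:
                alerts.append((account, evs[start]["ts"].isoformat(), sorted(hosts)))
                break
    return alerts


# Constructed sample logon records
SAMPLE_LOGONS = [
    "2025-12-28T02:10:00 LOGON account=CORP\\itadmin host=WS01 type=3",
    "2025-12-28T02:11:30 LOGON account=CORP\\itadmin host=WS02 type=3",
    "2025-12-28T02:12:05 LOGON account=CORP\\itadmin host=WS03 type=10",
    "2025-12-28T02:13:40 LOGON account=CORP\\itadmin host=WS04 type=3",
    "2025-12-28T02:14:10 LOGON account=CORP\\itadmin host=WS04 type=3",   # repeat host
    "2025-12-28T02:12:00 LOGON account=CORP\\itadmin host=ADMIN-PC type=2",  # interactive, ignored
    "2025-12-28T08:30:00 LOGON account=CORP\\jdoe host=WS07 type=10",       # not an admin
]

if __name__ == "__main__":
    for account, since, hosts in detect_admin_fanout(SAMPLE_LOGONS, ADMIN_ACCOUNTS):
        print(f"{account} reached {len(hosts)} hosts since {since}: {', '.join(hosts)}")
```

Counting distinct hosts rather than raw logon events keeps a repeated connection to one server from tripping the rule, and restricting to types 3 and 10 mirrors how this kind of movement appears in Windows security logs; tune the window and threshold against a baseline of normal administrative activity before alerting on it.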

Mitigation

  1. Multi-Factor Authentication (MFA): Enforce MFA on all remote access points (VPN, RDP), email accounts, and critical internal systems to prevent initial access via compromised credentials. (D3-MFA: Multi-factor Authentication)
  2. Data Backup and Recovery: Maintain a robust backup strategy with offline and immutable backups that are regularly tested. This ensures data can be recovered without paying a ransom. (D3-FR: File Restoration)
  3. Network Segmentation: Segment the network to prevent ransomware from spreading. Isolate critical assets, like file servers and databases, from user workstations.
  4. Patch Management: Keep all systems, especially public-facing ones, patched to prevent exploitation of known vulnerabilities.

Timeline of Events

  1. December 28, 2025: The DevMan ransomware group claims responsibility for an attack on Sharinc Inc. on its data leak site.
  2. December 29, 2025: This article was published.

MITRE ATT&CK Mitigations

Enforce MFA on all remote access services and sensitive accounts to prevent credential-based intrusions.

Maintain and test immutable, offline backups to ensure recovery capabilities without paying a ransom.

Segment networks to contain ransomware spread and protect critical assets from being reached from compromised endpoints.

Restrict administrative privileges and use just-in-time access to limit an attacker's ability to escalate privileges and move laterally.

D3FEND Defensive Countermeasures

To defend against ransomware groups like DevMan, which frequently gain initial access through compromised credentials, implementing Multi-Factor Authentication (MFA) is one of the most effective controls. For a financial firm like Sharinc Inc., MFA should be mandated for all external access points, including VPNs, RDP gateways, and cloud services (e.g., Office 365, AWS). Internally, MFA should be required for access to critical systems, especially for privileged accounts. This creates a significant barrier for attackers, as a stolen password alone is insufficient to gain access. This single control drastically reduces the risk of the most common initial access vectors used by ransomware gangs.

A robust and tested backup strategy is the ultimate safety net against the 'impact' phase of a ransomware attack. Sharinc Inc. and other financial firms must ensure they have a comprehensive backup plan that follows the 3-2-1 rule (three copies of data, on two different media, with one copy off-site). Crucially, at least one copy of the backups must be immutable or stored offline (air-gapped), making it inaccessible to attackers on the network. This prevents ransomware from encrypting or deleting the backups. Regular, automated testing of the restoration process is non-negotiable to ensure that data can be recovered quickly and reliably, allowing the business to restore operations without considering a ransom payment.

To detect ransomware activity before widespread encryption, organizations should employ Endpoint Detection and Response (EDR) tools capable of advanced process analysis. For an attack like the one on Sharinc Inc., this means monitoring for a chain of behaviors indicative of ransomware. For example, an EDR should alert when a process attempts to disable security software, followed by commands to delete Volume Shadow Copies (vssadmin.exe), and then begins rapid file I/O operations across many files. By analyzing the sequence of actions rather than just a single signature, EDR can identify and terminate the ransomware process in its early stages, significantly limiting the damage.
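The paragraph above argues for correlating a sequence of behaviours rather than matching one signature. The following added example (not part of the report, and not any vendor's EDR logic) shows the shape of that correlation over constructed telemetry: per host, it looks for a security-tool tamper event, followed within a window by a shadow-copy deletion command, followed by a burst of file writes, and only raises an alert when all three occur in that order. Hosts that show only one or two stages are left alone. The event schema, window sizes and burst threshold are assumptions.

```python
"""Correlate tamper -> shadow-copy deletion -> file-write burst per host.
Added example; the telemetry schema, windows and threshold are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

CHAIN_WINDOW = timedelta(minutes=15)       # constructed: tamper to burst, per host
IO_BURST_COUNT = 100                       # constructed: writes within IO_BURST_WINDOW
IO_BURST_WINDOW = timedelta(seconds=30)
SHADOW_DELETE = re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I)


def _stage(ev):
    """Map a raw telemetry event to a chain stage, or None if it is neither."""
    if ev["kind"] == "security_tool_tamper":
        return "tamper"
    if ev["kind"] == "process" and SHADOW_DELETE.search(ev.get("command_line", "")):
        return "shadow_delete"
    return None


def correlate_ransomware_chain(events, window=CHAIN_WINDOW):
    """Return one alert dict per host where the full ordered chain was observed."""
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_host[ev["host"]].append(ev)

    alerts = []
    for host, evs in by_host.items():
        tamper_ts = shadow_ts = None
        writes = []  # timestamps of file writes seen after the shadow deletion
        for ev in evs:
            stage = _stage(ev)
            if stage == "tamper":
                tamper_ts = ev["ts"]
            elif stage == "shadow_delete" and tamper_ts and ev["ts"] - tamper_ts <= window:
                shadow_ts = ev["ts"]
                writes = []
            elif ev["kind"] == "file_write" and shadow_ts and ev["ts"] - tamper_ts <= window:
                writes.append(ev["ts"])
                while writes and ev["ts"] - writes[0] > IO_BURST_WINDOW:
                    writes.pop(0)
                if len(writes) >= IO_BURST_COUNT:
                    alerts.append({"host": host, "first_seen": tamper_ts.isoformat(),
                                   "burst_ended": ev["ts"].isoformat()})
                    break
    return alerts


def build_sample_events():
    """Constructed telemetry: FS01 shows the full chain; WS03 deletes shadows without
    any tamper event; WS05 tampers and writes files but never deletes shadows."""
    t0 = datetime(2025, 12, 28, 2, 20, 0)
    evs = [
        {"ts": t0, "host": "FS01", "kind": "security_tool_tamper", "target": "endpoint_protection"},
        {"ts": t0 + timedelta(minutes=1), "host": "FS01", "kind": "process",
         "command_line": "vssadmin.exe delete shadows /all /quiet"},
        {"ts": t0 + timedelta(minutes=1), "host": "WS03", "kind": "process",
         "command_line": "vssadmin.exe delete shadows /all /quiet"},
        {"ts": t0, "host": "WS05", "kind": "security_tool_tamper", "target": "endpoint_protection"},
    ]
    for host in ("FS01", "WS03", "WS05"):
        for i in range(120):
            evs.append({"ts": t0 + timedelta(minutes=2, milliseconds=100 * i), "host": host,
                        "kind": "file_write", "path": f"\\\\share\\docs\\file_{i}.xlsx"})
    return evs


if __name__ == "__main__":
    for alert in correlate_ransomware_chain(build_sample_events()):
        print(f"ransomware chain on {alert['host']}: started {alert['first_seen']}, "
              f"write burst ended {alert['burst_ended']}")
```

The ordering requirement is what gives the rule its precision: a backup job that writes many files, or an administrator clearing old shadow copies, each hit one stage but not the sequence. In a real deployment the alert would be wired to an isolation action on the host, which is the "terminate in its early stages" outcome the paragraph describes.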

Sources & References

DevMan Ransomware Attack on Sharinc Inc. - DeXpose
DeXpose (dexpose.io) December 28, 2025
DevMan Ransomware Targets Sharinc Inc.
Example Threat Intel 2 (example-threat-intel-2.com) December 28, 2025

Article Author

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags

DevMan, Ransomware, Financial Services, Data Leak, Cyber Extortion, Double Extortion