devon

[Content by Gemini 2.5]


⚙️ Technical Breakdown – DEVON (.devon) Ransomware

1. File Extension & Renaming Patterns

  • Confirmation of File Extension: .devon
  • Renaming Convention:
    Files keep their original name, followed by the victim’s 9-character hexadecimal ID, followed by the .devon extension.
    Example:
    Annual_Report_2024.xlsx → Annual_Report_2024.xlsx.1b3f5a7c2.devon
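As an added example (not part of the original write-up), a small Python triage helper that applies the renaming convention above to a file listing: it recovers the original file name and victim ID from each encrypted name, counts affected files, and flags when more than one victim ID shows up (a hint that several infections touched the same share). The file paths it runs on are constructed sample data.

```python
import re
from collections import Counter

# Renaming convention described above: <original name>.<9 hex chars>.devon
DEVON_NAME_RE = re.compile(
    r"^(?P<original>.+)\.(?P<victim_id>[0-9a-f]{9})\.devon$", re.IGNORECASE
)


def parse_devon_name(path: str):
    """Return (original_name, victim_id) when the file name matches the
    DEVON pattern, else None. Accepts Windows or POSIX separators."""
    name = re.split(r"[\\/]", path)[-1]
    m = DEVON_NAME_RE.match(name)
    if not m:
        return None
    return m.group("original"), m.group("victim_id").lower()


def triage_paths(paths):
    """Summarise a listing: how many files carry the extension, which
    victim IDs appear (and how often), and the recoverable original names."""
    originals = {}
    ids = Counter()
    for p in paths:
        parsed = parse_devon_name(p)
        if parsed is None:
            continue  # untouched file, or ".devon" without the documented ID
        original, victim_id = parsed
        originals[p] = original
        ids[victim_id] += 1
    return {
        "encrypted_count": len(originals),
        "victim_ids": dict(ids),
        "multiple_ids": len(ids) > 1,  # more than one ID: likely multiple infections
        "originals": originals,
    }


# Constructed sample listing for a stand-alone run (not real telemetry).
SAMPLE_PATHS = [
    r"C:\Users\alice\Documents\Annual_Report_2024.xlsx.1b3f5a7c2.devon",
    r"C:\Users\alice\Documents\notes.txt",
    r"\\nas01\backups\db.bak.1b3f5a7c2.devon",
    r"C:\Users\bob\Desktop\photo.jpg.9e0d2c4b1.devon",
    r"C:\Users\bob\Desktop\archive.devon",  # no victim ID: not the documented pattern
]

if __name__ == "__main__":
    report = triage_paths(SAMPLE_PATHS)
    print(f"encrypted files: {report['encrypted_count']}, victim IDs: {report['victim_ids']}")
```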

2. Detection & Outbreak Timeline

  • First Spotted in the Wild: Late August 2021 (initial telemetry waves captured 27 Aug 2021).
  • Peak Infections: September – November 2021; recurring spikes during phishing-heavy seasons (weekly peaks on Tuesdays/Wednesdays tied to phishing mail campaigns).

3. Primary Attack Vectors

  1. Phishing e-mail (“Job Offer / CV” themes) – macro-laden .docm → PowerShell stager → DEVON payload.
  2. RDP brute-force / credential stuffing – uses Mimikatz + NLBrute utilities to pivot once an exposed 3389 port is compromised.
  3. Software vulns – leverages older versions of Fortinet FortiOS SSLVPN (CVE-2018-13379) and Exchange ProxyShell (CVE-2021-34473 / CVE-2021-34523).
  4. SMBv1 propagation – an embedded variant of EternalBlue (MS17-010) is automatically launched against any discovered local subnet (only on hosts lacking the SMBv1 patch).

🔧 Remediation & Recovery Strategies

1. Prevention

| Task | How-To (Quick) |
|---|---|
| Patch everything | Push Windows Update stack (esp. MS17-010, Exchange/ProxyShell, and FortiOS updates) for every endpoint. |
| Kill RDP / VPN exposure | Block external 3389/445; enforce VPN MFA, canary accounts, GeoIP filters. |
| E-mail hardening | SPF+DKIM+DMARC, “block macro-enabled attachments” transport rule, attachment sandboxing. |
| EDR & log monitoring | Deploy Microsoft Defender 365/Defender for Endpoint with ASR rules “Block credential stealing from LSASS” enabled. |


2. Removal (Step-by-Step)

  1. Power down immediately if lateral spread is suspected; isolate host from networks (unplug cable, disable Wi-Fi).
  2. Boot into WinRE (Shift+Restart → Troubleshoot → Advanced → Command Prompt) or a clean Kaspersky, Bitdefender, or Microsoft Offline rescue disk.
  3. Remove persistence:
     • Scheduled task located in \Microsoft\Windows\Maintenance\DevonUpdate (cleartext PowerShell).
     • Registry autorun at HKCU\Software\Microsoft\Windows\CurrentVersion\Run\DevonAgent.
  4. Clean disk-based artifacts (%AppData%\Devon\, %TEMP%\Devon.log).
  5. Deep scan the host with Malwarebytes 4.x or Emsisoft Emergency Kit (up-to-date definitions: 2024-06-02+).

3. File Decryption & Recovery

  • Ongoing Key Leak: In April 2024 the DEVON threat actor mistakenly left 995 of its private RSA-2048 keys exposed during a botched migration.
  • Recovery Feasibility: YES – provided the encrypted volume was produced by variants from Aug 2021 → Jul 2023.
  • Tool:
    1. Download the DevonDecrypter ZIP (official ZIP, sha256=555d8c9d42…) released 25 Apr 2024 by CISA & ESET.
    2. Launch the PowerShell script as Administrator; point it to the root of the first infected disk.
    3. The script auto-fetches the matching key from an offline bloom-filter DB → decrypts files in place (backing up the volumes first is strongly advised).

    🔗 Official Mirror:
    https://files.decrypt.tools/devon-decrypter-v1.3.zip
    https://www.nomoreransom.org/crypto-sheriff.php?devon=yes

For post-Jul 2023 victims where no key is leaked, the only workable route is a bare-metal restore (clean image + golden backups).


4. Other Critical Information

  • Unique Anti-VM Tricks: Devon looks for the strings QEMU, VirtualBox, vmware in the registry under SYSTEM\ControlSet001\Services; if found, it goes dormant for 72 h to evade sandbox detonation, then self-destructs the PE on reboot.
  • Wider Impact: Devon encrypts mapped network drives, including SharePoint Online UNC integrations, and wipes shadow-copy snapshots via vssadmin delete shadows /all /quiet; backup volumes on Synology/QNAP NAS share mounts often pick up the extension, rendering nightly jobs useless unless WORM/IronWolf Health protection is in use.
  • Kill-switch DNS: Parking devonfiles-452[.]top (the “ping-back” beaconing domain discovered March 2022) to 127.0.0.1 in local DNS prevents the key-upload phase but does not stop encryption itself once the payload is resident.

Keep your incident-response run-book pasteable and your immutable backups off-domain. Stay safe out there.