Attack Alert: Devman2 Targets Newhorizonsmedical.org - US
Introduction
The Devman2 Attack on Newhorizonsmedical.org
On December 1, 2025, the American medical center newhorizonsmedical.org was the victim of a cyberattack orchestrated by devman2, a ransomware group operating on a Ransomware-as-a-Service (RaaS) model. This breach, classified as XC SIGNAL level, exposed a healthcare facility managing sensitive patient records and medical data. The incident illustrates the persistent vulnerability of the healthcare sector to evolving cybercriminal threats, particularly in the United States, where medical infrastructure is a prime target for malicious actors.
Detailed Analysis
This attack comes amid increasing pressure from ransomware groups on American healthcare facilities. The compromise of newhorizonsmedical.org, a medium-sized organization employing between 50 and 100 people, demonstrates that cybercriminals are not only targeting large hospital organizations. Health data, highly valued on the black market, represents a critical issue for both patient confidentiality and the continuity of medical services.
The appearance of this victim on the devman2 leak platform signals an escalation in the group's double extortion tactics. Medical institutions, subject to strict obligations regarding the protection of personal health information (PHI), find themselves particularly vulnerable to threats of public disclosure. This situation raises essential questions about the cybersecurity preparedness of mid-sized healthcare organizations.
The Devman2 Actor
DevMan 2.0 represents the sophisticated evolution of the DevMan ransomware, initially documented in July 2025. This modernized iteration enhances the capabilities of its predecessor by integrating robust double extortion tactics, combining system encryption with the threat of public disclosure of exfiltrated data. The group operates according to a Ransomware-as-a-Service model, offering a structured leak and extortion infrastructure to its affiliates.
The malicious actor targets diverse organizations across multiple economic sectors, including manufacturing, retail, electronics, and now the medical field. Geographically, devman2's operations are primarily concentrated in Japan, Germany, and, as demonstrated by the current incident, the United States. This geographic expansion suggests an opportunistic attack strategy rather than a regionally targeted one.
The group's initial campaigns revealed ransom demands that varied considerably, ranging from approximately $1 million to $10 million USD. This wide range suggests that financial demands are tailored to the size and payment capacity of the victims. The Ransomware-as-a-Service (RaaS) model allows technical affiliates to deploy the ransomware while leveraging the negotiation and leak infrastructure maintained by the core operators.
devman2's leak platform is a central element of its coercive strategy. By progressively releasing samples of stolen data, the group maintains constant psychological pressure on compromised organizations. This methodical approach maximizes the chances of payment while serving as a warning to potential future victims. The deployed technical infrastructure demonstrates the increasing professionalization of ransomware operations.
The victim: Newhorizonsmedical.org
New Horizons Medical is an American medical center founded in 2015, employing between 50 and 100 healthcare professionals. The facility operates in the healthcare sector, managing patient records, protected health data, medical billing systems, and critical personal information on a daily basis. Its mid-sized profile places it in a particularly vulnerable category: large enough to hold valuable sensitive data, but often with limited cybersecurity resources compared to large hospital networks.
The organization, accessible via newhorizonsmedical.org, provides essential medical services to its local community. Centers of this size form the backbone of the American healthcare system, ensuring local care and continuity of treatment for thousands of patients. The compromise of such an institution directly impacts patient trust and can significantly disrupt access to care within its service area.
The location in the United States places newhorizonsmedical.org under the jurisdiction of strict regulations such as HIPAA (Health Insurance Portability and Accountability Act), which imposes rigorous obligations for the protection of health information. A medical data breach exposes the organization to substantial regulatory penalties, potential civil lawsuits, and major reputational damage. The indirect costs of such an incident often far exceed the ransom amounts demanded.
Healthcare institutions of this size typically manage information including complete medical histories, test results, prescriptions, insurance data, and detailed personal contact information. This concentration of sensitive information makes them prime targets for cybercriminals. The market value of medical records on underground forums exceeds that of simple financial data, fueling ransomware groups' continued interest in the healthcare sector.
Technical Analysis of the Attack
The incident affecting newhorizonsmedical.org was discovered on December 1, 2025, and classified as XC SIGNAL according to the DataInTheDark methodology. This classification indicates early detection of the attack, based on the victim's appearance on the ransomware group's communication channels. The SIGNAL level typically precedes the public disclosure of stolen data, providing a critical window for incident response and risk mitigation.
The precise nature of the compromised information has not been publicly detailed at this early stage of the incident. However, given the nature of newhorizonsmedical.org's activity, the potentially exposed data likely includes electronic medical records (EMRs), patient identification information, treatment histories, test results, billing data, and personal contact information. These categories of information are prime targets for attacks against healthcare organizations.
The typical modus operandi of devman2 involves an initial infiltration phase, often via unpatched vulnerabilities or targeted phishing campaigns. Once access is established, the group's affiliates conduct internal reconnaissance, identifying critical systems and repositories of sensitive data. Exfiltration generally precedes the ransomware deployment, ensuring the possession of exploitable data even if backups allow for rapid restoration.
The exact timeline of the compromise remains to be documented, but modern ransomware attacks typically extend over several weeks between the initial intrusion and final deployment. This latency period allows attackers to establish robust persistence, map the network environment, and maximize the volume of exfiltrated data. Healthcare facilities, operating continuously, present limited monitoring windows, facilitating these stealthy operations.
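The two paragraphs above describe the ordering that makes this pattern detectable: bulk exfiltration to external addresses happens before encryption, often in quiet hours. The following is an added example, not code from the alert page or from DataInTheDark, showing one defender-side heuristic for that window: a sliding-window sum of outbound bytes per internal host to external destinations, flagging hosts that exceed a volume threshold. The flow-log lines, internal network range, threshold and window are all constructed for illustration and are not derived from the incident.

```python
"""
Added example (not from the alert page or DataInTheDark): a sliding-window
detector for the "exfiltration precedes encryption" pattern. It parses
constructed outbound flow records, sums bytes from each internal host to
external destinations within a time window, and flags hosts whose peak
windowed volume exceeds a threshold. Log lines, network range, window and
threshold are all constructed values.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Constructed flow records: "<timestamp> <src_ip> <dst_ip> <bytes_out>".
# 10.0.5.21 pushes ~170 MB to one external host in a three-minute burst.
FLOW_LOG = """\
2025-11-20T02:10:00Z 10.0.5.21 93.184.216.34 4200
2025-11-20T02:11:00Z 10.0.5.21 93.184.216.34 3900
2025-11-20T02:12:00Z 10.0.5.22 10.0.5.40 120000
2025-11-20T02:12:30Z 10.0.5.21 93.184.216.34 5000
2025-11-20T02:30:00Z 10.0.5.21 198.51.100.77 52000000
2025-11-20T02:31:00Z 10.0.5.21 198.51.100.77 61000000
2025-11-20T02:32:00Z 10.0.5.21 198.51.100.77 58000000
2025-11-20T02:33:00Z 10.0.5.23 93.184.216.34 800
"""

# Assumed internal address space (constructed for the example).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]


def is_internal(ip):
    """True if the address falls inside one of the internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_flows(text):
    """Parse flow lines into (timestamp, src, dst, bytes) tuples; blank lines skipped."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, nbytes = line.split()
        flows.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, dst, int(nbytes)))
    return flows


def outbound_bursts(flows, window=timedelta(minutes=10), threshold_bytes=100_000_000):
    """
    Return {src_host: peak_windowed_bytes} for internal hosts whose outbound
    volume to external destinations exceeds threshold_bytes inside any window.
    Internal-to-internal traffic (e.g. file-server access) is ignored so that
    normal LAN activity does not trip the rule.
    """
    by_host = defaultdict(list)
    for ts, src, dst, n in flows:
        if is_internal(src) and not is_internal(dst):
            by_host[src].append((ts, n))

    flagged = {}
    for src, events in by_host.items():
        events.sort()
        start, total, peak = 0, 0, 0
        for end in range(len(events)):
            total += events[end][1]
            # Slide the window start forward until it spans at most `window`.
            while events[end][0] - events[start][0] > window:
                total -= events[start][1]
                start += 1
            peak = max(peak, total)
        if peak > threshold_bytes:
            flagged[src] = peak
    return flagged


if __name__ == "__main__":
    for host, volume in outbound_bursts(parse_flows(FLOW_LOG)).items():
        print(f"ALERT outbound burst: {host} sent {volume} bytes externally within the window")
```

The threshold and window should be tuned against each host's own baseline in practice; the value here is deliberately high so that only a bulk transfer, not routine web traffic, is flagged.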
The risks associated with this exposure of medical data are numerous and serious. For patients, the exposure of health information can lead to insurance discrimination, medical identity theft, and personal extortion. For the institution, the consequences include HIPAA regulatory penalties, class-action lawsuits, loss of trust, and prolonged operational disruption. Full recovery after such a compromise typically requires several months of coordinated effort.
Blockchain and Traceability to Track the Attack on Newhorizonsmedical.org
Frequently Asked Questions
When did the attack by devman2 on newhorizonsmedical.org occur?
The attack occurred on December 1, 2025 and was claimed by devman2. The incident can be tracked directly on the dedicated alert page for newhorizonsmedical.org.
Who is the victim of devman2?
The victim is newhorizonsmedical.org and operates in the healthcare sector. The company is located in the United States. Visit newhorizonsmedical.org's official website. To learn more about the devman2 threat actor and their other attacks, visit their dedicated page.
What is the XC protocol level for the attack on newhorizonsmedical.org?
The XC protocol level is currently at XC SIGNAL status, meaning the attack on newhorizonsmedical.org has been claimed by devman2 but has not yet been confirmed by our community. Follow the progress of this alert.
Conclusion
The incident involving newhorizonsmedical.org has been certified via the XC-Audit protocol developed by DataInTheDark. This innovative approach uses Polygon blockchain technology to create an immutable and verifiable record of each data breach discovery. Each record receives a unique cryptographic hash, timestamped and anchored in the public blockchain, guaranteeing the authenticity and non-repudiation of the documented information.
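The conclusion describes the general mechanism behind the XC-Audit certification: a record is canonicalized, hashed, timestamped and anchored so that it can later be checked for integrity and non-repudiation. The following is an added example, not DataInTheDark's own code and not the actual XC-Audit record format, showing how such a hash-anchored record can be built and verified. The Polygon anchoring step is replaced by an in-memory hash-chained ledger (an assumption made to keep the example offline); the record fields are taken from the page, while the timestamp and the tampered variant are constructed.

```python
"""
Added example (not DataInTheDark's code, not the real XC-Audit format): a
hash-anchored breach record. Records are canonicalized as sorted-key JSON,
digested with SHA-256, and appended to a hash-chained ledger that stands in
for the public blockchain anchor. Verification recomputes the digest and
the chain so that any edit to a record or to a ledger entry is detected.
"""
import hashlib
import json

# Constructed placeholder for the anchoring timestamp.
ANCHOR_TS = "2025-12-01T00:00:00Z"

# Record fields as stated on the alert page; structure is an assumption.
ALERT_RECORD = {
    "victim": "newhorizonsmedical.org",
    "actor": "devman2",
    "discovered": "2025-12-01",
    "level": "XC SIGNAL",
}


def canonical_bytes(record):
    """Deterministic encoding: key order and whitespace must not change the hash."""
    return json.dumps(record, sort_keys=True, separators=(",", ":"), ensure_ascii=False).encode("utf-8")


def record_digest(record):
    return hashlib.sha256(canonical_bytes(record)).hexdigest()


def entry_hash(prev_hash, digest, anchored_at):
    """Hash that binds this entry to its predecessor, giving the ledger its append-only property."""
    return hashlib.sha256(f"{prev_hash}|{digest}|{anchored_at}".encode("utf-8")).hexdigest()


def anchor_record(record, anchored_at, ledger):
    """Append the record's digest to the ledger (stand-in for a blockchain anchor); return the digest."""
    digest = record_digest(record)
    prev = ledger[-1]["entry_hash"] if ledger else "0" * 64
    ledger.append({
        "digest": digest,
        "anchored_at": anchored_at,
        "prev": prev,
        "entry_hash": entry_hash(prev, digest, anchored_at),
    })
    return digest


def verify_record(record, ledger):
    """True if the record, as presented now, matches a digest that was anchored earlier."""
    return any(e["digest"] == record_digest(record) for e in ledger)


def verify_ledger(ledger):
    """True if every entry's hash and back-link are consistent (no entry edited, removed or reordered)."""
    prev = "0" * 64
    for e in ledger:
        if e["prev"] != prev or e["entry_hash"] != entry_hash(prev, e["digest"], e["anchored_at"]):
            return False
        prev = e["entry_hash"]
    return True


if __name__ == "__main__":
    ledger = []
    digest = anchor_record(ALERT_RECORD, ANCHOR_TS, ledger)
    print("anchored digest:", digest)
    tampered = dict(ALERT_RECORD, discovered="2025-11-25")  # constructed edit
    print("original verifies:", verify_record(ALERT_RECORD, ledger))
    print("tampered verifies:", verify_record(tampered, ledger))
    print("ledger intact:", verify_ledger(ledger))
```

Canonicalization is the step that matters most in practice: two JSON encodings of the same record with different key order or whitespace must produce the same digest, or honest re-serialization would look like tampering.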