[DEVMAN] – Ransomware Victim: www[.]oucru[.]org
NOTE: No files or stolen information are exfiltrated, downloaded, taken, hosted, seen, reposted, or disclosed by RedPacket Security. Any legal issues relating to the content should be directed at the attackers, not RedPacket Security. This blog is an editorial notice informing that a company has fallen victim to a ransomware attack. RedPacket Security is not affiliated with any ransomware threat actors or groups and will not host infringing content. The information on this page is automated and redacted whilst being scraped directly from the DEVMAN Onion Dark Web Tor Blog page.
AI Generated Summary of the Ransomware Leak Page
On November 5, 2025, a ransomware leak post surfaced for www.oucru.org, an education-sector organization based in Vietnam. The post, attributed to the Devman group, frames the incident as a data-theft operation rather than a straightforward encryption event, claiming that sensitive data was exfiltrated from the victim’s network and that a ransom is demanded. The page cites an initial ransom of 500k and notes that 120 GB of data has been stolen, with additional sections listing other data-volume figures (ranging from tens of gigabytes to hundreds of gigabytes) alongside a broad spectrum of dollar amounts in the millions. A countdown-like element accompanies several data-volume entries, which is typical in public leak posts meant to pressure negotiations. A claim URL is indicated as present on the page, suggesting an avenue for verification or negotiation. The leak page also includes a gallery of 37 image attachments described at a high level as screenshots or internal documents, with no detailed descriptions of their contents provided in this summary. The post contains a bilingual component, including a Russian-language section that is translated on the page into English.
The Russian-language portion, as presented with an English translation on the page, appears to convey an affiliate-recruitment message. It states that the attackers are seeking individuals who can provide access to other networks—including systems in Ukraine, Russia, Georgia, and companies owned by CIS-born entities—and promises rewards for successful access. The text outlines conditions such as a minimum deposit (around 10,000 USD) and cautions against brute-forcing or the use of stealers; it also references a forthcoming version (V2.1) and directs interested parties to contact a designated handle via the Tox network. This section signals an intent to scale the operation by enlisting external access providers, which aligns with broader double-extortion or affiliate-driven models observed in ransomware campaigns. The page notes that there are 37 image attachments and reiterates the presence of a claim URL, while continuing to present the data-volume and ransom figures seen earlier. The post does not disclose a publicly stated compromise date beyond the publish date, so the post date is treated as the reference point for timing. The victim remains identified as www.oucru.org.
