Ransomware Group: DEVMAN

VICTIM NAME: busaba[.]com

NOTE: No files or stolen information are [exfiltrated/downloaded/taken/hosted/seen/reposted/disclosed] by RedPacket Security. Any legal issues relating to the content of the files should be directed at the attackers directly, not RedPacket Security. This blog is simply posting an editorial news post informing that a company has fallen victim to a ransomware attack. RedPacket Security is in no way affiliated or aligned with any ransomware threat actors or groups and will not host infringing content. The information on this page is fully automated and redacted whilst being scraped directly from the DEVMAN Onion Dark Web Tor Blog page.

AI Generated Summary of the Ransomware Leak Page

busaba[.]com, a UK-based hospitality and tourism business, is identified as the victim in a ransomware leak page attributed to the threat actor group “devman.” The leak post is dated September 29, 2025, and states a ransom demand of 580,000 USD. The page frames the incident as a data-leak/extortion operation rather than a pure encryption event, asserting that a substantial volume of data was exfiltrated from busaba[.]com’s network. The narrative includes multiple figures related to data volumes and ransom amounts, presented as a running tally intended to underscore the scope and urgency. The dataset indicates a claim URL is present on the leak page, though the exact address is not disclosed here.

The leak page includes 21 image attachments described as screenshots or internal-document images. These images are hosted on onion services, and their contents are not described in detail within this summary. The presence of these screenshots alongside the ransom notes aligns with a double-extortion tactic, wherein attackers provide visual material to support their claim of data theft while pressuring the victim to respond to the demand.

Contextualizing the activity, the page exhibits a typical extortion pattern: a defined ransom figure, claimed exfiltration of data in varying magnitudes, countdown-like messaging, and instructions to engage via a forum-based channel. Because busaba[.]com operates in the hospitality and tourism sector and is located in the United Kingdom, the incident could carry regulatory and reputational implications should guest or corporate data be implicated. No explicit compromise date is stated beyond the post date listed above; the page presents the breach as publicly disclosed on that date, without a clear timeline for when the intrusion occurred. The leak emphasizes data-leak extortion rather than a straightforward encryption narrative, reflecting the evolving threat landscape facing the sector.