[DEVMAN] – Ransomware Victim: fhw[.]org

NOTE: No files or stolen information are exfiltrated, downloaded, taken, hosted, seen, reposted, or disclosed by RedPacket Security. Any legal issues relating to the content should be directed at the attackers, not RedPacket Security. This blog is an editorial notice informing that a company has fallen victim to a ransomware attack. RedPacket Security is not affiliated with any ransomware threat actors or groups and will not host infringing content. The information on this page is automated and redacted whilst being scraped directly from the DEVMAN Onion Dark Web Tor Blog page.

Ransomware group: DEVMAN
Victim name: FHW[.]ORG

AI Generated Summary of the Ransomware Leak Page

fhw.org, a healthcare organization, is identified as a victim on a ransomware leak page attributed to the actor group DEVMAN. The post is dated October 28, 2025, and presents the incident as data theft rather than a traditional encrypt-and-destroy event. The leak page states that approximately 120 GB of fhw.org data has been stolen and lists an initial ransom figure of 700k (USD). The page also displays a range of data-size references and ransom values (e.g., 60 GB, 120 GB, 400 GB) within a grid-like excerpt, suggesting a negotiation framework or variable quotes rather than a single fixed price. The post includes 37 image attachments described as screenshots of internal documents or related imagery, though the contents of those images are not detailed in this summary. A claim URL is indicated on the page, but the specific link is not reproduced here. The content is presented in both English and Russian, with the Russian portion appearing as a recruitment-style note that discusses protecting CIS-region companies and offers rewards for access to targeted networks, while warning against brute-forcing or the use of stealers. A Tox contact is provided for negotiation, though the exact address is redacted in this report.

The page’s post date serves as the publication date since a precise compromise date is not provided. The body excerpt features a dense, tabulated set of “data theft” entries and countdown-style wording such as “Time remaining,” paired with multiple data sizes and ransom figures, which aligns with a multi-scenario extortion approach rather than a single, static demand. The content indicates ongoing exfiltration activity and the potential for data release, consistent with double-extortion tactics commonly used in ransomware campaigns. In addition to the textual content, the leak page hosts a gallery of 37 image attachments (likely internal documents or branding screenshots), though the exact visuals are not described here. Overall, the page confirms fhw.org as a healthcare sector victim, outlines a ransom-and-exfiltration narrative, and includes bilingual messaging and a recruitment pitch that emphasizes monetizing access to CIS-region networks.
