Ransomware Group: DEVMAN

VICTIM NAME: www[.]chicagobotanic[.]org

NOTE: No files or stolen information are [exfiltrated/downloaded/taken/hosted/seen/reposted/disclosed] by RedPacket Security. Any legal issues relating to the content of the files should be directed at the attackers directly, not RedPacket Security. This blog is simply posting an editorial news post informing that a company has fallen victim to a ransomware attack. RedPacket Security is in no way affiliated or aligned with any ransomware threat actors or groups and will not host infringing content. The information on this page is fully automated and redacted whilst being scraped directly from the DEVMAN Onion Dark Web Tor Blog page.

AI Generated Summary of the Ransomware Leak Page

The leak page concerns the US-based educational institution operating under the domain www[.]chicagobotanic[.]org[.] The post is attributed to theDevMan group and is dated September 29, 2025. It presents a data-extortion narrative rather than a straightforward encryption event, claiming that sensitive data from the victim has been exfiltrated and that a ransom is demanded. The stated ransom amount is USD 590,000. The page designates the victim’s sector as Education and includes a gallery of 26 image attachments intended as evidence of the breach; no direct download links are shown on the page itself. The post’s chronology and format align with typical ransomware leak pages that publicly pressure victims to pay.

The body text on the page appears to enumerate numerous data-volume figures and ransom-related references, with claims of exfiltrated data ranging from hundreds of gigabytes to multiple terabytes. The content also contains forum-style extortion language, including a minimum deposit requirement (listed as USD 10,000) and guidelines for affiliates, along with a directive to contact the attackers via private messages on the forum. When viewed together with the 26 image attachments, the material presents a public-facing effort to showcase evidence and pressure the victim into payment. The page does not reveal accessible download options beyond the showcased images.

For defenders, this case underscores the ongoing prevalence of extortion-driven ransomware tactics targeting educational institutions. The combination of image-backed evidence, a mid-range ransom demand (USD 590,000), and forum-based affiliate guidelines reflects common patterns in modern data-leak campaigns. Organizations should assess their backups and data-handling practices, monitor threat-actor forums for related leak pages, and coordinate with incident response and law enforcement as appropriate when confronted with such postings.