Massive Ransomware Strike: Malaysian ICT Firm Targeted and Held at Ransom

Listen to this Post

Featured Image

Introduction

A quiet but alarming upheaval has just rippled through the Southeast Asian tech scene. On November 4, 2025, intelligence surfaced that HeiTech Padu Berhad — a leading Malaysian ICT service provider — is reportedly the victim of a hefty cyber‑attack. The online gang behind this? Devman, a growing ransomware actor that claims to have exfiltrated 60 GB of data and is demanding a staggering US $500,000 ransom. The hit sends a clear signal: no organization, regardless of geography or size, is immune from the dark web’s shadowy threats.

Summary

According to a social‑media alert by Dark Web Intelligence, HeiTech Padu Berhad (an ICT services firm) has allegedly fallen victim to Devman ransomware. The attackers claim they have taken 60 GB of data and are demanding a ransom of $500 000 for its return. This follows a broader pattern: Devman is no longer just a minor affiliate but is stepping up its operations. Recent threat‑intelligence sources describe Devman as emerging out of the codebase of another prolific ransomware strain, linking into the infamous DragonForce family.

cyble.com

+3

Medium

+3

Hive Pro

+3

In Malaysia specifically, one incident reported on October 28 2025 involved Devman demanding $500 000 after claiming 60 GB of data extraction from a Malaysian company.

dexpose.io

The broader context: ransomware attacks are rising globally, both in volume and sophistication, increasingly targeting non‑traditional sectors beyond finance and healthcare.

Industrial Cyber

For HeiTech, if the claims hold true, this is a critical security breach with implications for clients, reputation, and regulatory exposure.

What Undercode Say:

This incident holds multiple layers of significance.

First, it shows that even ICT service providers — firms one might assume are professionally hardened against cyber‑threats — remain extremely vulnerable. The very organizations whose job is to secure infrastructure are now being targeted as gateways or lucrative high‑value targets themselves.
Second, the ransom demand ($500 k) and claimed data size (60 GB) align with the “double‑extortion” model: exfiltrate, threaten, then encrypt. The fact that Devman claims data extraction before ransom puts them firmly in the modern ransomware playbook: it’s no longer just about locking up files but also about brand damage, leak risk, and regulatory fallout.
Third, Devman’s evolution is notable. Threat intelligence reveals it is a derivative of the DragonForce ransomware family, leaning on its codebase but branching into new territory.

Medium

+2

broadcom.com

+2

This may signal that DragonForce’s infrastructure is fragmenting and spawning new actors — creating a proliferating ecosystem of affiliated threats, making attribution harder and response more complex.
Fourth, for organizations in Southeast Asia and globally: this breach should act as a clarion call. Standard defences (back‑ups, firewalls, anti‑virus) are no longer sufficient. The attackers now assume persistence, lateral movement, supply‑chain access, and the ability to exploit trusted vendors. In the case of HeiTech, as an ICT provider, the risk is even greater: if their systems are compromised, their customers may be exposed too.

Here’s what organizations should learn and act on:

Assume breach, not just attack risk. If you’re a service provider, think about breach impact across supply‑chain.

Segmentation & least privilege matter. The lateral movement capability described in Devman’s reports means once inside, the attacker can access large swaths of network.

Immutable backups must exist — offline, tamper‑proof. If data is stolen, backups alone won’t fix the reputational damage or leak threat.

Continuous threat‑intelligence and dark‑web monitoring are vital. Knowing when you’ve been mentioned in leak forums may give early shot at containment.

Vendor‑risk governance is no longer optional. Organisations must audit and monitor providers and partners proactively.
Finally, this attack might also preview regulatory consequences. For a Malaysian firm, depending on the data compromised (personal data of customers/clients), local privacy laws or contractual obligations may force disclosures, fines or reputational losses.
In short: the HeiTech hit is not just another “I‑locked‑your‑files” event — it is emblematic of the modern ransomware threat: professionalised, supply‑chain aware, double‑extortion oriented, and now targeting tech‑infrastructure suppliers. Service providers must rise to defend in a new paradigm.

Fact Checker Results:

✅ Devman is confirmed as a new ransomware variant derived from the DragonForce family.

Hive Pro

+1

❌ Specific public verification (by HeiTech Padu Berhad) of the 60 GB exfiltration and $500k demand has not yet been disclosed in mainstream media.
✅ Ransomware attacks globally are increasing in sophistication and breadth, beyond traditional sectors.

Industrial Cyber

+1

Prediction:

🔮 Expect a surge of attacks targeting IT and service‑vendors over the next 6‑12 months. Ransomware actors will treat these providers as high‑value “pivot” points, because compromising them gives access to many downstream organisations.
🔮 We’ll likely see more episodes of affiliated ransomware groups (e.g., Devman) splitting off from larger families (like DragonForce) and adopting more aggressive exfiltration + leak‑site models.
🔮 Regulators around the world, especially in APAC, will wake up to the risk of ICT‑provider compromise and may impose stricter vendor‑risk and breach‑notification rules — making these kinds of attacks not just a technical incident but a regulatory nightmare.
🔮 Organisations that ignored supply‑chain risk will face either higher ransom demands or will be publicly shamed via leaked client information — making reputational damage a key part of the perpetrator’s strategy.
🔮 Ultimately, the ransom amounts may continue to rise, but the greatest cost will be downstream: lawsuits, customer losses, vendor‑trust collapse. The era of “just encrypting the network” is giving way to “encrypt + leak + hold all partners hostage.”

🕵️‍📝✔️Let’s dive deep and fact‑check.

References:

Reported By: x.com
Extra Source Hub (Possible Sources for article):
https://www.instagram.com
Wikipedia
OpenAi & Undercode AI

Image Source:

Unsplash
Undercode AI DI v2
Bing

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeNews & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky | 🐘Mastodon