Threat Actor Profile — DRAGONFORCE
- Aliases: None confirmed (likely distinct from DragonForce 2.0).
- Model: Ransomware-as-a-Service (RaaS) with affiliates specializing in network penetration.
- Ransom Demands: Estimated $500,000 to $3,000,000 USD, based on victim revenue tiers observed in recent postings.
- Initial Access: Heavily reliant on unpatched external-facing appliances (VPNs, firewalls) and remote management software (ScreenConnect, RDP). The recent cluster of CVEs suggests a shift toward exploiting enterprise management infrastructure.
- Tactics: Double extortion is standard; data is staged for exfiltration prior to encryption. DRAGONFORCE affiliates have been observed using Cobalt Strike beacons for lateral movement and custom PowerShell scripts for discovery.
- Dwell Time: Short to moderate (3–10 days). The group moves quickly from initial access to exfiltration to maximize pressure before detection.
Current Campaign Analysis
Sectors Targeted
The May 27, 2026 posting dump indicates a diverse but focused campaign:
- Business Services & Consumer Services: 5 victims total (e.g., practicus.co.uk, ksmart.ca). This sector is targeted for high volumes of PII and business-sensitive data.
- Transportation & Logistics: High impact targeting (President Container Group).
- Technology & Manufacturing: 3 victims combined (northbridge.com, fabbricausa.com), suggesting supply chain targeting.
- Healthcare: Ramos Rheumatology (US) indicates a willingness to target sensitive HIPAA-regulated data despite increased scrutiny.
Geographic Concentration
Primarily US (4), GB (4), and Western Europe (NL, DE, IT). There is a notable lack of targeting in LATAM or APAC in this specific batch, suggesting English-speaking affiliates or timezone-specific operations.
Victim Profile
Targets range from mid-market specialty firms (Ramos Rheumatology, Waypoint Solutions) to larger logistics entities. The selection of Agri-Food (Dunasgroen, Pieralisi) suggests opportunistic scanning of vertical-specific software.
Escalation Patterns
A "mass posting" event occurred on 2026-05-27, releasing 15 victims simultaneously. This pattern is typical of RaaS operations where affiliates batch-process negotiations that have stalled or failed.
CVE Correlation
There is a strong correlation between the recent victims and the CVE-2024-1708 (ConnectWise ScreenConnect) vulnerability. Given the prevalence of ScreenConnect in managed IT environments (Business Services and Tech sectors), this is the likely primary vector for the recent surge. Additionally, CVE-2025-52691 (SmarterMail) may have facilitated access to the Technology and Business Services victims.
Detection Engineering
SIGMA Rules
---
title: Potential ScreenConnect Authentication Bypass Exploitation
id: c8a3b1c2-4f5e-6a7b-8c9d-0e1f2a3b4c5d
description: Detects potential exploitation of CVE-2024-1708 in ConnectWise ScreenConnect via suspicious URI patterns or abnormal process execution paths.
status: experimental
date: 2026/05/29
author: Security Arsenal Research
references:
    - https://www.cisa.gov/known-exploited-vulnerabilities-catalog
tags:
    - attack.initial_access
    - attack.t1190
    - cve.2024.1708
logsource:
    category: web
detection:
    # The handler path is recorded in the URI stem, not the query string;
    # the two list items below are OR-ed, as in the original selection.
    selection_uri:
        - cs-uri-stem|contains: '/Bin/ScreenConnect.ashx'
        - cs-uri-query|contains: 'Host='
    selection_method:
        cs-method: 'POST'
    filter_legit:
        cs-user-agent|contains: 'ScreenConnect'
    condition: selection_uri and selection_method and not filter_legit
falsepositives:
    - Legitimate administrative access via unusual user agents
level: critical
---
title: SmarterMail Unrestricted File Upload Exploitation
id: d9b4c2d3-5e6f-7b8c-9d0e-1f2a3b4c5d6e
description: Detects exploitation of CVE-2025-52691 in SmarterTools SmarterMail via suspicious file upload patterns to "/LiveChat/" or similar endpoints.
status: experimental
date: 2026/05/29
author: Security Arsenal Research
references:
    - https://www.cisa.gov/known-exploited-vulnerabilities-catalog
tags:
    - attack.initial_access
    - attack.t1190
    - cve.2025.52691
logsource:
    category: web
detection:
    selection:
        cs-uri-query|contains:
            - '.aspx'
        cs-uri-stem|contains:
            - '/LiveChat'
        cs-method: 'POST'
    condition: selection
falsepositives:
    - Legitimate chat file attachments
level: high
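Both web rules above are substring matches over IIS W3C log fields. The following is an added Python example, not part of the original report, that parses a constructed W3C log and evaluates each rule the way a Sigma backend would: list items are OR-ed, map keys are AND-ed, string matching is case-insensitive, and the filter is negated in the condition. The sample log lines, the field names (taken from a typical IIS #Fields header), and checking the ScreenConnect handler path against cs-uri-stem (where IIS records the path) are my assumptions.

```python
"""Added example (not from the original report): evaluate the two web-log Sigma
rules above against IIS W3C log lines. Sample log lines are constructed."""
from __future__ import annotations

# Constructed IIS W3C sample. IIS replaces spaces inside a field with '+', so
# each line splits cleanly on single spaces; the #Fields line names the columns.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-uri-query cs(User-Agent) sc-status
2026-05-27 02:14:07 POST /Bin/ScreenConnect.ashx Host=10.0.0.5 python-requests/2.31 200
2026-05-27 02:15:11 POST /Bin/ScreenConnect.ashx Host=10.0.0.5 ScreenConnect/23.9 200
2026-05-27 02:16:40 GET /Bin/ScreenConnect.ashx Host=10.0.0.5 python-requests/2.31 200
2026-05-27 03:01:22 POST /LiveChat/UploadAttachment file=shell.aspx Mozilla/5.0+(Windows) 200
2026-05-27 03:02:10 POST /LiveChat/UploadAttachment file=photo.png Mozilla/5.0+(Windows) 200
2026-05-27 03:05:00 GET /Login.aspx - Mozilla/5.0+(Windows) 200
"""

# Each rule: `selection` is a list of clauses AND-ed together; a clause is a list
# of (field, modifier, value) alternatives OR-ed together, mirroring how a Sigma
# list-of-maps is evaluated. `filter` clauses are negated in the condition.
RULES = {
    "Potential ScreenConnect Authentication Bypass Exploitation": {
        "selection": [
            [("cs-uri-stem", "contains", "/Bin/ScreenConnect.ashx"),
             ("cs-uri-query", "contains", "Host=")],
            [("cs-method", "equals", "POST")],
        ],
        "filter": [[("cs(User-Agent)", "contains", "ScreenConnect")]],
    },
    "SmarterMail Unrestricted File Upload Exploitation": {
        "selection": [
            [("cs-uri-query", "contains", ".aspx")],
            [("cs-uri-stem", "contains", "/LiveChat")],
            [("cs-method", "equals", "POST")],
        ],
        "filter": [],
    },
}


def parse_w3c(text: str) -> list[dict[str, str]]:
    """Turn W3C extended log text into dicts keyed by the #Fields column names."""
    fields: list[str] = []
    rows: list[dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue  # other directives and blank lines carry no request data
        else:
            values = line.split(" ")
            if fields and len(values) == len(fields):
                rows.append(dict(zip(fields, values)))
    return rows


def _term(row: dict[str, str], field: str, mod: str, value: str) -> bool:
    # Sigma string matching is case-insensitive by default
    actual = row.get(field, "").lower()
    value = value.lower()
    return value in actual if mod == "contains" else actual == value


def _clauses_match(row: dict[str, str], clauses) -> bool:
    return all(any(_term(row, *alt) for alt in clause) for clause in clauses)


def evaluate(text: str) -> list[tuple[str, str]]:
    """Return (time, rule title) for every row satisfying `selection and not filter`."""
    hits: list[tuple[str, str]] = []
    for row in parse_w3c(text):
        for title, rule in RULES.items():
            selected = _clauses_match(row, rule["selection"])
            filtered = bool(rule["filter"]) and _clauses_match(row, rule["filter"])
            if selected and not filtered:
                hits.append((row["time"], title))
    return hits


if __name__ == "__main__":
    for when, title in evaluate(SAMPLE_LOG):
        print(f"{when}  {title}")
```

Run against the sample, only the first ScreenConnect POST (unknown user agent) and the .aspx upload to /LiveChat fire; the POST carrying a ScreenConnect user agent is suppressed by the filter, and GET requests never satisfy the method clause.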
---
title: Ransomware Pattern - Shadow Copy Deletion via VssAdmin
id: e0c5d3e4-6f7g-8c9d-0e1f-2a3b4c5d6e7f
description: Detects attempts to delete shadow copies using vssadmin, a common precursor to encryption by DRAGONFORCE and other ransomware groups.
status: experimental
date: 2026/05/29
author: Security Arsenal Research
tags:
    - attack.impact
    - attack.t1490
logsource:
    category: process_creation
detection:
    selection:
        Image|endswith: '\vssadmin.exe'
        CommandLine|contains:
            - 'delete shadows'
            - 'resize shadowstorage'
    condition: selection
falsepositives:
    - System administration tasks
level: critical
KQL (Microsoft Sentinel)
// Hunt for lateral movement and potential DRAGONFORCE staging activity
// Looks for PsExec, WMI, and SMB activity often used before encryption
let TimeFrame = 1d;
DeviceProcessEvents
| where Timestamp >= ago(TimeFrame)
// Identify the tool by its original file name (survives renaming) or on-disk name.
// Matching on CompanyName 'Microsoft Corporation' would select nearly every
// process on the host, so it is not used as a selector here.
| where ProcessVersionInfoOriginalFileName in~ ('psexec.c', 'psexec.exe', 'psexec64.exe', 'psexesvc.exe', 'wmic.exe')
    or FileName in~ ('psexec.exe', 'psexec64.exe', 'psexesvc.exe', 'wmic.exe')
// Remote target (UNC path), PsExec EULA flag, or WMI remote process creation
| where ProcessCommandLine has_any ("\\\\", "-accepteula", "process call create")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName
| order by Timestamp desc
PowerShell Script
<#
.SYNOPSIS
Rapid Response Script for DRAGONFORCE Indicators
.DESCRIPTION
Checks for recent scheduled task creation (persistence), abnormal Volume
Shadow Copy Service (VSS) state (destruction), and recent RDP logons.
Run from an elevated PowerShell session on the host under investigation.
#>
Write-Host "[+] Checking for Scheduled Tasks created in the last 7 days..."
$Date = (Get-Date).AddDays(-7)
# The Date property comes from the task XML as a string and is often empty,
# so cast it before comparing and skip tasks that carry no registration date.
Get-ScheduledTask |
    Where-Object { $_.Date -and ([datetime]$_.Date -gt $Date) } |
    Select-Object TaskName, TaskPath, Date, Author

Write-Host "[+] Checking Volume Shadow Copy Storage status..."
try {
    # Get-CimInstance replaces the deprecated Get-WmiObject
    $vss = Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction Stop
    if ($vss) {
        Write-Host "[!] Found Shadow Copies:" -ForegroundColor Green
        $vss | Select-Object ID, VolumeName, InstallDate
    } else {
        Write-Host "[!!!] CRITICAL: No Shadow Copies found. Possible deletion event." -ForegroundColor Red
    }
} catch {
    Write-Host "[Error] Could not query VSS: $_" -ForegroundColor Yellow
}

Write-Host "[+] Checking for RDP (logon type 10) connections in the last 24h..."
# Event 4624 message fields are tab-separated ("Logon Type:<tabs>10"), so match
# on whitespace rather than a single space. Logon type 10 = RemoteInteractive (RDP).
$RDPEvents = Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4624; StartTime=(Get-Date).AddHours(-24)} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Logon Type:\s+10\b' -and $_.Message -notmatch 'Source Network Address:\s+-' }
if ($RDPEvents) {
    $RDPEvents | Select-Object TimeCreated, Message
} else {
    Write-Host "No RDP logons with a source network address found in the last 24h."
}
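The RDP check above keys on the 4624 message text, whose labels and values are separated by tab runs, and it cannot tell an internal jump host from an outside source. As an added example, not part of the original script, the Python below parses constructed 4624 message bodies with whitespace-tolerant patterns, takes the account from the "New Logon" section rather than the "Subject" section, and flags type-10 logons whose source address falls outside a set of internal ranges. The message builder, the sample events, and the internal ranges are my assumptions; the ranges are site-specific and must be adjusted.

```python
"""Added example (not from the original report): parse Windows Security event 4624
message text and keep RDP (logon type 10) logons, optionally only those arriving
from outside the ranges treated as internal. Events and ranges are constructed."""
from __future__ import annotations

import ipaddress
import re


def make_4624(logon_type: int, account: str, source: str) -> str:
    """Build a constructed 4624 message body with the tab layout the Event Log uses."""
    return (
        "An account was successfully logged on.\r\n\r\n"
        "Subject:\r\n\tSecurity ID:\t\tS-1-0-0\r\n\tAccount Name:\t\t-\r\n\r\n"
        f"Logon Information:\r\n\tLogon Type:\t\t{logon_type}\r\n\r\n"
        "New Logon:\r\n\tSecurity ID:\t\tS-1-5-21-1-2-3-1001\r\n"
        f"\tAccount Name:\t\t{account}\r\n\tAccount Domain:\t\tCORP\r\n\r\n"
        "Network Information:\r\n\tWorkstation Name:\tWS01\r\n"
        f"\tSource Network Address:\t{source}\r\n\tSource Port:\t\t50234\r\n"
    )


# Constructed sample events
SAMPLE_EVENTS = [
    make_4624(10, "jdoe", "203.0.113.7"),       # RDP from outside the internal ranges
    make_4624(10, "svc_backup", "10.0.0.55"),   # RDP from an internal address
    make_4624(3, "jdoe", "203.0.113.7"),        # network logon (e.g. SMB), not RDP
    make_4624(10, "admin", "-"),                # RDP with no source address recorded
]

# Ranges treated as internal; site-specific assumption, adjust to your environment.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def parse_4624(message: str) -> dict:
    """Extract logon type, the New Logon account and the source address.
    \\s+ tolerates the tab runs; a pattern with a single space would never match."""
    logon_type = re.search(r"Logon Type:\s+(\d+)", message)
    # Non-greedy match after "New Logon:" skips the Subject section's Account Name
    account = re.search(r"New Logon:.*?Account Name:\s+(\S+)", message, re.S)
    source = re.search(r"Source Network Address:\s+(\S+)", message)
    return {
        "logon_type": int(logon_type.group(1)) if logon_type else None,
        "account": account.group(1) if account else None,
        "source": source.group(1) if source else None,
    }


def is_internal(addr: str) -> bool:
    """True if addr parses as an IP inside INTERNAL_NETS; '-' and hostnames are not."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in INTERNAL_NETS)


def rdp_logons(messages, external_only: bool = False) -> list[dict]:
    """Type-10 logons that carry a source address; optionally only external sources."""
    out = []
    for msg in messages:
        ev = parse_4624(msg)
        if ev["logon_type"] != 10 or ev["source"] in (None, "-"):
            continue
        if external_only and is_internal(ev["source"]):
            continue
        out.append(ev)
    return out


if __name__ == "__main__":
    for ev in rdp_logons(SAMPLE_EVENTS, external_only=True):
        print(f"external RDP logon: {ev['account']} from {ev['source']}")
```

Using the event's XML properties (logon type and IpAddress fields) is more robust than message parsing on hosts with non-English locales; the regex approach is kept here because it mirrors the script above.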
Incident Response Priorities
T-minus Detection Checklist
- ScreenConnect Audit: Immediate review of ScreenConnect logs for web shell creation or anomalous session launches on 2026-05-26 through 2026-05-29.
- Exchange/Mail Server Logs: Hunt for IIS logs indicating deserialization attacks on /Autodiscover or /EWS endpoints (linked to CVE-2023-21529).
- Scheduled Tasks: Look for tasks named "Update," "Chrome," or "Defender" created by non-system accounts in the last 48 hours.
Critical Assets for Exfiltration
Based on the victim profile, DRAGONFORCE prioritizes:
- Patient Records (Healthcare): Ramos Rheumatology suggests high value in PHI.
- Client Lists/Contracts (Business Services): Practicus and Waypoint Solutions indicate targeting of B2B relationship data.
- Intellectual Property (Manufacturing/Tech): Pieralisi and Northbridge suggest CAD files or proprietary source code are targeted.
Containment Actions (Ordered by Urgency)
- Isolate: Disconnect identified victims and any management servers (ScreenConnect, RMM) from the network immediately.
- Disable Accounts: Suspend service accounts associated with VPNs and Exchange servers.
- Block IPs: Firewall block on external IPs found in suspicious IIS or ScreenConnect logs.
Hardening Recommendations
Immediate (24 Hours)
- Patch CVE-2024-1708: Ensure all ConnectWise ScreenConnect instances are updated to the latest patched version immediately.
- MFA Enforcement: Enforce phishing-resistant MFA on all VPN and remote access portals.
- RDP Restriction: Disable RDP from the internet; enforce ZTNA or VPN-only access.
Short-term (2 Weeks)
- Network Segmentation: Separate IT management tools from production segments. The attackers leveraged management consoles to pivot.
- Egress Filtering: Implement strict egress rules on mail servers and web servers to prevent C2 beaconing and data exfiltration.
- Audit Service Accounts: Review permissions for service accounts linked to Exchange and Cisco FMC (CVE-2026-20131).