Intelligence Briefing Date: 2026-05-28
Source: ransomware.live (Live Dark Web Leak Site Monitor)
Analyst: Security Arsenal Intel Unit
Threat Actor Profile — DRAGONFORCE
DRAGONFORCE operates as an aggressive Ransomware-as-a-Service (RaaS) entity, recently observed pivoting from strictly industrial targets to a broader "spray and pray" approach affecting professional services and healthcare.
- Aliases: DragonForce (no confirmed rebrands yet, but tactics mirror defunct Twisted Spider operations).
- Model: RaaS with affiliate network. Affiliates handle initial access; core team develops encryption.
- Ransom Demands: $500,000 to $5,000,000 USD, typically demanding 10-20% of annual revenue based on stolen financials.
- Initial Access: Heavily reliant on external remote services. Dominant vectors include ConnectWise ScreenConnect exploitation, Microsoft Exchange vulnerabilities, and unsecured RDP/VPN endpoints.
- Extortion Strategy: Double extortion. Victims are posted to the leak site immediately after the timer expires (usually 3-5 days).
- Dwell Time: Short (average 3-7 days). The group moves rapidly from initial access to exfiltration to encryption.
Current Campaign Analysis
DRAGONFORCE executed a significant mass-posting event on 2026-05-27, listing 15 victims across diverse geographies. This indicates a high-volume exploitation phase, likely leveraging the ConnectWise ScreenConnect (CVE-2024-1708) vulnerability which surged in exploitation following its CISA KEV addition in April.
Targeted Sectors
The attack footprint has broadened from traditional manufacturing to:
- Transportation & Logistics: High-value targets (e.g., President Container Group).
- Technology: Software and IT services (e.g., Northbridge, Nemd).
- Agriculture/Food: Critical infrastructure disruption (e.g., Dunasgroen, Pieralisi).
- Healthcare: Ramos Rheumatology (US).
Geographic Concentration
- Primary: United Kingdom (GB), Canada (CA), Netherlands (NL).
- Secondary: United States (US), Singapore (SG), Italy (IT), Germany (DE).
Victim Profile
- Size: Mid-Market to Upper-Mid-Market ($50M - $1B revenue).
- Infrastructure: Heavy reliance on on-premise Exchange servers and remote access tools (ScreenConnect) is evident based on the exploited CVEs.
Observed Patterns & CVE Connection
The rapid-fire posting of 15 victims in 24 hours suggests automated deployment following successful exploitation of:
- CVE-2024-1708 (ConnectWise ScreenConnect): Likely entry point for Technology and Business Services victims.
- CVE-2025-52691 / CVE-2026-23760 (SmarterTools SmarterMail): Probable vector for the Consumer Services and Ag/Food sectors running mail gateways.
- CVE-2026-20131 (Cisco Secure Firewall): Potential bypass for network perimeter controls in larger logistics entities.
Detection Engineering
SIGMA Rules (Consolidated)
---
title: Potential ScreenConnect Authentication Bypass (CVE-2024-1708)
id: a1b2c3d4-5678-90ab-cdef-1234567890ab
description: Detects potential exploitation of ConnectWise ScreenConnect path traversal vulnerability leading to authentication bypass.
status: experimental
date: 2026/05/28
author: Security Arsenal
references:
    - https://www.cisa.gov/known-exploited-vulnerabilities-catalog
logsource:
    category: webserver
detection:
    selection:
        cs-uri-query|contains:
            - '_uri=%2f'
            - 'path='
    # Both selections must match (AND). Named selection_stem rather than filter,
    # because Sigma reserves the filter prefix for exclusions ("and not filter").
    selection_stem:
        cs-uri-stem|contains:
            - 'Login'
            - 'Setup'
    condition: selection and selection_stem
falsepositives:
    - Legitimate administrative login attempts (rare with this URI pattern)
tags:
    - cve.2024.1708
    - initial.access
    - ransomware.dragonforce
---
title: SmarterMail Unrestricted File Upload (CVE-2025-52691)
id: b2c3d4e5-6789-01bc-def2-234567890abc
description: Detects suspicious file upload patterns in SmarterMail logs indicative of exploitation.
status: experimental
date: 2026/05/28
author: Security Arsenal
logsource:
    product: windows
    service: iis
detection:
    selection:
        cs-uri-stem|contains: '/Services/Mail.asmx'
    selection_ext:
        cs-uri-query|contains:
            - '.aspx'
            - '.ashx'
    condition: selection and selection_ext
tags:
    - cve.2025.52691
    - webshell
    - initial.access
---
title: DragonForce Typical Lateral Movement via PsExec
id: c3d4e5f6-7890-12cd-ef23-345678901bcd
description: Detects PsExec execution patterns often used by DRAGONFORCE for lateral spread.
status: experimental
date: 2026/05/28
author: Security Arsenal
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\psexec.exe'
        # List values are OR-ed. '-s' is a very short token and will also match
        # paths and unrelated switches; tighten to '-s ' or require '-accepteula'
        # if the rule is noisy in your environment.
        CommandLine|contains:
            - '-accepteula'
            - '-s'
    condition: selection
tags:
    - execution
    - lateral.movement
    - attack.s1029
KQL Hunt Query (Microsoft Sentinel)
Hunt for pre-encryption staging, specifically mass file encryption or Shadow Copy deletion.
DeviceProcessEvents
| where Timestamp > ago(7d)
| where ProcessCommandLine has_any ('vssadmin', 'wbadmin', 'bcdedit')
| where ProcessCommandLine has_any ('delete', 'shadow', 'resize', 'quiet')
| project Timestamp, DeviceName, AccountName, FolderPath, ProcessCommandLine, InitiatingProcessFileName
| order by Timestamp desc
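The three SIGMA rules and the KQL hunt above encode the same kind of logic: per-field matching with modifiers, OR across list values, AND across named selections. The following Python block is an added example (not tooling from this briefing, from Security Arsenal or from ransomware.live) that implements exactly those semantics in a few lines and runs the rules over constructed IIS W3C log lines and process-creation records. It also expresses the shadow-copy hunt in the same form, using a KQL-style whole-term match that is labelled as not a Sigma modifier. The rule names, the sample log lines, the 203.0.113.x / 198.51.100.x addresses and the hostname FILESRV01 are all constructed for the example.

```python
# Added example, not tooling from the briefing: a minimal evaluator for the
# Sigma-style selections used above, run over constructed sample records.
# Implements only the modifiers those rules use (equality, |contains,
# |endswith) plus a KQL-style |has (whole-token match) that is NOT a Sigma
# modifier and exists here only to express the has_any() hunt the same way.
import re
from typing import Dict, List, Tuple

Record = Dict[str, str]

# "field|modifier": value-or-list. A list of values is OR; fields within one
# selection are AND; "condition" names the selections that must all match.
RULES = {
    "screenconnect_auth_bypass": {
        "selection": {"cs-uri-query|contains": ["_uri=%2f", "path="]},
        "selection_stem": {"cs-uri-stem|contains": ["Login", "Setup"]},
        "condition": ["selection", "selection_stem"],
    },
    "smartermail_upload": {
        "selection": {"cs-uri-stem|contains": "/Services/Mail.asmx"},
        "selection_ext": {"cs-uri-query|contains": [".aspx", ".ashx"]},
        "condition": ["selection", "selection_ext"],
    },
    "psexec_lateral": {
        "selection": {"Image|endswith": "\\psexec.exe",
                      "CommandLine|contains": ["-accepteula", "-s"]},
        "condition": ["selection"],
    },
    "shadow_copy_tamper": {  # the KQL hunt: both has_any() clauses must hit
        "selection_tool": {"CommandLine|has": ["vssadmin", "wbadmin", "bcdedit"]},
        "selection_verb": {"CommandLine|has": ["delete", "shadow", "resize", "quiet"]},
        "condition": ["selection_tool", "selection_verb"],
    },
}


def _match_value(value: str, modifier: str, pattern: str) -> bool:
    v, p = value.lower(), pattern.lower()   # Sigma string matching is case-insensitive
    if modifier == "":
        return v == p
    if modifier == "contains":
        return p in v
    if modifier == "endswith":
        return v.endswith(p)
    if modifier == "has":                    # KQL has: the pattern must be a whole token
        return p in re.split(r"[^a-z0-9_]+", v)
    raise ValueError(f"unsupported modifier: {modifier}")


def _match_selection(record: Record, selection: Dict) -> bool:
    for key, patterns in selection.items():
        field, _, modifier = key.partition("|")
        value = record.get(field, "")        # a field absent from the record never matches
        if isinstance(patterns, str):
            patterns = [patterns]
        if not any(_match_value(value, modifier, p) for p in patterns):
            return False
    return True


def evaluate(record: Record) -> List[str]:
    """Names of the rules whose condition the record satisfies."""
    return [name for name, rule in RULES.items()
            if all(_match_selection(record, rule[s]) for s in rule["condition"])]


def parse_iis_log(text: str) -> List[Record]:
    """Parse W3C extended log lines, taking column names from the #Fields directive."""
    fields: List[str] = []
    records: List[Record] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            records.append(dict(zip(fields, line.split())))
    return records


# Constructed sample data (documentation IP ranges, made-up hostnames).
SAMPLE_IIS_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2026-05-27 03:14:07 GET /Setup _uri=%2f 203.0.113.9 200
2026-05-27 03:15:22 GET /Login - 198.51.100.4 200
2026-05-27 03:16:01 POST /Services/Mail.asmx upload=cmd.ashx 203.0.113.9 200
"""

SAMPLE_PROCESS_EVENTS = [
    {"Image": "C:\\Tools\\PsExec.exe",
     "CommandLine": "PsExec.exe -accepteula -s \\\\FILESRV01 cmd.exe"},
    {"Image": "C:\\Windows\\System32\\vssadmin.exe",
     "CommandLine": "vssadmin.exe delete shadows /all /quiet"},
    {"Image": "C:\\Windows\\System32\\svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs -s Schedule"},   # benign "-s": no hit
]


def scan_web_log(text: str) -> List[Tuple[str, List[str]]]:
    return [(r["cs-uri-stem"], evaluate(r)) for r in parse_iis_log(text)]


def scan_process_events(events: List[Record]) -> List[Tuple[str, List[str]]]:
    return [(e["CommandLine"], evaluate(e)) for e in events]


if __name__ == "__main__":
    for stem, hits in scan_web_log(SAMPLE_IIS_LOG):
        print(f"{stem:25} -> {hits or 'clean'}")
    for cmd, hits in scan_process_events(SAMPLE_PROCESS_EVENTS):
        print(f"{cmd[:40]:40} -> {hits or 'clean'}")
```

The svchost record is there to show why the process rule is anchored on the image name: its command line contains "-s" too, but the Image field fails the endswith check and the selection as a whole does not match. The `has` token match likewise keeps "shadow" from matching "shadows" the way a substring `contains` would, which is the same distinction KQL draws between `has` and `contains`.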
PowerShell Rapid Response Script
Enumerate suspicious scheduled tasks created in the last 24 hours, a common persistence mechanism for DRAGONFORCE.
<#
.SYNOPSIS
    Checks for Scheduled Tasks created/modified in the last 24 hours.
.DESCRIPTION
    DragonForce often utilizes Scheduled Tasks for persistence. This script identifies anomalies.
    Two timestamps are checked: RegistrationInfo/Date inside the task XML (set by whoever
    registered the task, so it can be backdated) and the last write time of the task
    definition file under %SystemRoot%\System32\Tasks (set by the OS). A task is flagged
    if either falls inside the window.
#>
$DateThreshold = (Get-Date).AddDays(-1)

Get-ScheduledTask | ForEach-Object {
    $TaskInfo = $_
    # Export-ScheduledTask returns the definition as an XML string; cast it to [xml]
    # so RegistrationInfo (Author, Date) can be read as properties.
    [xml]$TaskXml = Export-ScheduledTask -TaskName $TaskInfo.TaskName -TaskPath $TaskInfo.TaskPath
    $Registration = $TaskXml.Task.RegistrationInfo

    # Task definition files are stored without an extension, e.g.
    # C:\Windows\System32\Tasks\Microsoft\Windows\Defrag\ScheduledDefrag
    $TaskFile = Join-Path "$env:SystemRoot\System32\Tasks" ($TaskInfo.TaskPath + $TaskInfo.TaskName)

    $Timestamps = @()
    if ($Registration -and $Registration.Date) {
        $Timestamps += [datetime]$Registration.Date
    }
    if (Test-Path $TaskFile) {
        $Timestamps += (Get-Item $TaskFile).LastWriteTime
    }

    $Recent = $Timestamps | Where-Object { $_ -gt $DateThreshold }
    if ($Recent) {
        Write-Warning "[!] Suspicious Recent Task: $($TaskInfo.TaskName)"
        Write-Host "    Path:       $($TaskInfo.TaskPath)"
        Write-Host "    Timestamps: $($Timestamps -join ', ')"
        Write-Host "    Author:     $($Registration.Author)`n"
    }
}
---
Incident Response Priorities
T-Minus Detection Checklist (Pre-Encryption)
- Check ScreenConnect Logs: Review ScreenConnect_<WebSite>_Log.txt for URI anomalies from 2026-04-28 to present.
- Exchange IIS Logs: Hunt for POST requests to /ecp/ or /owa/ containing deserialization payloads.
- MFA Audits: Identify any accounts that recently bypassed MFA or logged in from new geolocations (NE, SG, NL).
Critical Assets for Exfiltration
DRAGONFORCE focuses on data that disrupts operations:
- Logistics manifests and shipment schedules (Transportation sector).
- Source code and IP repositories (Technology sector).
- Patient records (Healthcare).
Containment Actions
- Isolate: Immediately disconnect internet-facing Exchange and ScreenConnect servers from the internal network.
- Disable: Disable local administrator accounts on endpoints.
- Suspend: Suspend integration accounts used for EDI/logistics data transfer.
Hardening Recommendations
Immediate (24 Hours)
- Patch Critical CVEs: Apply patches for CVE-2024-1708 (ScreenConnect) and CVE-2026-23760 (SmarterMail) immediately.
- Block Access: Restrict access to the /Setup and /Login paths on ScreenConnect interfaces to known IP ranges via WAF.
- MFA Enforcement: Enforce hardware-token based MFA for all remote access (VPN/RDP) and cloud email admin consoles.
Short-Term (2 Weeks)
- Network Segmentation: Move Exchange and Remote Access tools to a dedicated DMZ with strict egress filtering.
- EDR Deployment: Ensure EDR coverage is 100% on critical servers, specifically monitoring for PsExec and WMI execution.
- Backup Integrity: Perform a restore test of your most recent offline backup.