Back to Intelligence

DRAGONFORCE Ransomware: 15-Victim Surge — Cross-Sector Blitz & Critical CVE Exploitation

SA
Security Arsenal Team
May 28, 2026
7 min read

Aliases: None publicly confirmed (operations appear under single brand). Model: Ransomware-as-a-Service (RaaS) with affiliate-driven initial access. DRAGONFORCE maintains a centralized leak site and negotiation portal, suggesting a mature profit-sharing model with skilled penetration testers acting as affiliates.

Tactics & Operations:

  • Ransom Demands: Typically ranges from $500k to $5m USD, varying strictly based on victim revenue and perceived data value.
  • Initial Access: Historically relies on exposed internet-facing services. The recent correlation with CISA KEV listings suggests a heavy pivot toward exploiting remote management tools (ConnectWise ScreenConnect) and development utilities (Nx Console).
  • Double Extortion: Strict adherence to double extortion. Victims are given a short countdown (typically 3-5 days) before data is published. Data exfiltration occurs via custom PowerShell uploaders and Rclone prior to encryption.
  • Dwell Time: Short. DRAGONFORCE affiliates typically move laterally and detonate encryption within 48-72 hours of initial access to minimize defender response time.

Current Campaign Analysis

Campaign Velocity: DRAGONFORCE posted 15 new victims on 2026-05-27 alone, indicating a high-velocity campaign likely automated or supported by a large affiliate network.

Sector Targeting: The group is displaying a "spray and pray" approach regarding industry verticals, but with a notable skew towards:

  • Business Services (26%): 4 victims (Practicus, Waypoint Solutions, ERH, Profundo).
  • Consumer Services & Logistics: 3 victims in Consumer Services, 1 in major Logistics (President Container Group).
  • Critical Infrastructure Adjacent: Agriculture & Food Production (2 victims) and Healthcare (Ramos Rheumatology).

Geographic Concentration:

  • Primary: United States (4), United Kingdom (4), Canada (2), Netherlands (2).
  • Secondary: Germany, Italy, Niger. This suggests English-speaking and Western European nations are the primary hunting grounds, with specific interest in supply chain partners (Logistics/Ag).

Initial Access Vectors & CVE Correlation: The inclusion of CVE-2024-1708 (ConnectWise ScreenConnect) and CVE-2026-48027 (Nx Console) in the KEV list alongside this victim surge strongly correlates with the attack vector.

  • CVE-2024-1708: Allows path traversal and RCE. This is a likely vector for the Technology and Business Services victims (Northbridge, Practicus) who likely manage remote endpoints.
  • CVE-2026-48027: The "Nx Console" vulnerability (Embedded Malicious Code) suggests a supply chain or developer-targeted attack, potentially explaining the Technology sector hits.

Detection Engineering

The following detection logic targets the specific TTPs associated with DRAGONFORCE's observed use of ScreenConnect, lateral movement, and data staging.

SIGMA Rules

YAML
title: Potential DragonForce ScreenConnect Exploitation CVE-2024-1708
id: a1b2c3d4-e5f6-4a5b-8c6d-1e2f3a4b5c6d
status: experimental
description: Detects potential exploitation of ConnectWise ScreenConnect authentication bypass or path traversal vulnerabilities associated with DragonForce activity.
references:
    - https://www.cisa.gov/known-exploited-vulnerabilities-catalog
author: Security Arsenal Research
date: 2026/05/28
tags:
    - attack.initial_access
    - cve.2024.1708
    - dragonforce
logsource:
    category: web
    product: apache
    service: access
detection:
    selection:
        cs-uri-query|contains:
            - 'SetupWizard'
            - 'Target='
            - '.aspx'
        cs-method: 'POST'
    filter:
        sc-status: 200
    condition: selection and filter
falsepositives:
    - Legitimate administrative setup (rare in production)
level: critical
---
title: DragonForce Mass Data Staging via Rclone
description: Detects the use of rclone for data exfiltration, a common tool in DRAGONFORCE double extortion playbooks.
id: b2c3d4e5-f6a7-4b5c-9d7e-2f3g4h5i6j7k
status: experimental
author: Security Arsenal Research
date: 2026/05/28
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\rclone.exe'
            - '\rc.exe'
    condition: selection
level: high
tags:
    - attack.exfiltration
    - dragonforce
---
title: DragonForce Lateral Movement via PsExec
description: Detects PsExec execution patterns consistent with ransomware spread.
id: c3d4e5f6-a7b8-4c5d-0e8f-3g4h5i6j7k8l
status: experimental
author: Security Arsenal Research
date: 2026/05/28
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\psexec.exe'
            - '\psexec64.exe'
        CommandLine|contains:
            - '-accepteula'
            - '\\'
    condition: selection
level: high
tags:
    - attack.lateral_movement
    - attack.t1021.002


**KQL (Microsoft Sentinel)**
kql
// Hunt for DragonForce lateral movement and staging
let TimeFrame = 1d;
DeviceProcessEvents
| where Timestamp >= ago(TimeFrame)
// Look for common ransomware tools and obfuscation
| where ProcessName has_any ("rclone", "powershell", "cmd", "wmi", "psexec", "wbadmin")
// Specific DragonForce indicators: massive file copies or VSS deletion attempts
| where ProcessCommandLine has_any ("delete", "shadow", "copy", "sync", "config", "-enc") 
or ProcessCommandLine contains "C:\\Windows\\Temp"
// Filter for suspicious parent processes (often abused utilities)
| where InitiatingProcessFileName in ("mshta.exe", "excel.exe", "word.exe", "winword.exe", "powershell.exe", "cmd.exe")
| project Timestamp, DeviceName, AccountName, ProcessName, ProcessCommandLine, InitiatingProcessFileName, FolderPath
| order by Timestamp desc


**PowerShell Response Script**
powershell
<#
.SYNOPSIS
    DragonForce Incident Response - Pre-Encryption Triage
.DESCRIPTION
    Checks for signs of DragonForce activity: Scheduled tasks, Rclone,
    recent Shadow Copy manipulations, and unusual SMB connections.
#>

Write-Host "[+] Starting DragonForce Triage Check..." -ForegroundColor Cyan

# 1. Check for Rclone (Data Exfil)
Write-Host "\n[!] Checking for Rclone presence..." -ForegroundColor Yellow
$Paths = @("C:\Windows\Temp\", "C:\Users\Public\", $env:USERPROFILE + "\Downloads\")
$FoundRclone = $false
foreach ($Path in $Paths) {
    if (Test-Path $Path) {
        $Items = Get-ChildItem -Path $Path -Filter "rclone*.exe" -Recurse -ErrorAction SilentlyContinue
        if ($Items) {
            Write-Host "[ALERT] Rclone found at: $($Items.FullName)" -ForegroundColor Red
            $FoundRclone = $true
        }
    }
}
if (-not $FoundRclone) { Write-Host "[OK] No Rclone executables found in common paths." -ForegroundColor Green }

# 2. Check Scheduled Tasks created in last 24h (Persistence)
Write-Host "\n[!] Checking for recently created Scheduled Tasks..." -ForegroundColor Yellow
$Date = (Get-Date).AddDays(-1)
Get-ScheduledTask | Where-Object {$_.Date -gt $Date} | 
    Select-Object TaskName, Date, Author, Actions | Format-Table -AutoSize

# 3. Check Volume Shadow Copy Status (Pre-Encryption)
Write-Host "\n[!] Checking Volume Shadow Copy Storage Usage..." -ForegroundColor Yellow
$vss = vssadmin list shadowstorage
if ($vss -match "No Shadow Copy Storage") {
    Write-Host "[OK] No Shadow Copy Storage found." -ForegroundColor Green
} else {
    Write-Host "[INFO] Current Shadow Copy Storage Status:" -ForegroundColor Cyan
    Write-Host $vss
}

# 4. Check for recent PsExec/WMI Executions (Lateral Movement)
Write-Host "\n[!] Checking Security Event Log for ID 4688 (PsExec/WMI)..." -ForegroundColor Yellow
$Events = Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4688; StartTime=(Get-Date).AddHours(-24)} -ErrorAction SilentlyContinue
if ($Events) {
    $Suspicious = $Events | Where-Object {$_.Message -match 'psexec' -or $_.Message -match 'wmic' -or $_.Message -match '-accepteula'}
    if ($Suspicious) {
        Write-Host "[ALERT] Suspicious process execution found:" -ForegroundColor Red
        $Suspicious | Select-Object TimeCreated, Message | Format-List
    } else {
        Write-Host "[OK] No obvious PsExec/WMI execution patterns detected." -ForegroundColor Green
    }
}

Write-Host "\n[+] Triage Complete." -ForegroundColor Cyan

Incident Response Priorities

T-Minus Detection Checklist (Pre-Encryption):

  1. ScreenConnect Logs: Immediate review of ConnectWise ScreenConnect logs for SetupWizard or Target= URI parameters associated with non-admin internal IPs.
  2. Nx Console Audit: Identify developers or sysadmins utilizing Nx Console; quarantine systems running versions vulnerable to CVE-2026-48027.
  3. Mass File Movement: Monitor network traffic for sudden spikes in outbound SMB connections or large uploads to known cloud storage APIs (Mega, Dropbox) or unknown IPs.
  4. Service Shutdowns: Watch for unexpected stops of security agents (EDR/Antivirus) via net stop or sc stop commands.

Critical Assets Prioritized for Exfiltration:

  • Logistics: Customer manifests, shipping routes (high ransom leverage).
  • Healthcare: Patient PHI (Ramos Rheumatology indicates targeting of sensitive data).
  • Professional Services: Client financial data, legal contracts, IP.

Containment Actions (Ordered by Urgency):

  1. Isolate: Disconnect confirmed infected machines from the network immediately; do not shut down (preserve memory artifacts).
  2. Disable: Disable local and domain accounts used by DRAGONFORCE affiliates immediately.
  3. Block: Block IP addresses identified in C2 beaconing at the firewall level.
  4. Patch: Emergency patching of ScreenConnect servers is the highest priority to stop further spread.

Hardening Recommendations

Immediate (24h):

  • Patch ScreenConnect: Apply the patch for CVE-2024-1708 to all ConnectWise ScreenConnect instances immediately. Enforce MFA on all administrative access.
  • Disable Nx Console: If not business-critical, temporarily disable the use of Nx Console until the patch for CVE-2026-48027 is verified.
  • RDP Hardening: Restrict RDP access via firewall policies and enforce Account Lockout policies to prevent brute-forcing.

Short-term (2 weeks):

  • Network Segmentation: Segregate critical servers (Backup, Domain Controllers, EMRs) from general user workstations to impede lateral movement.
  • E-Mail Filtering: Implement strict DMARC/DKIM/SPF records and advanced phishing filters to block initial access vectors.
  • Offline Backups: Ensure backups are immutable and offline to guarantee recovery capability.

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub

darkwebransomware-gangdragonforceransomwarecve-2024-1708nx-consolelogisticshealthcare

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action