
DRAGONFORCE Ransomware: 16 New Victims — Targeting Analysis of Business Services & Cross-Regional Attacks

Security Arsenal Team
May 26, 2026
5 min read

Aliases & Operations: DRAGONFORCE operates as a Ransomware-as-a-Service (RaaS) entity, likely leveraging a customized encryptor based on modern Rust-based codebases observed in the underground since late 2024. They utilize a network of affiliates to conduct initial access and network pivoting.

Tactics & Economics:

  • Model: RaaS with affiliate splits (typically 70-80% to affiliate).
  • Ransom Demands: Historically range from $500,000 to $5 million USD, varying strictly by victim revenue.
  • Initial Access: Primarily via phishing campaigns delivering malicious macros (leading to Cobalt Strike beacons) and exploitation of exposed VPN/RDP services.
  • Double Extortion: Aggressive double extortion strategy; data is exfiltrated to dedicated cloud storage prior to encryption, with leak site pressure applied within 48-72 hours of notification failure.
  • Dwell Time: Average dwell time is approximately 5 to 9 days before detonation, allowing for extensive credential dumping and lateral movement.

# Current Campaign Analysis

Campaign Velocity: A significant surge in activity was observed on 2026-05-25, with 11 out of the 16 recent victims posted on a single day. This indicates a high-volume "bulk" posting strategy by the group or a specific affiliate completing multiple encryptors simultaneously.

Sector Targeting: The current campaign shows a distinct pivot towards professional and consumer-facing services:

  1. Business Services (37.5%): Dominant sector including CPA firms (ggroupcpas), adjustment firms (allianceadjustment), and record keeping (businessrecord).
  2. Agriculture & Food (12.5%): Targeting supply chain stability (vegfresh, Heartland Growers).
  3. Construction & Manufacturing (25%): Industrial targets in CA and GB.

Geographic Spread:

  • North America (US/CA): 50% of victims. The US is the primary target (6 victims).
  • Europe (DE, ES, GB, NL): Significant presence (31%), with the UK and Netherlands specifically hit.

CVE & Vectors: While no CISA KEV entry was directly matched in the immediate window, DRAGONFORCE affiliates frequently exploit legacy VPN appliances (for example, Fortinet VPN vulnerabilities) and use valid credentials obtained via infostealers for initial access. The concentration on Business Services often suggests supply chain compromise or credential stuffing.


# Detection Engineering

The following detection logic targets DRAGONFORCE's known TTPs: lateral movement via PsExec/WMI, PowerShell staging, and the destruction of Volume Shadow Copies which precedes their encryption routine.

**Sigma Rules (YAML)**
```yaml
title: Potential Ransomware Lateral Movement via PsExec
id: b6f20e1a-8ea6-4a0b-b3c1-2e8594e8a3d5
description: Detects the use of PsExec or similar tools for lateral movement, a common TTP for DRAGONFORCE affiliates prior to encryption.
status: experimental
date: 2026/05/27
author: Security Arsenal
references:
    - https://securityarsenal.com/threat-intel
tags:
    - attack.execution
    - attack.t1569.002
    - attack.lateral_movement
    - attack.t1021.002
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\psexec.exe'
            - '\psexec64.exe'
            - '\paexec.exe'
    condition: selection
falsepositives:
    - Administrative activity
level: high
---
title: Suspicious PowerShell EncodedCommand Pattern
id: a1b2c3d4-5678-90ab-cdef-1234567890ab
description: Detects PowerShell execution with heavily encoded commands often used by DRAGONFORCE loaders to evade detection.
status: experimental
date: 2026/05/27
author: Security Arsenal
tags:
    - attack.execution
    - attack.t1059.001
    - attack.defense_evasion
    - attack.t1027
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
        CommandLine|contains:
            - ' -Enc '
            - ' -EncodedCommand '
    # Excluding SYSTEM cuts noise from management agents, but it also hides encoded
    # commands run after privilege escalation; tune this filter to the environment.
    filter_legit:
        User: 'NT AUTHORITY\SYSTEM'
    condition: selection and not filter_legit
falsepositives:
    - Management agents and signed deployment scripts that use -EncodedCommand
level: medium
---
title: Deletion of Volume Shadow Copies via VssAdmin
id: c3d4e5f6-7890-1234-5678-90abcdef1234
status: experimental
date: 2026/05/27
author: Security Arsenal
description: Detects attempts to delete Volume Shadow Copies, a critical step in DRAGONFORCE's playbook to prevent recovery.
references:
    - https://attack.mitre.org/techniques/T1490/
tags:
    - attack.impact
    - attack.t1490
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\vssadmin.exe'
        CommandLine|contains: 'delete shadows'
    condition: selection
falsepositives:
    - System administration (rare)
level: critical
```
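To check what the three rules above actually fire on before shipping them to a SIEM, the following added example (not code from the Security Arsenal post) transcribes their `detection` sections into a small Python evaluator and runs it over constructed Windows process-creation events. Field names (`Image`, `CommandLine`, `User`) follow the Sigma `process_creation` taxonomy; the events, hostnames and account names are made up, and the base64 blob decodes to the harmless string "ABC".

```python
# Added example, not from the Security Arsenal post: a minimal evaluator that
# applies the selection/filter logic of the three Sigma rules above to Windows
# process-creation events. Field names (Image, CommandLine, User) follow the
# Sigma process_creation taxonomy; every event below is constructed.
from dataclasses import dataclass, field


@dataclass
class Rule:
    title: str
    level: str
    selection: dict                              # 'Field|modifier' -> value or list
    filters: list = field(default_factory=list)  # any matching filter suppresses the hit


def _match_field(event, key, values):
    """Sigma-style single-field match; 'endswith' and 'contains' are case-insensitive."""
    name, _, modifier = key.partition("|")
    actual = str(event.get(name, "")).lower()
    wanted = [str(v).lower() for v in (values if isinstance(values, list) else [values])]
    if modifier == "endswith":
        return any(actual.endswith(v) for v in wanted)
    if modifier == "contains":
        return any(v in actual for v in wanted)
    return actual in wanted  # no modifier: exact (case-insensitive) match


def _match_map(event, mapping):
    """A selection map matches when every listed field matches (Sigma 'and' semantics)."""
    return all(_match_field(event, k, v) for k, v in mapping.items())


# Transcription of the three rules' detection sections as published above
RULES = [
    Rule("Potential Ransomware Lateral Movement via PsExec", "high",
         {"Image|endswith": ["\\psexec.exe", "\\psexec64.exe", "\\paexec.exe"]}),
    Rule("Suspicious PowerShell EncodedCommand Pattern", "medium",
         {"Image|endswith": "\\powershell.exe", "CommandLine|contains": " -Enc "},
         filters=[{"User": "NT AUTHORITY\\SYSTEM"}]),
    Rule("Deletion of Volume Shadow Copies via VssAdmin", "critical",
         {"Image|endswith": "\\vssadmin.exe", "CommandLine|contains": "delete shadows"}),
]


def evaluate(events, rules=RULES):
    """Return (EventId, rule title, level) for every rule whose selection matches
    an event and no filter suppresses it."""
    hits = []
    for ev in events:
        for rule in rules:
            if _match_map(ev, rule.selection) and not any(_match_map(ev, f) for f in rule.filters):
                hits.append((ev["EventId"], rule.title, rule.level))
    return hits


PS_IMAGE = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
# Constructed sample telemetry (the base64 payload decodes to the harmless string "ABC")
SAMPLE_EVENTS = [
    {"EventId": 1, "Image": "C:\\Tools\\PsExec64.exe",
     "CommandLine": "PsExec64.exe \\\\FS01 -s cmd.exe", "User": "CORP\\jdoe"},
    {"EventId": 2, "Image": PS_IMAGE,
     "CommandLine": "powershell.exe -NoP -W Hidden -Enc QQBCAEMA", "User": "CORP\\jdoe"},
    {"EventId": 3, "Image": PS_IMAGE,  # same command as SYSTEM: suppressed by filter_legit
     "CommandLine": "powershell.exe -NoP -W Hidden -Enc QQBCAEMA", "User": "NT AUTHORITY\\SYSTEM"},
    {"EventId": 4, "Image": "C:\\Windows\\System32\\vssadmin.exe",
     "CommandLine": "vssadmin.exe delete shadows /all /quiet", "User": "NT AUTHORITY\\SYSTEM"},
    {"EventId": 5, "Image": "C:\\Windows\\System32\\notepad.exe",
     "CommandLine": "notepad.exe C:\\Users\\jdoe\\notes.txt", "User": "CORP\\jdoe"},
]

if __name__ == "__main__":
    for event_id, title, level in evaluate(SAMPLE_EVENTS):
        print(f"[{level.upper():8}] event {event_id}: {title}")
```

Event 3 is the interesting one: it is byte-for-byte the same encoded command as event 2 but runs as SYSTEM, so the second rule's `filter_legit` drops it. That is exactly the trade-off to weigh when tuning that filter, since post-escalation loaders also run as SYSTEM.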


**KQL (Microsoft Sentinel) — Hunt for Staging Activity**
```kql
// Hunt for suspicious file staging patterns (rapid creation of zip/7z files in temp dirs)
DeviceFileEvents
| where Timestamp > ago(7d)
| where ActionType in ("FileCreated", "FileModified")
| where FolderPath contains "\\Temp\\" or FolderPath contains "\\AppData\\Local\\Temp"
| where FileName endswith ".zip" or FileName endswith ".7z" or FileName endswith ".rar"
| summarize Count=count(), DistinctFiles=dcount(FileName) by DeviceName, InitiatingProcessAccountName, bin(Timestamp, 5m)
| where Count > 10
// Only the grouping and aggregate columns survive summarize: the time column is the binned Timestamp, not TimeGenerated
| project DeviceName, InitiatingProcessAccountName, Count, DistinctFiles, Timestamp
```


**Rapid Response Script — PowerShell**
```powershell
# DRAGONFORCE Response Check: Enumerate Suspicious Scheduled Tasks
# Lists tasks registered in the last 7 days whose action runs from Temp/AppData
# and whose Author is not a known vendor. Author is free text and can be forged,
# so treat hits as leads for triage rather than verdicts.

Get-ScheduledTask | Where-Object {
    # Date is a string on the task object and may be empty; cast before comparing
    $_.Date -and ([datetime]($_.Date)) -gt (Get-Date).AddDays(-7)
} | ForEach-Object {
    $taskInfo = $_
    # A task may carry several actions; join executable and arguments for matching
    $taskAction = ($taskInfo.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
    # Author lives on the task object itself (Get-ScheduledTaskInfo only returns run-time state)
    $taskAuthor = $taskInfo.Author

    # Flag tasks running from temp or appdata whose author is not a known vendor
    if ($taskAction -match 'Temp|AppData' -and $taskAuthor -notmatch 'Microsoft|NVIDIA|Intel') {
        Write-Host "[!] Suspicious Task Found: $($taskInfo.TaskPath)$($taskInfo.TaskName)" -ForegroundColor Red
        Write-Host "    Author: $taskAuthor"
        Write-Host "    Action: $taskAction"
    }
}
```


---

# Incident Response Priorities

Based on DRAGONFORCE's observed dwell time and behavior:

1.  **T-Minus Detection Checklist:**
    *   **Check for PsExec/WMI:** Immediate hunt for `psexec.exe` or `wmiprvse.exe` spawning abnormal child processes.
    *   **Volume Shadow Copy Status:** Verify if VSS storage is abnormally low or if `vssadmin` has run recently.
    *   **Mass File Renaming:** Look for processes renaming files in bulk (changing extensions to `.locked` or encrypted variants).

2.  **Critical Assets for Exfiltration:**
    DRAGONFORCE prioritizes high-value data for extortion:
    *   Financial databases (Accounting/CPA firms).
    *   Client PII/PHI (Business Services/Healthcare adjacent).
    *   Proprietary manufacturing schematics (Manufacturing targets).

3.  **Containment Actions:**
    *   **Disconnect:** Isolate affected segments immediately; DRAGONFORCE moves fast laterally.
    *   **Reset Credentials:** Force reset for all privileged accounts (Domain Admins) and service accounts used in the last 14 days.
    *   **Suspend VPN:** Suspend VPN access for non-essential staff and audit active sessions.
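The "Mass File Renaming" item in the checklist above is a rate question rather than a signature: one process changing the extension of many files within a few minutes. The following added example (not code from the Security Arsenal post) implements that check as a sliding-window counter over file-rename events. The event records, the `.locked` extension, the process names and the 5-minute / 20-file thresholds are all constructed here; in production the input is EDR file-rename telemetry and the thresholds are tuned to the environment.

```python
# Added example, not from the Security Arsenal post: flag a process that renames
# many files to a new extension within a short window (mass file renaming).
# Event records and thresholds are constructed for illustration.
from collections import defaultdict, deque
from datetime import datetime, timedelta
import os

WINDOW = timedelta(minutes=5)   # assumed window; tune to the environment
THRESHOLD = 20                  # assumed count of extension changes inside WINDOW


def _ext(path):
    """Lower-cased extension of a Windows or POSIX path ('' if none)."""
    return os.path.splitext(path.replace("\\", "/"))[1].lower()


def detect_mass_rename(events, window=WINDOW, threshold=THRESHOLD):
    """events: iterable of dicts sorted by 'ts' (datetime) with keys host, process, old, new.
    Returns one alert per (host, process, new extension) the first time the number of
    extension-changing renames inside the sliding window reaches the threshold."""
    recent = defaultdict(deque)   # (host, process, ext) -> timestamps inside the window
    alerted = set()
    alerts = []
    for ev in events:
        if _ext(ev["old"]) == _ext(ev["new"]):
            continue              # same extension: ordinary rename, not an encryption marker
        key = (ev["host"], ev["process"], _ext(ev["new"]))
        q = recent[key]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:
            q.popleft()           # drop timestamps that fell out of the window
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({"host": ev["host"], "process": ev["process"], "extension": key[2],
                           "count": len(q), "first_seen": q[0], "last_seen": ev["ts"]})
    return alerts


def build_sample_events():
    """Constructed telemetry: a backup job renaming 5 files over 50 minutes (benign)
    and a burst of 25 '.locked' renames by an unknown binary within about a minute."""
    t0 = datetime(2026, 5, 25, 2, 14, 0)
    events = []
    for i in range(5):
        events.append({"ts": t0 + timedelta(minutes=10 * i), "host": "FS01", "process": "backup.exe",
                       "old": f"D:\\share\\report{i}.docx", "new": f"D:\\share\\report{i}.docx.bak"})
    for i in range(25):
        events.append({"ts": t0 + timedelta(seconds=60 + 3 * i), "host": "FS01", "process": "updater.exe",
                       "old": f"D:\\share\\inv{i}.xlsx", "new": f"D:\\share\\inv{i}.xlsx.locked"})
    events.sort(key=lambda e: e["ts"])
    return events


if __name__ == "__main__":
    for a in detect_mass_rename(build_sample_events()):
        print(f"[!] {a['host']}: {a['process']} changed {a['count']} files to "
              f"{a['extension']} between {a['first_seen']:%H:%M:%S} and {a['last_seen']:%H:%M:%S}")
```

Keying on the new extension as well as the process means a backup agent appending `.bak` to a handful of files never competes with the burst that matters, and alerting once per key keeps a single encryption run from producing hundreds of alerts while it is still in progress.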

---

# Hardening Recommendations

**Immediate (24h):**
*   **Disable RDP:** Close RDP (TCP 3389) from the internet. Require VPN for all remote access.
*   **Macro Blocking:** Enforce Group Policy to disable macros in documents from the internet.
*   **MFA Enforcement:** Ensure MFA is active on all VPN gateways and webmail services; enforce conditional access policies.

**Short-term (2 weeks):**
*   **Network Segmentation:** Segment critical business servers (Finance, HR) from user workstations to impede lateral movement.
*   **EDR Rollout:** Ensure Endpoint Detection and Response coverage is 100% on servers; DRAGONFORCE tooling is often fileless and memory-resident.
*   **Access Review:** Revoke unnecessary local admin rights across the Business Services and Construction departments.
