DRAGONFORCE has posted 25 new victims to its leak site in the last week, marking a significant acceleration in attack cadence. The group is disproportionately targeting the Manufacturing, Business Services, and Transportation/Logistics sectors across the US, UK, Canada, and Europe. Intelligence suggests a heavy reliance on exploiting vulnerabilities in remote management and perimeter security devices, specifically CVE-2024-1708 (ConnectWise ScreenConnect) and CVE-2026-20131 (Cisco Secure Firewall). Enterprise defenders in these sectors should immediately prioritize patching these CISA Known Exploited Vulnerabilities (KEV) and hunting for signs of RMM abuse.
Threat Actor Profile — DRAGONFORCE
- Aliases: DF, Team DragonForce (Not to be confused with the generic script kiddie group from 2021; this is an evolution of the 2024-era operations).
- Operational Model: Ransomware-as-a-Service (RaaS). DRAGONFORCE operates an affiliate program that aggressively recruits access brokers specializing in perimeter exploitation.
- Ransom Demands: Variable, typically ranging from $500k to $5m USD depending on victim revenue, with aggressive negotiations pushing for payment within 48-72 hours of initial contact to prevent leak site publication.
- Initial Access Vectors: Currently pivoting away from pure phishing to vulnerability exploitation. Access is primarily gained via unpatched VPNs, RMM tools (ScreenConnect), and edge firewalls (Cisco FMC).
- Double Extortion: Standard playbook. Exfiltration occurs 3-7 days prior to encryption. Data is hosted on their TOR site; pressure is applied via email campaigns to victim partners and stakeholders.
- Dwell Time: Shortening. Recent data indicates an average dwell time of 4-5 days between initial access and detonation, reducing the window for detection.
Current Campaign Analysis
Sector & Geographic Targeting
DRAGONFORCE’s latest posting spree reveals a calculated shift towards mid-market industrial and service firms.
- Top Sectors: Manufacturing (Henry Molded Products, President Container), Transportation/Logistics, and Business Services (practicus.co.uk, waypointsolutions.com). Hospitality (Shoreline Sightseeing) is a secondary but consistent target.
- Geographic Focus: US (40%), GB (26%), CA (13%), and NL (13%). The concentration in US and UK suggests a specific focus on English-speaking economies with higher insurance payout capacities.
Victim Profile
- Size: Mid-market enterprises ($50M - $500M revenue).
- Infrastructure: Victims typically operate on-premise Exchange servers or utilize managed service providers (MSPs) relying on ScreenConnect.
CVE & Exploitation Intelligence
The group is actively exploiting the following CISA KEVs for initial access:
- CVE-2024-1708 (ConnectWise ScreenConnect): Used to gain authenticated RCE on exposed management interfaces. This is the primary vector for the Business Services and Technology victims.
- CVE-2026-20131 (Cisco Secure Firewall): Likely utilized against victims like northbridge.com (Technology) and logistics firms with heavy network infrastructure.
- CVE-2025-52691 (SmarterMail): Used for email server entry, facilitating credential harvesting and internal phishing.
- CVE-2026-48027 (Nx Console): A newer addition, targeting technology/development environments to inject malicious code.
Escalation Pattern
Posts on 2026-05-27 (13 victims) and 2026-05-29 (2 victims) indicate a "burst" pattern, likely following a weekend mass-exploitation effort against unpatched systems.
Detection Engineering
SIGMA Rules
title: Potential DRAGONFORCE ScreenConnect Authentication Bypass
id: 0c8e3d1a-1f4b-4c9e-8b1a-2c3d4e5f6a7b
description: Detects potential exploitation of CVE-2024-1708 involving suspicious path traversal or authentication anomalies in ConnectWise ScreenConnect.
author: Security Arsenal Research
date: 2026/05/30
references:
    - https://www.cisa.gov/known-exploited-vulnerabilities-catalog
status: experimental
logsource:
    category: webserver
    product: screenconnect
detection:
    selection:
        cs-method: POST
        # contains already wraps the value in wildcards; no trailing '*' needed
        c-uri|contains:
            - '/LiveEvents/'
            - '/Bin/'
    filter:
        cs-user-agent|contains: 'ScreenConnect'
    condition: selection and not filter
falsepositives:
    - Legitimate administrative access
level: high
tags:
    - cve.2024.1708
    - attack.initial_access
    - dragonforce
---
title: DRAGONFORCE Cisco FMC Deserialization Exploitation Attempt
id: a1b2c3d4-e5f6-4a5b-8c9d-0e1f2a3b4c5d
description: Detects suspicious deserialization activity indicative of CVE-2026-20131 exploitation on Cisco Secure Firewall Management Center.
author: Security Arsenal Research
date: 2026/05/30
references:
    - https://www.cisa.gov/known-exploited-vulnerabilities-catalog
status: experimental
logsource:
    category: firewall
    product: cisco
detection:
    selection:
        dst_port: 443
        protocol|contains: 'http'
        http_method: POST
        url|contains:
            - '/fsui/logon'
            - '/fsui/download'
        # base64offset must precede contains so all three Base64 alignments of the
        # plaintext are generated before the wildcards are added
        payload|base64offset|contains:
            - 'ysoserial'
            - 'CommonsCollections'
    condition: selection
falsepositives:
    - Unknown
level: critical
tags:
    - cve.2026.20131
    - attack.initial_access
    - dragonforce
---
title: DRAGONFORCE Ransomware Pre-Encryption Activity (Vssadmin)
id: b2c3d4e5-f6a7-4b5c-9d0e-1f2a3b4c5d6e
description: Detects execution of vssadmin.exe to delete shadow copies, a common precursor to DRAGONFORCE encryption.
author: Security Arsenal Research
date: 2026/05/30
status: experimental
logsource:
    category: process_creation
    product: windows
detection:
    # A single map so that Image AND CommandLine must both match; a list of maps
    # would OR them and fire on every vssadmin.exe execution
    selection:
        Image|endswith: '\vssadmin.exe'
        CommandLine|contains:
            - 'delete shadows'
            - 'resize shadowstorage'
    condition: selection
falsepositives:
    - System administration (rare)
level: high
tags:
    - attack.impact
    - attack.t1490
    - dragonforce
KQL (Microsoft Sentinel)
Hunt for lateral movement and data staging indicators associated with this campaign.
// Hunt for suspicious lateral movement and data staging
let TimeFrame = ago(7d);
DeviceProcessEvents
| where Timestamp > TimeFrame
// Look for lateral movement tools or admin abuse
| where ProcessVersionInfoOriginalFileName in~ ('PsExec.exe', 'psexecsvc.exe', 'wmi.exe', 'wmic.exe')
    or FileName in~ ('powershell.exe', 'cmd.exe', 'cscript.exe')
// And look for arguments suggestive of remote access or data exfil
// (DeviceProcessEvents exposes the command line as ProcessCommandLine, not CommandLine)
| where ProcessCommandLine has_any ("Invoke-Command", "New-Object System.Net.WebClient", "DownloadString", "-enc ", "/C:")
// Correlate with network connections to non-corporate IPs or RMM ports
| join kind=inner (
    DeviceNetworkEvents
    | where Timestamp > TimeFrame
    | where RemotePort in (445, 135, 139, 3389, 8040, 8041) // Common RMM/RDP ports
    | distinct DeviceId, RemoteIP, RemotePort // RemotePort must survive the join to be projected below
) on DeviceId
| project Timestamp, DeviceName, FileName, ProcessCommandLine, RemoteIP, RemotePort, InitiatingProcessAccountName
// Keep the correlated IPs, ports and accounts per device instead of collapsing to a bare count
| summarize Hits = count(), RemoteIPs = make_set(RemoteIP), RemotePorts = make_set(RemotePort),
    Accounts = make_set(InitiatingProcessAccountName) by DeviceName, FileName
| order by Hits desc
PowerShell - Rapid Response Script
Check for signs of DRAGONFORCE staging, specifically looking for recently added scheduled tasks and unusual VSS manipulation.
<#
.SYNOPSIS
    DRAGONFORCE Response Hunt Script
.DESCRIPTION
    Checks for VSS manipulation, scheduled tasks created in the last 7 days,
    and unusual PowerShell execution patterns. Run from an elevated session.
#>
Write-Host "[+] Hunting for DRAGONFORCE Indicators of Compromise..." -ForegroundColor Cyan

# 1. Check for recent VSS Shadow Copy deletions in Event Logs
#    PowerShell escapes newlines with a backtick, not a backslash
Write-Host "`n[*] Checking for VSS Admin Deletion Events (EventID 1 from VSS)..." -ForegroundColor Yellow
$vssEvents = Get-WinEvent -FilterHashtable @{LogName='Application'; ProviderName='VSS'; ID=1; StartTime=(Get-Date).AddHours(-48)} -ErrorAction SilentlyContinue
if ($vssEvents) { $vssEvents | Select-Object TimeCreated, Message | Format-Table -Wrap }
else { Write-Host "    No recent VSS deletion events found." -ForegroundColor Green }

# 2. Enumerate Scheduled Tasks created/modified in last 7 days (Persistence)
#    The Date property is an ISO-8601 string and is empty for many built-in tasks,
#    so skip blanks and cast to [datetime] before comparing
Write-Host "`n[*] Checking for Scheduled Tasks created/modified in last 7 days..." -ForegroundColor Yellow
$cutoff = (Get-Date).AddDays(-7)
$schTasks = Get-ScheduledTask | Where-Object { $_.Date -and ([datetime]$_.Date) -gt $cutoff }
if ($schTasks) {
    $schTasks | Select-Object TaskName, Date, Author, State | Format-Table -AutoSize
    Write-Host "    WARNING: Review these tasks immediately." -ForegroundColor Red
}
else { Write-Host "    No suspicious recent tasks found." -ForegroundColor Green }

# 3. Check for PowerShell processes started in the last 24h with encoded commands
Write-Host "`n[*] Hunting for Encoded PowerShell commands..." -ForegroundColor Yellow
$proc = Get-CimInstance Win32_Process -Filter "Name='powershell.exe'" |
    Where-Object { $_.CreationDate -gt (Get-Date).AddHours(-24) }
if ($proc) {
    foreach ($p in $proc) {
        # '-enc' also matches the long form '-encodedcommand'
        if ($p.CommandLine -match '-enc') {
            Write-Host "    ALERT: Encoded PowerShell detected PID $($p.ProcessId)" -ForegroundColor Red
            Write-Host "    Command: $($p.CommandLine)"
        }
    }
} else { Write-Host "    No suspicious PowerShell activity." -ForegroundColor Green }

Write-Host "`n[+] Hunt Complete." -ForegroundColor Cyan
---
Incident Response Priorities
T-Minus Detection Checklist
- ScreenConnect Logs: Immediate review of ConnectWise ScreenConnect logs for PanelServices.asmx requests or unusual file access from 2026-05-26 to 2026-05-29.
- Cisco FMC Audits: Scrutinize administrative logs on firewall management centers for deserialization errors or unauthorized configuration changes.
- Exchange IIS Logs: Hunt for POST requests to /EWS/Exchange.asmx containing long, serialized data payloads (Base64 encoded).
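As an added example (not part of the original report), the Exchange and ScreenConnect log checks above expressed as a small hunt over W3C extended-format web logs. It assumes both servers' request logs are available in that format (IIS writes it natively); the ScreenConnect path prefix, the byte threshold and the sample lines are constructed.

```python
from datetime import date

# Constructed W3C extended-format sample (not real victim data); IIS emits the #Fields: header itself.
# The truncated fifth entry shows how a malformed line is skipped instead of misaligning columns.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status cs-bytes
2026-05-27 02:14:03 10.0.0.5 POST /EWS/Exchange.asmx - 443 - 203.0.113.7 Mozilla/5.0 200 524288
2026-05-27 02:15:11 10.0.0.5 POST /EWS/Exchange.asmx - 443 CORP\\jdoe 10.0.0.41 Outlook/16.0 200 2048
2026-05-28 23:40:52 10.0.0.9 POST /Services/PanelServices.asmx - 443 - 198.51.100.23 python-requests/2.31 200 1311
2026-05-20 09:00:00 10.0.0.9 GET /Services/PanelServices.asmx - 443 admin 10.0.0.50 ScreenConnect/23.9 200 512
2026-05-27 02:16:00 10.0.0.5 POST /EWS/Exchange.asmx
"""

# Constructed threshold for a "long" serialized EWS body; tune to the environment's normal cs-bytes.
EXCH_PAYLOAD_BYTES = 100_000
# Breach window from the checklist (inclusive).
WINDOW_START, WINDOW_END = date(2026, 5, 26), date(2026, 5, 29)


def parse_w3c(text):
    """Yield one dict per entry, keyed by the column names in the most recent #Fields: header."""
    fields = []
    for raw in text.splitlines():
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]
            continue
        if not raw.strip() or raw.startswith("#"):
            continue
        values = raw.split()
        if len(values) != len(fields):
            continue  # truncated/malformed line: skip rather than shift columns
        yield dict(zip(fields, values))


def hunt(text):
    """Return (finding, client_ip, request_bytes) tuples for the two checklist patterns."""
    findings = []
    for e in parse_w3c(text):
        day = date.fromisoformat(e["date"])
        stem = e["cs-uri-stem"].lower()
        size = int(e["cs-bytes"]) if e.get("cs-bytes", "-").isdigit() else 0  # W3C logs "-" for unknown
        # Exchange: large POST bodies to the EWS endpoint (serialized/Base64 payloads are long)
        if e["cs-method"] == "POST" and stem == "/ews/exchange.asmx" and size >= EXCH_PAYLOAD_BYTES:
            findings.append(("exchange_large_ews_post", e["c-ip"], size))
        # ScreenConnect: any PanelServices.asmx request inside the breach window
        if stem.endswith("panelservices.asmx") and WINDOW_START <= day <= WINDOW_END:
            findings.append(("screenconnect_panelservices", e["c-ip"], size))
    return findings
```

Point `hunt()` at the concatenated daily log files for the breach window; the normal-sized Outlook traffic and the out-of-window administrative request in the sample are deliberately left unflagged.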
Critical Assets for Exfiltration
DRAGONFORCE historically prioritizes:
- Customer Databases/CRM: PII for leverage.
- Financial Records: 2024/2025 Tax returns, payroll data.
- CAD/Engineering Files: High value for Manufacturing victims (Intellectual Property).
Containment Actions
- Isolate: Disconnect VPN concentrators and RMM servers from the internet immediately if unpatched.
- Reset: Revoke credentials for all privileged accounts that have logged into Exchange or ScreenConnect during the breach window.
- Block: Sinkhole or block outbound traffic to known DRAGONFORCE TOR nodes and file-sharing sites (Mega, TransferNow).
Hardening Recommendations
Immediate (24 Hours)
- Patch CISA KEVs: Emergency patching for CVE-2024-1708 (ScreenConnect), CVE-2026-20131 (Cisco FMC), and CVE-2025-52691 (SmarterMail).
- Internet-Facing Hygiene: Disable internet access for RMM interfaces where possible; enforce strict IP whitelisting.
- MFA Enforcement: Ensure phishing-resistant MFA (FIDO2) is active on all VPN and Email admin consoles.
Short-Term (2 Weeks)
- Network Segmentation: Segment OT (Operational Technology) and Manufacturing networks from IT admin networks to prevent lateral movement from compromised workstations to industrial controllers.
- EDR Coverage: Verify 100% EDR coverage on servers holding Exchange, SmarterMail, and File data. Deploy specific detection rules for "Living off the Land" binaries (LOLBins) like vssadmin.exe.