
DRAGONFORCE Ransomware: Aggressive Campaign Targeting SMBs via SmarterMail & ScreenConnect Exploits

Security Arsenal Team
May 26, 2026

Date: 2026-05-26
Source: Ransomware.live / Dark Web Leak Site Monitoring


Threat Actor Profile — DRAGONFORCE

  • Affiliation Model: Operating as a Ransomware-as-a-Service (RaaS) platform with high-affiliate turnover. DRAGONFORCE provides a customized locker based on leaked LockBit/BlackCat source code but maintains distinct infrastructure.
  • Ransom Demands: Typically ranges from $300,000 to $2 million USD, heavily influenced by the victim's annual revenue and cyber insurance coverage status.
  • Initial Access Vectors: Historically favors phishing, but recent intelligence confirms a pivot toward exploiting internet-facing appliances. The current campaign leverages specific vulnerabilities in remote management software (ConnectWise ScreenConnect) and email collaboration servers (SmarterTools SmarterMail).
  • Extortion Strategy: Standard "double extortion" model. Victims have 48-72 hours to negotiate before data is leaked. DRAGONFORCE maintains a dedicated "Wall of Shame" with high-resolution screenshots of stolen financial documents and employee PII.
  • Dwell Time: Short, averaging 3–5 days from initial exploit to encryption. This suggests the use of automated post-exploitation frameworks (e.g., Cobalt Strike Beacons) for rapid lateral movement.

Current Campaign Analysis

Campaign Overview:
DRAGONFORCE has posted 16 new victims between 2026-05-24 and 2026-05-25, indicating a high-velocity operation likely coordinated by a specific affiliate subgroup targeting opportunistic vulnerabilities.

Sector Targeting:

  • Business Services: 37.5% of recent victims (e.g., businessrecord.com, ggroupcpas.com). These targets are prime candidates for data exfiltration due to the sensitive client data they hold.
  • Agriculture and Food Production: 12.5% (e.g., vegfresh.com, Heartland Growers). This sector remains a soft target due to lower maturity in legacy OT/IoT security.
  • Geographic Concentration: 43.75% US-based, followed by significant activity in the UK and DACH region (Germany/Netherlands).

Victim Profile:
The victimology suggests a focus on Small-to-Mid-sized Enterprises (SMEs). Domains analyzed correspond to organizations with 50–500 employees. These entities often lack dedicated 24/7 SOC monitoring, allowing the dwell time to go unnoticed.

Observed TTPs & CVE Association:
The timing of these postings correlates directly with the addition of critical CVEs to the CISA Known Exploited Vulnerabilities (KEV) catalog in early 2026. We assess with high confidence that the following vulnerabilities are the primary initial access vectors for this surge:

  1. CVE-2024-1708 (ConnectWise ScreenConnect): Used to breach managed service providers (MSPs) or internal IT teams. Victims like ggroupcpas.com (Accounting) likely manage client systems via ScreenConnect, making this a "supply chain" style entry point.
  2. CVE-2025-52691 & CVE-2026-23760 (SmarterMail): These authentication bypass and file upload vulnerabilities allow threat actors to gain webshell access on email servers. Given the high percentage of Business Services victims, exploitation of hosted email infrastructure is a probable entry vector.

Detection Engineering

Sigma Rules

YAML
---
title: Potential ScreenConnect Authentication Bypass (CVE-2024-1708)
id: 2026052601
description: Detects potential exploitation of the ConnectWise ScreenConnect path traversal vulnerability observed in DRAGONFORCE initial access.
status: experimental
date: 2026/05/26
author: Security Arsenal
references:
    - https://cisa.gov/known-exploited-vulnerabilities-catalog
logsource:
    category: webserver
    product: apache
detection:
    selection_request:
        cs-method: 'POST'
        c-uri|contains|all:          # both substrings must be present in the request URI
            - '/FlashService/service?'
            - 'Data='
    selection_agent:                 # optional tightening: AND with selection_request to restrict to the ScreenConnect user agent
        cs-user-agent|contains: 'ScreenConnect'
    condition: selection_request
falsepositives:
    - Legitimate ScreenConnect administrative access
level: critical
---
title: SmarterMail Webshell Upload Activity (CVE-2025-52691)
id: 2026052602
description: Detects suspicious file upload patterns to SmarterMail servers indicative of webshell deployment.
status: experimental
date: 2026/05/26
author: Security Arsenal
logsource:
    category: webserver
    product: iis
detection:
    selection:
        cs-method: 'POST'
        cs-uri-stem|contains:
            - '/aspx/'
            - '/Services/'
        cs-uri-query|contains: '.aspx'
    filter:
        cs-uri-query|contains: 'login.aspx'   # Exclude standard logins
    condition: selection and not filter
falsepositives:
    - Legitimate administrative file management
level: high
---
title: DRAGONFORCE Pre-Encryption Shadow Copy Deletion
id: 2026052603
description: Detects commands used to delete Volume Shadow Copies via vssadmin or diskshadow, common in DRAGONFORCE playbook pre-encryption.
status: experimental
date: 2026/05/26
author: Security Arsenal
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\vssadmin.exe'
            - '\diskshadow.exe'
        CommandLine|contains: 'delete shadows'
    condition: selection
falsepositives:
    - System administration tasks
level: critical

KQL Hunt Query (Microsoft Sentinel)

KQL — Microsoft Sentinel / Defender
// Hunt for DRAGONFORCE lateral movement and staging
// Focuses on w3wp.exe (SmarterMail/Exchange) spawning cmd/ps and unusual RDP activity
DeviceProcessEvents
| where Timestamp > ago(7d)
| where (InitiatingProcessFileName == "w3wp.exe" and (ProcessCommandLine contains "powershell" or ProcessCommandLine contains "cmd.exe" or ProcessCommandLine contains "whoami"))
   or (ProcessCommandLine contains "psexec" and ProcessCommandLine contains "-accepteula")
   or (FileName == "vssadmin.exe" and ProcessCommandLine contains "delete")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName, FolderPath
| order by Timestamp desc
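To check the three conditions of the KQL hunt above against known-good and known-bad samples before it is deployed in Sentinel, here is an added Python re-implementation (not Security Arsenal's own tooling) run over constructed DeviceProcessEvents-style rows. The rows, host names and "now" value are constructed; "now" is pinned so the 7-day window is reproducible.

```python
# Added example (not Security Arsenal's own tooling): the three conditions of the
# KQL hunt above re-implemented in Python and run over constructed
# DeviceProcessEvents-style rows. "Now" is pinned so the 7-day window is reproducible.
from datetime import datetime, timedelta, timezone
from typing import Dict, List

ProcessEvent = Dict[str, str]
NOW = datetime(2026, 5, 26, tzinfo=timezone.utc)  # constructed reference time


def _ev(ts: str, device: str, file: str, cmdline: str, parent: str) -> ProcessEvent:
    """Build a row with the DeviceProcessEvents columns the hunt projects."""
    return {"Timestamp": ts, "DeviceName": device, "FileName": file,
            "ProcessCommandLine": cmdline, "InitiatingProcessFileName": parent}


# Constructed sample rows (not from a real incident).
SAMPLE_EVENTS: List[ProcessEvent] = [
    _ev("2026-05-24T02:11:10Z", "mail01", "cmd.exe", "cmd.exe /c whoami", "w3wp.exe"),             # IIS worker spawning a shell
    _ev("2026-05-24T02:15:42Z", "mail01", "w3wp.exe", "w3wp.exe -ap SmarterMail", "svchost.exe"),  # benign: worker start
    _ev("2026-05-25T23:38:00Z", "dc01", "psexec.exe", "psexec.exe \\\\fs02 -accepteula cmd.exe", "powershell.exe"),
    _ev("2026-05-25T23:40:05Z", "fs02", "vssadmin.exe", "vssadmin.exe delete shadows", "cmd.exe"),
    _ev("2026-05-10T08:00:00Z", "fs02", "vssadmin.exe", "vssadmin.exe delete shadows", "backup-agent.exe"),  # outside 7-day window
    _ev("2026-05-25T09:00:00Z", "ws07", "vssadmin.exe", "vssadmin.exe list shadows", "cmd.exe"),   # benign: no delete
]


def within_window(ev: ProcessEvent, now: datetime = NOW, days: int = 7) -> bool:
    """Equivalent of 'Timestamp > ago(7d)'."""
    ts = datetime.strptime(ev["Timestamp"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts > now - timedelta(days=days)


# KQL 'contains' is case-insensitive while '==' is case-sensitive; the checks mirror that.
def w3wp_spawned_shell(ev: ProcessEvent) -> bool:
    cl = ev["ProcessCommandLine"].lower()
    return ev["InitiatingProcessFileName"] == "w3wp.exe" and any(
        k in cl for k in ("powershell", "cmd.exe", "whoami"))


def psexec_lateral_movement(ev: ProcessEvent) -> bool:
    cl = ev["ProcessCommandLine"].lower()
    return "psexec" in cl and "-accepteula" in cl


def shadow_copy_deletion(ev: ProcessEvent) -> bool:
    return ev["FileName"] == "vssadmin.exe" and "delete" in ev["ProcessCommandLine"].lower()


CHECKS = (
    ("w3wp_spawned_shell", w3wp_spawned_shell),
    ("psexec_lateral_movement", psexec_lateral_movement),
    ("shadow_copy_deletion", shadow_copy_deletion),
)


def hunt(events: List[ProcessEvent], now: datetime = NOW) -> List[Dict[str, str]]:
    """Return matching rows, newest first, tagged with the check that fired."""
    hits = []
    for ev in events:
        if not within_window(ev, now):
            continue
        for name, check in CHECKS:
            if check(ev):
                hits.append({"rule": name, **ev})
    # ISO-8601 timestamps sort lexically, so this matches 'order by Timestamp desc'
    return sorted(hits, key=lambda h: h["Timestamp"], reverse=True)


if __name__ == "__main__":
    for h in hunt(SAMPLE_EVENTS):
        print(f'{h["Timestamp"]} {h["DeviceName"]:6} {h["rule"]:24} {h["ProcessCommandLine"]}')
```

Running the script prints three hits (the shadow copy deletion, the PsExec launch and the shell spawned by w3wp.exe) and drops the old deletion outside the window and the benign `list shadows` call, which is the behaviour to confirm before trusting the query on production telemetry.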

Rapid Response PowerShell Script

PowerShell
# DRAGONFORCE Response Script: Audit Shadow Copy Status & Scheduled Tasks
# Run with elevated privileges
Write-Host "[+] Checking for recent VSS Shadow Copy deletions..." -ForegroundColor Yellow
$Events = Get-WinEvent -LogName 'Microsoft-Windows-VSS/Operational' -MaxEvents 100 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like '*delete*' -or $_.Message -like '*abort*' }
if ($Events) { $Events | Select-Object TimeCreated, Message } else { Write-Host "No recent deletion events found." }

Write-Host "[+] Enumerating Scheduled Tasks created in the last 7 days (Persistence check)..." -ForegroundColor Yellow
$DateCutoff = (Get-Date).AddDays(-7)
# The task Date property is a string from the task XML (and may be empty), so cast it before comparing
Get-ScheduledTask |
    Where-Object { $_.Date -and ([datetime]$_.Date) -ge $DateCutoff } |
    Select-Object TaskName, TaskPath, Date, Author

Write-Host "[+] Checking for SmarterMail/Exchange IIS Worker Process anomalies..." -ForegroundColor Yellow
# Get-CimInstance replaces the deprecated Get-WmiObject
$Procs = Get-CimInstance Win32_Process -Filter "Name = 'w3wp.exe'" | Where-Object { $_.CommandLine -like "*SmarterMail*" }
if (-not $Procs) { Write-Host "No SmarterMail worker processes found." }
foreach ($P in $Procs) {
    # An IIS worker process rarely spawns children; cmd/powershell children match the KQL hunt above
    $Children = Get-CimInstance Win32_Process -Filter "ParentProcessId = $($P.ProcessId)"
    if ($Children) {
        Write-Host "ALERT: w3wp.exe (PID $($P.ProcessId)) has child processes. Inspect them:" -ForegroundColor Red
        $Children | Select-Object ProcessId, Name, CommandLine
    }
}


---

Incident Response Priorities

T-Minus Detection Checklist:

  1. Web Server Logs: Immediately review IIS logs on SmarterMail servers, particularly in organizations with a profile similar to the listed victims (e.g., vegfresh.com, businessrecord.com). Look for POST requests to non-standard endpoints ending in .aspx or .ashx.
  2. RMM Logs: Scrutinize ConnectWise ScreenConnect logs for successful logins from anomalous geo-locations, and specifically check request logs for Data= path traversal strings.
  3. Active Sessions: Audit current RDP and VPN sessions. DRAGONFORCE maintains persistence using valid credentials obtained by dumping LSASS memory.
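Steps 1 and 2 of the checklist above correspond to the two web Sigma rules in the Detection Engineering section. As an added example (not Security Arsenal's own tooling), the following Python script applies both checks to IIS W3C extended log lines offline: POST requests to .aspx/.ashx handlers under /aspx/ or /Services/ (excluding the normal login page) and POST requests to /FlashService/service? carrying a Data= parameter. The log lines, IP addresses and endpoint names are constructed, and the `Data=` value is a placeholder because the check keys on the parameter marker, not on any payload.

```python
# Added example (not Security Arsenal's own tooling): runs the two web detections
# from this advisory over IIS W3C extended log lines. All sample data is constructed.
from typing import Dict, Iterator, List, Tuple

Event = Dict[str, str]

# Constructed sample IIS W3C log (field order follows the #Fields directive).
# IIS replaces spaces inside a field with '+', so one split() per line is safe.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2026-05-24 02:11:03 10.0.0.5 POST /Services/upload.aspx - 443 - 203.0.113.7 Mozilla/5.0+(Windows) 200
2026-05-24 02:11:09 10.0.0.5 POST /aspx/cmd.ashx - 443 - 203.0.113.7 Mozilla/5.0+(Windows) 200
2026-05-24 02:12:00 10.0.0.5 POST /Services/login.aspx - 443 - 198.51.100.4 Mozilla/5.0+(Windows) 302
2026-05-24 02:13:44 10.0.0.5 GET /Services/status.aspx - 443 alice 198.51.100.4 Mozilla/5.0+(Windows) 200
2026-05-24 03:01:15 10.0.0.9 POST /FlashService/service Data=constructed 443 - 203.0.113.7 ScreenConnect/1.0 200
2026-05-24 03:02:30 10.0.0.9 GET /Host - 443 - 198.51.100.4 ScreenConnect/1.0 200
"""


def parse_iis_w3c(text: str) -> Iterator[Event]:
    """Yield one dict per record, keyed by the names in the #Fields directive."""
    fields: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue  # other directives (#Software, #Date, ...)
        values = line.split()
        if not fields or len(values) != len(fields):
            continue  # malformed record; a production parser should count these
        yield dict(zip(fields, values))


def full_uri(ev: Event) -> str:
    """Rebuild Sigma's c-uri from IIS's separate stem and query fields ('-' means empty)."""
    query = ev.get("cs-uri-query", "-")
    return ev["cs-uri-stem"] if query == "-" else f"{ev['cs-uri-stem']}?{query}"


def screenconnect_traversal_check(ev: Event) -> bool:
    """Checklist step 2 / rule 2026052601: POST to /FlashService/service? with a Data= parameter."""
    uri = full_uri(ev)
    return (ev["cs-method"] == "POST"
            and "/FlashService/service?" in uri
            and "Data=" in uri)


def smartermail_handler_post_check(ev: Event) -> bool:
    """Checklist step 1 / rule 2026052602: POST to an .aspx/.ashx handler under
    /aspx/ or /Services/, excluding the standard login endpoint."""
    stem = ev["cs-uri-stem"].lower()
    selection = (ev["cs-method"] == "POST"
                 and any(p in stem for p in ("/aspx/", "/services/"))
                 and stem.endswith((".aspx", ".ashx")))
    filter_out = stem.endswith("login.aspx")
    return selection and not filter_out


CHECKS = (
    ("Potential ScreenConnect Authentication Bypass (CVE-2024-1708)", screenconnect_traversal_check),
    ("SmarterMail Webshell Upload Activity (CVE-2025-52691)", smartermail_handler_post_check),
)


def hunt(text: str) -> List[Tuple[str, str, str]]:
    """Return (check title, client IP, full URI) for every record that matches a check."""
    hits = []
    for ev in parse_iis_w3c(text):
        for title, check in CHECKS:
            if check(ev):
                hits.append((title, ev["c-ip"], full_uri(ev)))
    return hits


if __name__ == "__main__":
    for title, client, uri in hunt(SAMPLE_IIS_LOG):
        print(f"{title}: {client} -> {uri}")
```

On the constructed log the script flags the two handler POSTs and the ScreenConnect request, all from the same client, while the login POST, the GET requests and the ordinary ScreenConnect page load are left alone; the same client IP appearing in both checks is the kind of correlation worth pivoting on during the review.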

Critical Assets for Exfiltration:

  • Financial databases (Accounting firms like ggroupcpas.com are hit for W-2s and tax returns).
  • Executive Email archives.
  • CAD/Engineering schematics (Construction/Manufacturing targets).

Containment Actions (Order of Urgency):

  1. Isolate: Disconnect email servers (SmarterMail) and remote access gateways (ScreenConnect) from the network immediately if patches are not verified.
  2. Credential Reset: Force reset of Domain Admin credentials and service accounts used on the identified vulnerable appliances.
  3. Block: Implement network firewall rules to block inbound traffic to SmarterMail and ScreenConnect management ports from non-whitelisted IPs.

Hardening Recommendations

Immediate (24 Hours):

  • Patch Management: Apply patches for CVE-2024-1708 (ScreenConnect), CVE-2025-52691, and CVE-2026-23760 (SmarterMail) immediately. These are actively being weaponized.
  • Access Control: Disable external internet access to ScreenConnect web interfaces. Enforce VPN tunneling for all RMM administrative access.

Short-Term (2 Weeks):

  • Network Segmentation: Move Email and RMM infrastructure into a dedicated management VLAN with strict egress filtering. Prevent lateral movement from the web server tier to the domain controller tier.
  • MFA Enforcement: Enable FIDO2 hardware keys or phishing-resistant MFA for all remote access solutions. DRAGONFORCE affiliates frequently bypass TOTP via interception.
