Back to Intelligence

DRAGONFORCE Ransomware: Critical Campaign Targeting Healthcare & Business Services

SA
Security Arsenal Team
April 17, 2026
6 min read

Threat Level: CRITICAL Last Updated: 2026-04-18 Source: Dark Web Leak Site Monitoring / Ransomware.live

Threat Actor Profile — DRAGONFORCE

  • Affiliation & Model: DRAGONFORCE operates as a Ransomware-as-a-Service (RaaS) entity. While they initially emerged with a closed-group ethos, recent infrastructure suggests a shift toward an affiliate-driven model to scale operations.
  • Ransom Demands: Demands vary significantly based on victim revenue, typically ranging from $500,000 to $5 million. They strictly enforce a "name-and-shame" double extortion strategy, threatening to leak sensitive PHI and client data if negotiations fail.
  • Initial Access Vectors: Historically reliant on phishing, this campaign pivots aggressively toward perimeter exploits. Current IOCs suggest a heavy preference for exploiting unpatched edge services (Mail servers, Firewall Management Centers) and VPN vulnerabilities.
  • Dwell Time: Average observed dwell time is 3–5 days. The group moves rapidly from initial access to data exfiltration to minimize detection opportunities.

Current Campaign Analysis

Victimology & Targeting

Analysis of the 17 victims posted between 2026-04-14 and 2026-04-17 reveals a distinct shift in focus.

  • High-Priority Sectors:

    • Healthcare (23.5%): medicalnetworks CJ GmbH (DE), bela - pharm (DE). The focus on German healthcare entities suggests a specific regional playbook targeting protected health information (PHI).
    • Business Services (35%): Empower Group, Curtis Design Group, tulsachamber.com (US), imadesign.com (US). These entities often possess access to larger supply chains.
    • Industrial/Manufacturing: breslinbuilders.com, ppiplastics.com (GB), tremcar.com (CA).

  • Geographic Concentration:

    • Germany (DE): High density of hits, particularly in Healthcare.
    • United States (US): Significant activity in Business Services and Technology (advprograms.com).
    • Secondary Targets: United Kingdom (GB), Brazil (BR), Canada (CA).

  • TTP Correlation with CVEs: The rapid exploitation of CVE-2026-23760 (SmarterTools SmarterMail) is the likely primary vector for the Business Services and Healthcare victims. Email servers are often exposed externally and contain the exact credentials and sensitive data DRAGONFORCE exfiltrates. Additionally, CVE-2026-20131 (Cisco Secure Firewall FMC) is suspected in lateral movement bypasses for the Technology and Logistics sectors, allowing the gang to disable security controls before detonation.

Detection Engineering

Sigma Rules

YAML
title: Potential SmarterMail Authentication Bypass Exploit (CVE-2026-23760)
id: c7a9b8d1-3f4e-4a5c-9b1d-0e2f3a4b5c6d
description: Detects potential exploitation of SmarterMail authentication bypass vulnerability via suspicious URL patterns or authentication anomalies.
status: experimental
date: 2026/04/18
author: Security Arsenal Research
references:
    - https://cisa.gov/known-exploited-vulnerabilities-catalog
logsource:
    category: webserver
detection:
    selection:
        cs-uri-query|contains:
            - '/Services/MailBox.asmx'
            - '/Runtime/Execute'
    filter:
        cs-method|contains: 'POST'
        sc-status: 200
    condition: selection and filter
falsepositives:
    - Legitimate administrative access to SmarterMail
level: critical
tags:
    - attack.initial_access
    - cve.2026.23760
    - dragonforce
---
title: Cisco FMC Deserialization Exploit Attempt (CVE-2026-20131)
id: d8e0c9e2-4g5f-5b6d-0c2e1f3a4b5c6d
description: Detects suspicious deserialization activity or API calls to Cisco FMC indicative of CVE-2026-20131 exploitation.
status: experimental
date: 2026/04/18
author: Security Arsenal Research
logsource:
    product: cisco
detection:
    selection:
        message|contains:
            - 'java.io.ObjectInputStream'
            - 'Apache Commons Collections'
            - 'Caused by: java.lang.ClassNotFoundException'
    condition: selection
falsepositives:
    - Java application errors unrelated to exploit
level: high
tags:
    - attack.defense_evasion
    - cve.2026.20131
    - dragonforce
---
title: DragonForce Typical Ransomware Pre-Encryption Activity
id: e9f1d0e3-5h6g-6c7e-1d3f2g4h5i6j7k
description: Detects patterns consistent with DragonForce prep, including mass file copying using rclone or robocopy and VSS shadow copy deletion via vssadmin.
status: experimental
date: 2026/04/18
author: Security Arsenal Research
logsource:
    category: process_creation
detection:
    selection_tools:
        Image|endswith:
            - '\rclone.exe'
            - '\robocopy.exe'
    selection_vss:
        CommandLine|contains:
            - 'vssadmin delete shadows'
            - 'wmic shadowcopy delete'
    condition: 1 of selection*
falsepositives:
    - Legitimate backup operations (check context)
level: high
tags:
    - attack.impact
    - attack.t1490
    - dragonforce

KQL Hunt Query (Microsoft Sentinel)

KQL — Microsoft Sentinel / Defender
// Hunt for DragonForce lateral movement and staging
// Looks for unusual network connections and powershell encoding
let TimeFrame = 1d;
DeviceNetworkEvents
| where Timestamp > ago(TimeFrame)
| where RemotePort in (445, 3389, 5985, 5986) or RemotePort >= 40000 and RemotePort <= 49999 // Common SMB/RDP/WinRM and dynamic RPC ports
| where InitiatingProcessFileName =~ "powershell.exe" or InitiatingProcessFileName =~ "wmiapsrv.exe"
| summarize Count = count(), RemoteIPs = make_set(RemoteIP) by DeviceName, InitiatingProcessCommandLine
| where Count > 10 // Threshold for suspicious frequency
| project-away Count
| join kind=inner (
    DeviceProcessEvents 
    | where Timestamp > ago(TimeFrame) 
    | where FileName in-("vssadmin.exe", "wbadmin.exe", "bcdedit.exe") // Pre-encryption checks
) on DeviceName

Rapid Response Script (PowerShell)

PowerShell
<#
.SYNOPSIS
    DragonForce Indicator Hunter - Checks for signs of staging and persistence.
.DESCRIPTION
    Scans for recent scheduled tasks, unusual processes, and VSS shadow copy status.
#>

function Invoke-DragonForceCheck {
    Write-Host "[+] Checking for DragonForce Indicators..." -ForegroundColor Cyan

    # 1. Check for recently created Scheduled Tasks (Persistence)
    $schTasks = Get-ScheduledTask | Where-Object { $_.Date -gt (Get-Date).AddDays(-7) }
    if ($schTasks) {
        Write-Host "[!] WARNING: Scheduled tasks created in the last 7 days:" -ForegroundColor Red
        $schTasks | Select-Object TaskName, Date, Author | Format-Table
    } else {
        Write-Host "[-] No suspicious recent scheduled tasks found." -ForegroundColor Green
    }

    # 2. Check for Shadow Copy Deletion Attempts (Impact)
    $vssEvents = Get-WinEvent -FilterHashtable @{LogName='Application'; ProviderName='VSS'; ID=12343} -MaxEvents 5 -ErrorAction SilentlyContinue
    if ($vssEvents) {
        Write-Host "[!] WARNING: Recent Volume Shadow Copy deletion events found." -ForegroundColor Red
    }

    # 3. Check for Rclone or suspicious backup tools (Exfil/Stage)
    $procs = Get-Process -ErrorAction SilentlyContinue | Where-Object { $_.ProcessName -like "*rclone*" -or $_.ProcessName -like "*mimikatz*" }
    if ($procs) {
        Write-Host "[!] CRITICAL: Suspicious process running (rclone/mimikatz)!!!" -ForegroundColor Red
        $procs | Format-Table Id, ProcessName, Path
    }

    # 4. Check for SmarterMail anomalies (CVE-2026-23760)
    $iisLogs = Get-ChildItem "C:\inetpub\logs\LogFiles\*\*.log" -ErrorAction SilentlyContinue | 
        Select-String -Pattern "Services/MailBox.asmx" | Select-Object -Last 5
    if ($iisLogs) {
        Write-Host "[!] INFO: SmarterMail API activity detected in IIS logs." -ForegroundColor Yellow
    }
}

Invoke-DragonForceCheck


---

Incident Response Priorities

  1. T-Minus Detection Checklist:

    • Immediately scan logs for CVE-2026-23760 exploit attempts on mail servers (SmarterMail).
    • Look for java.exe spawning cmd.exe or powershell.exe (sign of deserialization exploit on Cisco FMC).
    • Hunt for vssadmin.exe execution logs—this is the "point of no return" before encryption.

  2. Critical Assets at Risk:

    • Email Servers: Often contain credentials for the entire network.
    • Backup Servers: DragonForce actively seeks out and deletes shadow copies.
    • Active Directory Controllers: Credential dumping is a core TTP.

  3. Containment Actions (Order of Urgency):

    • Isolate: Disconnect mail servers and firewall management interfaces from the internet immediately.
    • Suspend: Suspend active domain accounts showing anomalous logon times (especially non-US/DE logins).
    • Preserve: Capture a memory dump of the email server if compromised to extract the malware payload.

Hardening Recommendations

  • Immediate (24h):

    • Patch CVE-2026-23760 (SmarterMail) and CVE-2026-20131 (Cisco FMC) immediately. These are active, zero-day equivalent threats in the wild.
    • Disable internet-facing RDP and enforce VPN with MFA if not already in place.
    • Audit external facing email gateways for unauthorized access.

  • Short-term (2 weeks):

    • Implement network segmentation to separate management planes (FMC) from user networks.
    • Deploy EDR on all edge devices (mail gateways, VPN concentrators).
    • Review and restrict the "Local Administrators" group on critical servers.

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub

darkwebransomware-gangdragonforceransomwaresmartermailcisco-fmccve-2026-23760healthcare

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action