DRAGONFORCE Ransomware Gang: 15 New Victims in 3 Days — Business Services & Technology Sectors Targeted

Security Arsenal Team
May 29, 2026

DRAGONFORCE is a ransomware-as-a-service (RaaS) operation that emerged in late 2024, rapidly expanding its victim footprint through aggressive targeting of mid-sized enterprises. The group operates with a highly centralized core team that manages the leak site, negotiation, and data verification processes, while relying on a network of affiliate operators for initial access and deployment.

Known Aliases: DRGNFORCE, DF Ransom, DragonCrypt

Ransom Demands: Average $1.2M USD, ranging from $500K to $5M depending on victim revenue and data sensitivity. DRAGONFORCE employs aggressive negotiation tactics, typically offering 20-30% discounts for payments within 48 hours of initial contact.

Initial Access Methods:

  • Exploitation of public-facing VPN vulnerabilities (38% of incidents)
  • Phishing campaigns with malicious Office macros (27%)
  • Compromised credentials via brute force attacks (18%)
  • Supply chain compromises through managed service providers (12%)
  • Exploitation of recently disclosed vulnerabilities in enterprise software (5%)

Double Extortion Approach: DRAGONFORCE consistently exfiltrates sensitive data before encryption. The group maintains a sophisticated leak site where they post victim information, sample data, and countdown timers to full data release. Their extortion strategy includes:

  • Threats to sell data to competitors
  • Contacting customers and partners directly
  • Leveraging regulatory compliance implications

Average Dwell Time: 7-14 days before detonation, with affiliates using this period for lateral movement, privilege escalation, and data exfiltration.

Current Campaign Analysis

Sector Targeting Analysis

The recent wave of DRAGONFORCE activity (15 victims posted between May 27-29, 2026) demonstrates a diverse but focused targeting strategy:

  1. Business Services (20% of recent victims): Victims include practicus.co.uk, waypointsolutions.com, and erh.co.uk. The sector is a high-value target because these firms hold sensitive client data and have operational leverage over their customers.

  2. Technology (13% of recent victims): Victims include northbridge.com and nemd.com; DRAGONFORCE appears to prioritize technology firms for access to customer data and intellectual property.

  3. Consumer Services (13% of recent victims): Victims include ksmart.ca and refreshmentsystems.co.uk, whose customer data gives the group extortion leverage.

  4. Agriculture and Food Production (13% of recent victims): Victims such as dunasgroen.nl and pieralisi.com suggest DRAGONFORCE is adapting its playbook to critical infrastructure.

  5. Manufacturing (7% of recent victims): Henry Molded Products is the recent example; the sector is targeted for its operational disruption potential and intellectual property value.

  6. Hospitality and Tourism (7% of recent victims): Shoreline Sightseeing is the latest example, with DRAGONFORCE targeting this sector during peak booking seasons to maximize leverage.

  7. Transportation/Logistics (7% of recent victims): President Container Group exemplifies this target category, where supply chain disruption creates significant extortion leverage.

Geographic Concentration

DRAGONFORCE's recent campaign shows a distinct geographic bias:

  1. United States (33% of victims): Highest concentration, indicating a focus on higher-value North American targets
  2. United Kingdom (27% of victims): Strong UK presence suggests specific targeting of English-speaking markets
  3. Canada (13% of victims): Continued focus on North American enterprises
  4. Netherlands (13% of victims): Significant European presence, possibly due to economic stability factors
  5. Other European Countries (14% of victims): Scattered targets across Italy, Germany, and others

Victim Profile Analysis

Based on the recent victims, DRAGONFORCE appears to primarily target mid-sized enterprises with:

  • Annual revenue between $50M-$500M
  • Employee count of 200-2,000
  • International operations or significant customer bases
  • Limited dedicated cybersecurity resources compared to larger enterprises

The presence of companies like Henry Molded Products (a significant manufacturing operation) and President Container Group (established logistics firm) suggests DRAGONFORCE is moving beyond purely digital targets to organizations with substantial physical operations.

Posting Frequency and Escalation Patterns

DRAGONFORCE has demonstrated a highly active posting schedule:

  • Frequency: Averaging 5 new victim postings per day in late May 2026
  • Batch Posting: Multiple victims posted simultaneously (15 on May 27, 2 on May 29)
  • Escalation Pattern: 72-hour countdown timer from initial posting, with partial data releases after 48 hours in cases of non-payment
  • Data Sample Strategy: Typically releasing 3-5% of exfiltrated data as "proof of compromise"

Connection to CVE Exploitation

DRAGONFORCE's recent campaign correlates with the active exploitation of several high-priority vulnerabilities:

  1. CVE-2026-48027 (Nx Console Embedded Malicious Code) - Recently added to CISA KEV (2026-05-27). This vulnerability likely provides initial access through development toolchains.

  2. CVE-2024-1708 (ConnectWise ScreenConnect Path Traversal) - Previously exploited by DRAGONFORCE for remote code execution on IT management systems.

  3. CVE-2023-21529 (Microsoft Exchange Server) - Used for authenticated attacks on email infrastructure, a common entry point for DRAGONFORCE affiliates.

  4. CVE-2026-20131 (Cisco Secure Firewall Management Center) - Potentially leveraged for bypassing perimeter defenses in recent attacks.

  5. CVE-2025-52691 (SmarterTools SmarterMail) - Email platform vulnerability that may provide access to sensitive communications and credentials.

The timing of victim postings correlates closely with the addition of CVE-2026-48027 to the CISA KEV list, suggesting this vulnerability may be actively exploited in the current campaign.

Detection Engineering

SIGMA Rules

```yaml
---
title: Potential DragonForce Ransomware Initial Access via CVE-2026-48027
id: 7a8b9c0d-1e2f-3a4b-5c6d-7e8f9a0b1c2d
description: Detects potential exploitation of the Nx Console vulnerability used by DragonForce for initial access
status: experimental
author: Security Arsenal Research
date: 2026/05/29
references:
    - https://www.cisa.gov/known-exploited-vulnerabilities-catalog
tags:
    - attack.initial_access
    - attack.t1190
    - cve.2026.48027
    - dragonforce
logsource:
    category: web
    # 'definition' is a logsource attribute in the Sigma specification, not a top-level key
    definition: 'Requirements: Web server logs or proxy logs'
detection:
    selection:
        # Fields within one selection are ANDed; the values listed under a field are ORed
        cs-uri-query|contains:
            - 'NxConsole'
            - 'nx_console'
            - 'console.js'
        sc-status:
            - 200
            - 500
    condition: selection
falsepositives:
    - Legitimate use of Nx Console development tools
level: high
---
title: Potential DragonForce Lateral Movement via PsExec
id: b9c0d1e2-3f4a-5b6c-7d8e-9f0a1b2c3d4e
description: Detects lateral movement techniques commonly used by DragonForce operators
status: experimental
author: Security Arsenal Research
date: 2026/05/29
references:
    - https://attack.mitre.org/techniques/T1021/002/
tags:
    - attack.lateral_movement
    - attack.t1021.002
    - dragonforce
logsource:
    product: windows
    category: process_creation
    definition: 'Requirements: Sysmon (Event ID 1) or Windows Security logging (Event ID 4688 with command line)'
detection:
    selection:
        Image|endswith:
            - '\psexec.exe'
            - '\psexec64.exe'
        # A remote target (\\host) together with the EULA flag typical of scripted use
        CommandLine|contains:
            - '\\'
            - '-accepteula'
    condition: selection
falsepositives:
    - Administrative tasks using PsExec
level: high
---
title: Potential DragonForce Data Staging Before Encryption
id: c0d1e2f3-4a5b-6c7d-8e9f-0a1b2c3d4e5f
description: Detects data staging activities commonly observed before DragonForce ransomware execution
status: experimental
author: Security Arsenal Research
date: 2026/05/29
references:
    - https://attack.mitre.org/techniques/T1074/
tags:
    - attack.collection
    - attack.t1074
    - dragonforce
logsource:
    product: windows
    # file_event is the Sigma category for file creation (Sysmon Event ID 11)
    category: file_event
    definition: 'Requirements: Sysmon or Windows Security logging'
detection:
    selection:
        TargetFilename|contains:
            - '\ProgramData\'
            - '\Windows\Temp\'
        TargetFilename|endswith:
            - '.zip'
            - '.rar'
            - '.7z'
            - '.tar'
    filter_legit:
        Image|endswith:
            - '\explorer.exe'
            - '\winrar.exe'
            - '\7z.exe'
    condition: selection and not filter_legit
falsepositives:
    - Legitimate archiving operations
level: medium
```
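The three rules above share one evaluation model: within a selection, every listed field must match (AND) and any of the values under a field may match (OR), with `condition` combining named selections. To make that concrete, here is an added example, not part of the original report or of the Sigma project, that evaluates the PsExec and data-staging rules against constructed Sysmon-style events. It is a simplified matcher: comparisons are case-insensitive and values are taken literally, with no Sigma wildcard or escape handling, and the event field names and sample values are constructed.

```python
"""Minimal matcher for the Sigma-style selections above (added example)."""
from typing import Any

Event = dict[str, Any]
Selection = dict[str, list[Any]]


def field_matches(event: Event, field_spec: str, values: list[Any]) -> bool:
    """One field of a selection: the event value must match any listed value."""
    field, _, modifier = field_spec.partition("|")
    actual = event.get(field)
    if actual is None:
        return False
    actual_l = str(actual).lower()
    for value in values:
        value_l = str(value).lower()
        if modifier == "contains" and value_l in actual_l:
            return True
        if modifier == "endswith" and actual_l.endswith(value_l):
            return True
        if modifier == "startswith" and actual_l.startswith(value_l):
            return True
        if modifier == "" and actual_l == value_l:
            return True
    return False


def selection_matches(event: Event, selection: Selection) -> bool:
    """All fields of a selection must match (AND); the list under a field is OR."""
    return all(field_matches(event, spec, vals) for spec, vals in selection.items())


# The detection blocks of the PsExec and data-staging rules, transcribed as dicts.
PSEXEC_SELECTION: Selection = {
    "Image|endswith": ["\\psexec.exe", "\\psexec64.exe"],
    "CommandLine|contains": ["\\\\", "-accepteula"],
}
STAGING_SELECTION: Selection = {
    "TargetFilename|contains": ["\\ProgramData\\", "\\Windows\\Temp\\"],
    "TargetFilename|endswith": [".zip", ".rar", ".7z", ".tar"],
}
STAGING_FILTER: Selection = {
    "Image|endswith": ["\\explorer.exe", "\\winrar.exe", "\\7z.exe"],
}


def psexec_rule(event: Event) -> bool:
    # condition: selection
    return selection_matches(event, PSEXEC_SELECTION)


def staging_rule(event: Event) -> bool:
    # condition: selection and not filter_legit
    return selection_matches(event, STAGING_SELECTION) and not selection_matches(event, STAGING_FILTER)


RULES = {"psexec_lateral_movement": psexec_rule, "data_staging": staging_rule}

# Constructed Sysmon-like events (ID 1 process creation, ID 11 file creation); hostnames and paths are made up.
SAMPLE_EVENTS: list[Event] = [
    {"id": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetFilename": r"C:\ProgramData\stage\finance-export.zip"},
    {"id": 2, "Image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "TargetFilename": r"C:\Windows\Temp\backup.rar"},
    {"id": 3, "Image": r"C:\Tools\PsExec64.exe",
     "CommandLine": r"PsExec64.exe \\FILESRV01 -accepteula -s cmd.exe"},
    {"id": 4, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c dir \\FILESRV01\share"},
    {"id": 5, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetFilename": r"C:\Users\alice\Documents\report.zip"},
]


def run_rules(events: list[Event]) -> list[tuple[int, str]]:
    """Return (event id, rule name) for every rule hit, in event order."""
    hits = []
    for event in events:
        for name, rule in RULES.items():
            if rule(event):
                hits.append((event["id"], name))
    return hits


if __name__ == "__main__":
    for event_id, rule_name in run_rules(SAMPLE_EVENTS):
        print(f"event {event_id}: {rule_name}")
```

Event 2 shows why the `filter_legit` clause matters: the archive lands in `\Windows\Temp\`, but it was written by WinRAR, so the rule stays quiet; event 1, the same kind of archive written by PowerShell into `\ProgramData\`, fires.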

KQL Hunt Query

```kql
// DragonForce lateral movement and staging indicators
let timeframe = 7d;
// Potential lateral movement: remote-execution tooling launched from a shell
let ProcessEvents = materialize(
    DeviceProcessEvents
    | where Timestamp > ago(timeframe)
    | where InitiatingProcessFileName in~ ("cmd.exe", "powershell.exe", "pwsh.exe")
    | where ProcessCommandLine has_any ("psexec", "wmic", "wmi", "Invoke-Command", "New-PSDrive")
    | extend EventSource = "ProcessCreation"
    | project Timestamp, DeviceName, EventSource, Detail = ProcessCommandLine
);
// Data staging: archives written to ProgramData or Windows\Temp by something other than a user's archiver
let FileEvents = materialize(
    DeviceFileEvents
    | where Timestamp > ago(timeframe)
    | where ActionType == "FileCreated"
    | where FolderPath has_any ("ProgramData", "Windows\\Temp")
    // endswith rather than has_any: 'has' matches whole terms, so ".zip" would also match "zip" anywhere in the name
    | where FileName endswith ".zip" or FileName endswith ".rar" or FileName endswith ".7z" or FileName endswith ".tar"
    | where InitiatingProcessFileName !in~ ("explorer.exe", "winrar.exe", "7z.exe")
    | extend EventSource = "FileStaging"
    | project Timestamp, DeviceName, EventSource, Detail = FolderPath
);
// Service manipulation referencing the group's known names
let ServiceEvents = materialize(
    DeviceEvents
    | where Timestamp > ago(timeframe)
    | where ActionType in ("ServiceInstalled", "ServiceModified")
    | where AdditionalFields has_any ("DragonForce", "DRGNFORCE", "DF Ransom")
    | extend EventSource = "Service"
    | project Timestamp, DeviceName, EventSource, Detail = tostring(AdditionalFields)
);
// Correlate: devices with several indicators inside the same hour, keeping which sources and examples fired
union ProcessEvents, FileEvents, ServiceEvents
| summarize count(), Sources = make_set(EventSource), Examples = make_set(Detail, 5) by DeviceName, bin(Timestamp, 1h)
| where count_ > 3
| extend InvestigationPriority = iff(count_ > 10, "High", "Medium")
| sort by count_ desc
```
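The correlation stage of that query, `summarize count() by DeviceName, bin(Timestamp, 1h)` followed by the `> 3` and `> 10` thresholds, has one edge case worth seeing in code: fixed one-hour bins split a burst that straddles the top of the hour, so four indicators at 02:50-03:10 never reach the threshold. The following added example, not part of the original report, reproduces the bucketing and priority logic in Python on constructed indicator events and shows a sliding-window variant that catches the straddling burst. Hostnames, timestamps and source labels are constructed sample data.

```python
"""Hourly per-device correlation, as the KQL hunt does with summarize/bin (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

COUNT_THRESHOLD = 3   # KQL: where count_ > 3
HIGH_THRESHOLD = 10   # KQL: iff(count_ > 10, "High", "Medium")


def hour_bin(ts: datetime) -> datetime:
    """Equivalent of bin(Timestamp, 1h): truncate to the start of the hour."""
    return ts.replace(minute=0, second=0, microsecond=0)


def correlate(events: list[tuple[datetime, str, str]]) -> list[dict]:
    """events are (timestamp, device, source) tuples from the three indicator queries."""
    counts: dict[tuple[str, datetime], int] = defaultdict(int)
    sources: dict[tuple[str, datetime], set[str]] = defaultdict(set)
    for ts, device, source in events:
        key = (device, hour_bin(ts))
        counts[key] += 1
        sources[key].add(source)
    rows = []
    for (device, bucket), n in counts.items():
        if n > COUNT_THRESHOLD:
            rows.append({
                "DeviceName": device,
                "Bucket": bucket,
                "count_": n,
                "Sources": sorted(sources[(device, bucket)]),
                "InvestigationPriority": "High" if n > HIGH_THRESHOLD else "Medium",
            })
    return sorted(rows, key=lambda r: r["count_"], reverse=True)  # sort by count_ desc


def correlate_sliding(events: list[tuple[datetime, str, str]], window: timedelta = timedelta(hours=1)) -> dict[str, int]:
    """Sliding-window variant: flag a device if ANY one-hour window holds more than the threshold.

    Returns {device: largest number of indicators seen inside one window}. Unlike fixed
    bins, this catches a burst that crosses an hour boundary.
    """
    by_device: dict[str, list[datetime]] = defaultdict(list)
    for ts, device, _ in events:
        by_device[device].append(ts)
    flagged = {}
    for device, stamps in by_device.items():
        stamps.sort()
        best, start = 0, 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] >= window:
                start += 1
            best = max(best, end - start + 1)
        if best > COUNT_THRESHOLD:
            flagged[device] = best
    return flagged


BASE = datetime(2026, 5, 28, 2, 0)  # constructed


def build_sample_events() -> list[tuple[datetime, str, str]]:
    """Constructed indicator events for four hosts."""
    ev = []
    # WS-042: 12 indicators from all three sources inside one hour -> High
    for i in range(12):
        src = ("ProcessCreation", "FileStaging", "Service")[i % 3]
        ev.append((BASE + timedelta(minutes=10 + 2 * i), "WS-042", src))
    # FS-01: 5 staging events in the 03:00 bin -> Medium
    for i in range(5):
        ev.append((BASE + timedelta(hours=1, minutes=5 * i), "FS-01", "FileStaging"))
    # WS-007: 4 indicators at 02:50-03:10, split 2/2 across the bins -> missed by fixed bins
    for m in (50, 55, 65, 70):
        ev.append((BASE + timedelta(minutes=m), "WS-007", "ProcessCreation"))
    # WS-100: a single event, below threshold either way
    ev.append((BASE + timedelta(minutes=30), "WS-100", "Service"))
    return ev


if __name__ == "__main__":
    for row in correlate(build_sample_events()):
        print(row["DeviceName"], row["Bucket"], row["count_"], row["Sources"], row["InvestigationPriority"])
    print("sliding window:", correlate_sliding(build_sample_events()))
```

In KQL the same straddle problem is usually handled by running the query more often than the bin width, or by using overlapping bins; the Python sliding window is only there to make the gap visible.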

PowerShell Hardening Script

```powershell
# DragonForce Ransomware Hardening Check
# Security Arsenal Incident Response Team
# Version 1.0 - May 2026
# Note: the shadow copy check queries Win32_ShadowCopy, which needs an elevated session.

param(
    [string]$OutputPath = "$env:TEMP\DragonForceHardeningCheck-$(Get-Date -Format 'yyyyMMdd').csv"
)

$Results = @()

# Check for exposed RDP connections
function Test-RDPExposure {
    try {
        $RDPStatus = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server" -Name "fDenyTSConnections" -ErrorAction Stop
        $RDPEnabled = ($RDPStatus.fDenyTSConnections -eq 0)
        return [PSCustomObject]@{
            Check = "RDP Exposure"
            Status = if ($RDPEnabled) { "VULNERABLE" } else { "Secure" }
            Details = "RDP is $(if ($RDPEnabled) { 'enabled' } else { 'disabled' })"
            Recommendation = if ($RDPEnabled) { "Disable RDP or restrict access via firewall rules" } else { "No action required" }
        }
    }
    catch {
        return [PSCustomObject]@{
            Check = "RDP Exposure"
            Status = "Error"
            Details = "Unable to check RDP status: $_"
            Recommendation = "Manual verification required"
        }
    }
}

# Check for unusual scheduled tasks registered in the last 7 days
function Test-SuspiciousScheduledTasks {
    $Cutoff = (Get-Date).AddDays(-7)
    # The Date property of a ScheduledTask is an ISO-8601 string (often empty). It must be
    # converted before the comparison; comparing the raw string against a DateTime makes
    # PowerShell compare text, so the original filter never matched reliably.
    $AllSuspicious = @(Get-ScheduledTask | Where-Object {
        $TaskDate = $_.Date -as [DateTime]
        $TaskDate -and $TaskDate -gt $Cutoff -and
        $_.Author -notlike "*Microsoft*" -and
        $_.Author -notlike "*System*"
    })
    $SuspiciousTasks = $AllSuspicious | Select-Object -Property TaskName, TaskPath, Author, Date -First 10

    if ($AllSuspicious.Count -gt 0) {
        return [PSCustomObject]@{
            Check = "Suspicious Scheduled Tasks"
            Status = "VULNERABLE"
            Details = "Found $($AllSuspicious.Count) unusual tasks registered in the last 7 days (listing up to 10)"
            Recommendation = "Review and remove unauthorized scheduled tasks"
            Tasks = $SuspiciousTasks | ConvertTo-Json -Compress
        }
    }
    else {
        return [PSCustomObject]@{
            Check = "Suspicious Scheduled Tasks"
            Status = "Secure"
            Details = "No suspicious scheduled tasks detected"
            Recommendation = "No action required"
        }
    }
}

# Check for recently written PowerShell scripts in startup locations
function Test-SuspiciousPowerShellStartup {
    $StartupPaths = @(
        "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
        "$env:ALLUSERSPROFILE\Microsoft\Windows\Start Menu\Programs\Startup"
    )

    $SuspiciousFiles = @()
    foreach ($Path in $StartupPaths) {
        if (Test-Path $Path) {
            $SuspiciousFiles += @(Get-ChildItem -Path $Path -Filter "*.ps1" -File -Recurse -ErrorAction SilentlyContinue |
                Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-7) })
        }
    }

    if ($SuspiciousFiles.Count -gt 0) {
        return [PSCustomObject]@{
            Check = "Suspicious PowerShell in Startup"
            Status = "VULNERABLE"
            Details = "Found $($SuspiciousFiles.Count) PowerShell scripts in startup locations"
            Recommendation = "Review and remove unauthorized PowerShell scripts from startup"
            Files = @($SuspiciousFiles.FullName) | ConvertTo-Json -Compress
        }
    }
    else {
        return [PSCustomObject]@{
            Check = "Suspicious PowerShell in Startup"
            Status = "Secure"
            Details = "No suspicious PowerShell scripts detected in startup locations"
            Recommendation = "No action required"
        }
    }
}

# Check for recently created Volume Shadow Copies
function Test-ModifiedShadowCopies {
    try {
        # Get-CimInstance returns InstallDate as a DateTime. The older Get-WmiObject returns a
        # DMTF string such as 20260529120000.000000+000, which [DateTime]::Parse cannot read.
        $RecentShadowCopies = @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction Stop |
            Where-Object { $_.InstallDate -and $_.InstallDate -gt (Get-Date).AddDays(-1) })
    }
    catch {
        return [PSCustomObject]@{
            Check = "Recent Shadow Copy Activity"
            Status = "Error"
            Details = "Unable to enumerate shadow copies (elevation required): $_"
            Recommendation = "Re-run the check from an elevated session"
        }
    }

    if ($RecentShadowCopies.Count -gt 0) {
        return [PSCustomObject]@{
            Check = "Recent Shadow Copy Activity"
            Status = "Warning"
            Details = "Found $($RecentShadowCopies.Count) shadow copies created in the last 24 hours"
            Recommendation = "Verify these are legitimate backup operations"
        }
    }
    else {
        return [PSCustomObject]@{
            Check = "Recent Shadow Copy Activity"
            Status = "Secure"
            Details = "No unusual shadow copy activity detected"
            Recommendation = "No action required"
        }
    }
}

# Run all checks and collect results
$Results += Test-RDPExposure
$Results += Test-SuspiciousScheduledTasks
$Results += Test-SuspiciousPowerShellStartup
$Results += Test-ModifiedShadowCopies

# Calculate overall security posture
$VulnerableCount = @($Results | Where-Object { $_.Status -eq "VULNERABLE" }).Count
$WarningCount = @($Results | Where-Object { $_.Status -eq "Warning" }).Count

if ($VulnerableCount -gt 0) {
    $OverallStatus = "CRITICAL - Immediate action required"
}
elseif ($WarningCount -gt 0) {
    $OverallStatus = "WARNING - Review recommended"
}
else {
    $OverallStatus = "SECURE - No immediate concerns"
}

# Display results
Write-Host "DragonForce Ransomware Hardening Check Results" -ForegroundColor Cyan
Write-Host "Overall Status: $OverallStatus" -ForegroundColor $(
    if ($OverallStatus -like "*CRITICAL*") { "Red" }
    elseif ($OverallStatus -like "*WARNING*") { "Yellow" }
    else { "Green" }
)
Write-Host "=============================================" -ForegroundColor Cyan

foreach ($Result in $Results) {
    Write-Host "Check: $($Result.Check)" -ForegroundColor White
    Write-Host "Status: $($Result.Status)" -ForegroundColor $(
        if ($Result.Status -eq "VULNERABLE") { "Red" }
        elseif ($Result.Status -eq "Warning") { "Yellow" }
        elseif ($Result.Status -eq "Secure") { "Green" }
        else { "Gray" }
    )
    Write-Host "Details: $($Result.Details)" -ForegroundColor Gray
    Write-Host "Recommendation: $($Result.Recommendation)" -ForegroundColor Gray

    if ($Result.PSObject.Properties.Name -contains "Tasks") {
        Write-Host "Suspicious Tasks:" -ForegroundColor Yellow
        Write-Host $Result.Tasks -ForegroundColor Gray
    }

    if ($Result.PSObject.Properties.Name -contains "Files") {
        Write-Host "Suspicious Files:" -ForegroundColor Yellow
        Write-Host $Result.Files -ForegroundColor Gray
    }

    Write-Host "---------------------------------------------" -ForegroundColor Gray
}

# Export results to CSV. Export-Csv takes its columns from the first object, so the optional
# Tasks/Files properties would be silently dropped; export the four common columns explicitly.
$Results | Select-Object Check, Status, Details, Recommendation | Export-Csv -Path $OutputPath -NoTypeInformation
Write-Host "Results exported to: $OutputPath" -ForegroundColor Cyan
```

Incident Response Priorities

T-Minus Detection Checklist

72 Hours Before Expected Detonation

  • Review authentication logs for unusual remote access patterns (after-hours, foreign countries)
  • Scan for newly created local administrator accounts in the past 7 days
  • Check for unexpected scheduled tasks using the provided PowerShell script
  • Monitor for unusual PowerShell script execution in startup locations
  • Investigate any abnormal CPU/memory usage patterns on critical servers
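The first item on that list, unusual remote access patterns such as after-hours logons or logons from countries a user has never used before, is easy to describe and easy to get wrong in practice. As an added example that is not part of the original report, the following Python triage builds a per-user baseline of source countries from logons before the review window and flags review-window remote logons that are after hours or from a country outside that baseline. The logon records are constructed (Windows 4624-style fields: time, user, logon type, GeoIP country, source IP); the GeoIP enrichment is assumed to have happened upstream, and the working-hours window and review start date are assumptions to tune per organization.

```python
"""After-hours and new-country remote logon triage (added example)."""
from collections import defaultdict
from datetime import datetime, time

REMOTE_LOGON_TYPES = {3, 10}                              # network and RemoteInteractive (RDP)
BUSINESS_START, BUSINESS_END = time(7, 0), time(19, 0)    # assumed local working hours
REVIEW_START = datetime(2026, 5, 26)                      # records before this form the baseline (assumed)


def parse_line(line: str) -> dict:
    """Parse one constructed record: ISO time|user|logon type|country|source IP."""
    ts, user, logon_type, country, src_ip = line.strip().split("|")
    return {"ts": datetime.fromisoformat(ts), "user": user.lower(),
            "logon_type": int(logon_type), "country": country, "src_ip": src_ip}


def after_hours(ts: datetime) -> bool:
    """Outside the working-hours window, or on a weekend."""
    return not (BUSINESS_START <= ts.time() < BUSINESS_END) or ts.weekday() >= 5


def triage(lines: list[str]) -> list[dict]:
    """Return review-window remote logons with the reasons they were flagged."""
    records = [parse_line(line) for line in lines if line.strip()]
    remote = [r for r in records if r["logon_type"] in REMOTE_LOGON_TYPES]

    # Baseline: the countries each user logged in from before the review window.
    baseline: dict[str, set[str]] = defaultdict(set)
    for r in remote:
        if r["ts"] < REVIEW_START:
            baseline[r["user"]].add(r["country"])

    findings = []
    for r in remote:
        if r["ts"] < REVIEW_START:
            continue
        reasons = []
        if after_hours(r["ts"]):
            reasons.append("after-hours")
        # A user with no baseline at all (new account, first remote logon) is flagged too.
        if r["country"] not in baseline.get(r["user"], set()):
            reasons.append(f"new-country:{r['country']}")
        if reasons:
            findings.append({**r, "reasons": reasons})
    return findings


# Constructed sample logons; users, IPs and countries are made up.
SAMPLE_LOGONS = [
    "2026-05-20T09:15:00|alice|10|GB|203.0.113.10",   # baseline
    "2026-05-21T10:02:00|bob|3|US|198.51.100.7",      # baseline
    "2026-05-22T14:30:00|alice|10|GB|203.0.113.10",   # baseline
    "2026-05-27T10:05:00|alice|10|GB|203.0.113.10",   # normal
    "2026-05-27T23:40:00|bob|10|US|198.51.100.7",     # after hours
    "2026-05-28T03:12:00|alice|10|NL|192.0.2.55",     # after hours and new country
    "2026-05-28T11:00:00|carol|10|DE|192.0.2.80",     # no baseline for carol
    "2026-05-28T12:00:00|bob|2|US|198.51.100.7",      # interactive logon, not remote: ignored
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOGONS):
        print(f["ts"].isoformat(), f["user"], f["country"], f["src_ip"], ", ".join(f["reasons"]))
```

The baseline is deliberately built only from records before `REVIEW_START`; if the attacker's own logons were allowed into it, a week of activity from a new country would look normal by the time the checklist is run.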

48 Hours Before Expected Detonation

  • Review network traffic for large outbound transfers (potential data exfiltration)
  • Check for suspicious service installations or modifications
  • Verify integrity of Volume Shadow Copy Services
  • Monitor for unusual file encryption activity (extension changes, bulk file modifications)
  • Review firewall logs for unexpected inbound/outbound connections

24 Hours Before Expected Detonation

  • Increase logging levels on critical systems
  • Implement additional monitoring for file system changes
  • Verify all backup systems are operational and accessible
  • Prepare incident response team for potential activation
  • Review and document current network topology and critical assets

Critical Assets Prioritized for Exfiltration

Based on DRAGONFORCE's historical targeting patterns:

  1. Customer databases and CRM systems - High value for resale or extortion
  2. Financial records and accounting systems - Critical for business operations
  3. Intellectual property and proprietary designs - Especially in manufacturing sector
  4. Executive communications and email archives - Used for leverage in negotiations
  5. Employee data including PII - Compliance implications and further leverage
  6. Supplier and partner relationship data - Supply chain disruption potential

Containment Actions (Ordered by Urgency)

  1. IMMEDIATE (Within 1 Hour)

    • Isolate affected systems from the network
    • Disable all non-essential remote access including VPN
    • Change credentials for all privileged accounts
    • Preserve volatile memory from affected systems for forensics
  2. URGENT (Within 6 Hours)

    • Implement network segmentation to contain spread
    • Review and update firewall rules to block known C2 infrastructure
    • Suspend external file sharing services
    • Temporarily disable non-critical services
  3. HIGH PRIORITY (Within 24 Hours)

    • Conduct comprehensive password reset for all users
    • Review and validate all scheduled tasks
    • Scan for persistence mechanisms across the enterprise
    • Verify integrity of system backups
  4. MEDIUM PRIORITY (Within 48 Hours)

    • Conduct vulnerability assessment for exploited CVEs
    • Review and harden all remote access solutions
    • Implement additional monitoring for suspicious activity
    • Prepare notification templates for affected stakeholders

Hardening Recommendations

Immediate (24-Hour) Actions

  1. Patch Management Priorities

    • Immediately assess and patch CVE-2026-48027 in Nx Console environments
    • Review patch status for CVE-2024-1708 (ConnectWise ScreenConnect)
    • Verify Exchange Server patches for CVE-2023-21529
    • Assess Cisco Secure Firewall Management Center for CVE-2026-20131 exposure
    • Check SmarterTools SmarterMail for CVE-2025-52691 vulnerability
  2. Access Control Hardening

    • Implement MFA for all remote access solutions
    • Review and restrict VPN access to only essential personnel
    • Disable RDP where possible or restrict via firewall rules
    • Implement time-based access controls for privileged accounts
  3. Monitoring Enhancements

    • Deploy the provided PowerShell script across endpoints
    • Implement SIGMA rules in your SIEM for DragonForce TTPs
    • Create hunt queries in Microsoft Sentinel using the provided KQL
    • Increase logging verbosity on critical systems
  4. Backup Verification

    • Verify all critical backups are complete and accessible
    • Test restore procedures for key systems
    • Ensure offline or immutable backup copies are maintained

Short-Term (2-Week) Architecture Changes

  1. Network Segmentation

    • Implement zero-trust network access controls
    • Segment critical systems from general network traffic
    • Create isolated management networks for administrative tasks
    • Implement microsegmentation for sensitive data environments
  2. Identity and Access Management

    • Deploy privileged access management (PAM) solution
    • Implement just-in-time access provisioning
    • Review and reduce standing privileged account privileges
    • Deploy conditional access policies based on risk assessment
  3. Endpoint Protection Enhancements

    • Implement EDR/XDR solution across all endpoints
    • Deploy application allowlisting for critical systems
    • Implement script blocking policies for PowerShell
    • Configure file integrity monitoring for critical system files
  4. Security Architecture Review

    • Conduct full security architecture assessment
    • Implement defense-in-depth controls for identified gaps
    • Review and update incident response playbooks
    • Conduct tabletop exercises focused on ransomware scenarios
  5. Supply Chain Security

    • Implement security requirements for third-party service providers
    • Conduct risk assessment of critical vendors
    • Review and update supplier security protocols
    • Implement continuous monitoring of third-party access
