Back to Intelligence

DRAGONFORCE Ransomware Gang: 17 New Victims Posted — Healthcare & Business Services Under Siege

SA
Security Arsenal Team
April 18, 2026
6 min read

Aliases: None confirmed (Operations strictly under DRAGONFORCE branding) Operational Model: Ransomware-as-a-Service (RaaS). The group operates with a high degree of affiliate automation, evidenced by the rapid cadence of victim postings. Typical Ransom Demands: $300,000 – $2,000,000 USD. Demands scale aggressively based on victim revenue and the sensitivity of exfiltrated data. Initial Access Vectors: DRAGONFORCE affiliates specialize in exploiting internet-facing perimeter appliances rather than traditional phishing. Current intelligence confirms active exploitation of:

  • Firewall Management Consoles (Cisco FMC)
  • Email Gateways (SmarterMail)
  • VPN/Access Gateways (Citrix NetScaler, Fortinet)
  • Web Application Frameworks (Meta React) Double Extortion: Standard practice. Data is staged and exfiltrated to cloud storage (often via RClone) before encryption begins. Leak site timers are typically set to 3-5 days. Dwell Time: Short (3-7 days). The group moves rapidly from initial exploit to data staging to encryption.

Current Campaign Analysis

Campaign Period: 2026-04-14 to 2026-04-17 Total Victims: 17 (Recent postings)

Sector Targeting

The current campaign demonstrates a "spray and pray" approach targeting critical mid-market verticals:

  1. Healthcare (High Priority): Attacks against medicalnetworks CJ GmbH & Co. KG and bela - pharm in Germany suggest a specific focus on the DACH region's healthcare sector, likely exploiting unpatched perimeter email or VPN infrastructure.
  2. Business Services: A significant cluster of victims (Empower Group, Curtis Design Group, tulsachamber.com) indicates these affiliates are targeting managed service providers (MSPs) and professional associations for supply chain leverage.
  3. Industrial & Logistics: breslinbuilders.com (Construction), ppiplastics.com (Manufacturing), and tremcar.com (Transportation) suggest a pivot toward operational technology adjacent sectors.

Geographic Distribution

  • Germany (DE): Primary focus in the Healthcare sector.
  • United States (US): Heavily targeted in Business Services and Technology.
  • Others: UK, Brazil, Canada.

CVE Correlation & Attack Path

The victimology strongly correlates with the CISA KEV list provided:

  • CVE-2026-20131 (Cisco FMC): Likely the vector for the Technology and larger Business Services victims, allowing deep network access.
  • CVE-2026-23760 (SmarterMail): Almost certainly used against the Healthcare and Business Services victims to access email stores and internal credentials.
  • CVE-2025-5777 (Citrix NetScaler) / CVE-2019-6693 (Fortinet): Exploited for initial remote access into networks with exposed VPN interfaces.

Detection Engineering

SIGMA Rules

YAML
---
title: Potential Cisco FMC Deserialization Exploitation
id: 8c2f1d4e-5a6b-4c8d-9e0f-1a2b3c4d5e6f
status: experimental
description: Detects potential exploitation of CVE-2026-20131 in Cisco Secure Firewall Management Center via suspicious shell processes spawned by the Java backend.
author: Security Arsenal Research
date: 2026/04/18
logsource:
    category: process_creation
    product: linux
detection:
    selection:
        ParentImage|contains: '/opt/CiscoSecureFirewall/'
        Image|endswith:
            - '/bin/sh'
            - '/bin/bash'
    condition: selection
falsepositives:
    - Administrative maintenance
level: high
---
title: SmarterMail Authentication Bypass Attempt
id: 7b1e2d3f-4c5a-6b7d-8e9f-0a1b2c3d4e5f
status: experimental
description: Detects indicators of CVE-2026-23760 exploitation on SmarterMail servers, focusing on anomalous file access paths.
author: Security Arsenal Research
date: 2026/04/18
logsource:
    category: webserver
    product: windows
detection:
    selection:
        cs-uri-stem|contains: 'Mail.aspx'
        cs-method: 'POST'
        cs-uri-query|contains: 'password'
    filter:
        cs-user-agent|contains: 'Mozilla'
    condition: selection and not filter
falsepositives:
    - Legitimate user logins
level: medium
---
title: Ransomware Data Staging via RClone
id: 6a0d1c2e-3b4a-5c6d-7e8f-9a0b1c2d3e4f
status: experimental
description: Detects usage of RClone or similar CLI tools for mass data exfiltration, a common tactic in DRAGONFORCE double extortion.
author: Security Arsenal Research
date: 2026/04/18
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\rclone.exe'
            - '\winscp.exe'
        CommandLine|contains:
            - 'sync'
            - 'copy'
            - 's3:'
    condition: selection
falsepositives:
    - Legitimate backup operations
level: critical

KQL (Microsoft Sentinel)

KQL — Microsoft Sentinel / Defender
// Hunt for lateral movement and credential dumping associated with DRAGONFORCE
let TimeFrame = ago(7d);
DeviceProcessEvents
| where Timestamp >= TimeFrame
| where (FileName in~ ('cmd.exe', 'powershell.exe', 'pwsh.exe') or
         InitiatingProcessFileName in~ ('cmd.exe', 'powershell.exe', 'pwsh.exe'))
| where ProcessCommandLine has any('net user', 'net group', 'whoami', 'mimikatz', 'procdump')
| summarize count() by DeviceName, AccountName, ProcessCommandLine, Timestamp
| extend AlertTime = now()

PowerShell Response Script

PowerShell
<#
.SYNOPSIS
    Rapid Response Script for DRAGONFORCE Indicators
.DESCRIPTION
    Checks for suspicious scheduled tasks, recent Volume Shadow Copy manipulation, and unusual RDP connections.
#>

Write-Host "[*] Starting DRAGONFORCE Rapid Response Check..." -ForegroundColor Cyan

# 1. Check for Scheduled Tasks created in last 7 days (Persistence)
Write-Host "[+] Checking for recently created Scheduled Tasks..." -ForegroundColor Yellow
Get-ScheduledTask | Where-Object {
    $_.Date -ge (Get-Date).AddDays(-7)
} | Select-Object TaskName, Date, Author, TaskPath | Format-Table -AutoSize

# 2. Check for VSSAdmin usage (Ransomware Defense Evasion)
Write-Host "[+] Checking for Volume Shadow Copy Manipulation..." -ForegroundColor Yellow
$Events = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4663; StartTime=(Get-Date).AddHours(-24)} -ErrorAction SilentlyContinue
if ($Events) {
    $Events | Where-Object {$_.Message -like '*vssadmin*' -or $_.Message -like '*delete*'} | Select-Object TimeCreated, Message | Format-List
} else {
    Write-Host "No recent VSS admin events found or log access denied." -ForegroundColor Gray
}

# 3. Check for Network Connections to non-standard ports (C2)
Write-Host "[+] Checking for established connections on high ports..." -ForegroundColor Yellow
Get-NetTCPConnection -State Established | Where-Object {$_.RemotePort -gt 1024 -and $_.RemotePort -ne 443} | 
    Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, OwningProcess | Format-Table -AutoSize

Write-Host "[*] Scan Complete. Review output for anomalies." -ForegroundColor Green


---

# Incident Response Priorities

T-Minus Detection Checklist

  1. Perimeter Appliance Logs: Immediately review logs for Cisco FMC, Citrix NetScaler, and Fortinet devices for IOCs related to CVE-2026-20131 and CVE-2025-5777.
  2. Web Server Access: Check SmarterMail and IIS/Apache logs for authentication bypass attempts (unusual user agents or direct path access).
  3. Process Anomalies: Hunt for rclone.exe or powershell.exe spawning from unexpected parent processes.

Critical Asset Prioritization

DRAGONFORCE historically targets:

  • Active Directory: Credential dumping for lateral movement.
  • Patient Records (PII): In Healthcare victims for high-leverage extortion.
  • Financial Systems: Quick-win data for negotiation leverage.

Containment Actions (Urgency Order)

  1. Isolate: Disconnect compromised VPN appliances and edge firewalls from the network core.
  2. Suspend: Disable external email access (OWA/EAS) if SmarterMail is suspected compromised.
  3. Revoke: Reset credentials for privileged accounts that logged into the affected perimeter devices within the last 30 days.

Hardening Recommendations

Immediate (24 Hours)

  • Patch Management: Apply patches for CVE-2026-20131 (Cisco FMC), CVE-2026-23760 (SmarterMail), and CVE-2025-5777 (Citrix). These are confirmed active exploits.
  • Access Control: Enforce MFA on all management interfaces for firewalls and email gateways.
  • Network Segmentation: Ensure management planes for security appliances are not reachable from the internet or internal user VLANs without jump-host access.

Short-term (2 Weeks)

  • Zero Trust Architecture: Implement strict least-privilege access for edge services. Remove local admin rights from service accounts on mail gateways.
  • EDR Coverage: Ensure EDR agents are deployed on all edge servers (mail/web/VPN) to detect process execution resulting from deserialization vulnerabilities.

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub

darkwebransomware-gangdragonforceransomwarehealthcarecisa-kevcisco-fmccitrix-netscaler

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action