Back to Intelligence

DRAGONFORCE Ransomware: Global Campaign Targets Logistics & Tech via Critical Firewall & Mail Vulnerabilities

SA
Security Arsenal Team
May 27, 2026
6 min read

Date: 2026-05-27
Analyst: Security Arsenal Threat Intelligence Unit
Source: Ransomware.live / Dark Web Leak Site Telemetry

Threat Actor Profile — DRAGONFORCE

DRAGONFORCE is an aggressive Ransomware-as-a-Service (RaaS) operation known for high-volume postings and indiscriminate targeting of mid-market enterprises. Unlike closed groups, DRAGONFORCE operates on an affiliate model, rapidly pivoting to newly disclosed Critical Infrastructure vulnerabilities.

  • Affiliation Model: RaaS (High affiliate throughput).
  • Ransom Demands: Typically $500k - $5M USD, dictated by victim revenue and insurance coverage.
  • Initial Access: Heavily reliant on exploitation of internet-facing appliances (VPNs, Firewalls, Mail Servers) and remote management tools (ScreenConnect). Minimal reliance on phishing compared to legacy gangs.
  • TTPs: Double extortion standard; exfiltration occurs via rclone or custom FTP scripts prior to encryption. Dwell time is short (24-72 hours from access to encryption).

Current Campaign Analysis

Based on the last 100 postings and the 15 victims published on 2026-05-27, DRAGONFORCE is executing a broad-spectrum campaign with specific leverage on service providers and logistics.

Targeted Sectors

The current batch shows a distinct pivot towards Transportation/Logistics (2 victims), Technology (3 victims), and Business Services (3 victims). However, the threat is cross-sector, with significant hits in Agriculture and Healthcare.

Geographic Concentration

United Kingdom (GB) is the primary epicenter in this wave (5 victims), followed by North America (US/CA) (5 victims). European targets (NL, DE, IT, NE) comprise the remaining volume.

Victim Profile

  • Revenue Range: $10M - $500M USD.
  • Analysis: The inclusion of President Container Group (Logistics) and Pieralisi (Agriculture) suggests DRAGONFORCE is targeting organizations with complex supply chains and low tolerance for downtime, maximizing ransom payment probability.

Exploited Vulnerabilities (The 'How')

This campaign is clearly fueled by the exploitation of CISA KEV-listed vulnerabilities:

  1. ConnectWise ScreenConnect (CVE-2024-1708): A primary vector for initial access in managed service environments (explaining the Business Services victim count).
  2. SmarterTools SmarterMail (CVE-2025-52691 / CVE-2026-23760): The high frequency of Technology and Service provider victims suggests email server exploitation for credential harvesting and initial access.
  3. Cisco Secure Firewall FMC (CVE-2026-20131): Critical for perimeter bypass.

Detection Engineering

SIGMA Rules

YAML
title: Potential ScreenConnect Path Traversal Exploit (CVE-2024-1708)
id: 6f3a1a2a-5d3b-4e3c-9a1f-1b2c3d4e5f6a
status: experimental
description: Detects potential path traversal attempts targeting ConnectWise ScreenConnect vulnerability CVE-2024-1708.
references:
    - https://www.cisa.gov/known-exploited-vulnerabilities-catalog
author: Security Arsenal
logsource:
    category: web
detection:
    selection:
        cs-uri-query|contains:
            - '..%2f'
            - '..\\'
            - 'SetupCache'
        c-uri|contains: '/Login.aspx'
    condition: selection
falsepositives:
    - Unknown
level: critical
---
title: SmarterMail Suspicious File Upload or Auth Bypass
id: 7a4b2b3b-6e4c-5f4d-0b2c-2c3d4e5f6a7b
status: experimental
description: Detects potential exploitation of SmarterMail vulnerabilities CVE-2025-52691 or CVE-2026-23760 via unusual file uploads or authentication methods.
references:
    - https://www.cisa.gov/known-exploited-vulnerabilities-catalog
author: Security Arsenal
logsource:
    category: web
detection:
    selection_uri:
        c-uri|contains:
            - '/Services/Mail.asmx'
            - '/Migrate/default.aspx'
    selection_methods:
        cs-method: POST
    selection_ext:
        cs-uri-query|contains:
            - '.aspx'
            - '.ashx'
    filter:
        cs-user-agent|contains: 'Mozilla'
    condition: selection_uri and selection_methods and selection_ext and not filter
falsepositives:
    - Legitimate administrative migrations
level: high
---
title: Potential Ransomware Lateral Movement via PsExec
id: 8c5c3c4c-7f5d-0g5e-1c3d-3d4e5f6a7b8c
status: experimental
description: Detects the use of PsExec for lateral movement, often used by ransomware gangs including DRAGONFORCE for propagation.
author: Security Arsenal
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\psexec.exe'
        - OriginalFileName: 'psexec.exe'
    selection_cli:
        CommandLine|contains:
            - '-accepteula'
            - '\\'
    condition: selection_img and selection_cli
falsepositives:
    - Administrative IT tasks
level: high

KQL (Microsoft Sentinel)

KQL — Microsoft Sentinel / Defender
// Hunt for lateral movement and data staging associated with DragonForce
// Looks for mass file copying or unusual SMB access followed by encryption processes
let ProcessCreationEvents = Materialize(
    DeviceProcessEvents 
    | where Timestamp > ago(7d)
);
ProcessCreationEvents
| where FileName in~ ("powershell.exe", "cmd.exe", "robocopy.exe", "rclone.exe", "vssadmin.exe")
| extend ProcessCommand = ProcessCommandLine 
| where ProcessCommand has "delete" 
    or ProcessCommand has "shadow" 
    or ProcessCommand has "copy" 
    or ProcessCommand has "smb" 
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommand, InitiatingProcessFileName
| join kind=leftanti (
    DeviceProcessEvents 
    | where FileName in~ ("msmpeng.exe", "sense.exe") // Common AV exclusions
) on DeviceName, Timestamp
| distinct Timestamp, DeviceName, AccountName, FileName, ProcessCommand
| order by Timestamp desc

PowerShell - Rapid Response Hardening

PowerShell
# DragonForce Rapid Response Audit
# Checks for exposed RDP, unusual scheduled tasks, and VSS manipulation

Write-Host "[+] DRAGONFORCE THREAT HUNT - $(Get-Date)" -ForegroundColor Cyan

# 1. Check for Scheduled Tasks created in last 7 days (Common Persistence)
Write-Host "\n[*] Checking for Scheduled Tasks created in last 7 days..." -ForegroundColor Yellow
$schTasks = Get-ScheduledTask | Where-Object {$_.Date -gt (Get-Date).AddDays(-7)}
if ($schTasks) {
    foreach ($task in $schTasks) {
        Write-Host "[!] SUSPICIOUS TASK FOUND: $($task.TaskName) (Created: $($task.Date))" -ForegroundColor Red
        Write-Host "    Action: $($task.Actions.Execute)" -ForegroundColor DarkGray
    }
} else {
    Write-Host "[-] No recent suspicious tasks found." -ForegroundColor Green
}

# 2. Check Volume Shadow Copy Service (VSS) Usage
Write-Host "\n[*] Checking for recent VSS manipulation events..." -ForegroundColor Yellow
$vssEvents = Get-WinEvent -FilterHashtable @{LogName='Application'; ProviderName='VSS'; StartTime=(Get-Date).AddHours(-24)} -ErrorAction SilentlyContinue
if ($vssEvents) {
    Write-Host "[!] WARNING: Recent VSS activity detected. Check for shadow copy deletions." -ForegroundColor Red
    $vssEvents | Select-Object TimeCreated, Message | Format-Table -Wrap
} else {
    Write-Host "[-] No critical VSS events in last 24 hours." -ForegroundColor Green
}

# 3. Audit Network Interfaces for RDP exposure
Write-Host "\n[*] Checking RDP Configuration..." -ForegroundColor Yellow
$rdpStatus = Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server" -Name "fDenyTSConnections" -ErrorAction SilentlyContinue
if ($rdpStatus.fDenyTSConnections -eq 0) {
    Write-Host "[!] WARNING: RDP is ENABLED. Ensure Firewall rules block external access." -ForegroundColor Red
} else {
    Write-Host "[-] RDP is Disabled." -ForegroundColor Green
}


---

Incident Response Priorities

T-minus Detection Checklist (Pre-Encryption)

  1. Web Shell Hunt: Search IIS/Apache logs for the specific paths associated with CVE-2024-1708 and SmarterMail (CVE-2025-52691).
  2. Process Anomalies: Look for powershell.exe spawned by w3wp.exe or svchost.exe (indicating web exploitation).
  3. Firewall Logs: Immediate audit of Cisco FMC logs for deserialization attempts or unauthorized administrative logins.

Critical Assets at Risk

Based on DRAGONFORCE's exfiltration patterns:

  • Active Directory: Credential dumping is immediate.
  • File Servers: High-value data (PFI, PHI, IP) is staged to C:\Windows\Temp or hidden partitions.
  • Backups: DRAGONFORCE specifically targets VSS snapshots and backup agents (Veeam/Commvault) to prevent recovery.

Containment Actions (Ordered by Urgency)

  1. Isolate: Disconnect management interfaces (ScreenConnect, Cisco FMC) from the internet immediately.
  2. Disable: Disable local administrator accounts and enforce MFA on the VPN.
  3. Power Down: If vssadmin.exe delete shadows is observed, power down hypervisors hosting file servers to halt in-memory encryption.

Hardening Recommendations

Immediate (24 Hours)

  • Patch Management: Immediately patch CVE-2024-1708 (ScreenConnect), CVE-2025-52691 / CVE-2026-23760 (SmarterMail), and CVE-2026-20131 (Cisco FMC).
  • Access Control: Enforce MFA on all remote access tools. Disable internet access to RDP (TCP 3389) and SMB (TCP 445).

Short-term (2 Weeks)

  • Network Segmentation: Segregate backup servers from the production network.
  • Zero Trust: Implement strict allow-listing for management interfaces (e.g., ScreenConnect should only be accessible from internal admin jump hosts, not the public internet).
  • CASB: Deploy CASB solutions to monitor and control shadow IT file transfers.

Related Resources

Security Arsenal Incident Response
Managed SOC & MDR Services
AlertMonitor Threat Detection
From The Dark Side Intel Hub

darkwebransomware-gangdragonforceransomwarescreenconnectcisco-fmcinitial-accessdouble-extortion

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action