Back to Intelligence

DRAGONFORCE Ransomware: Global Campaign Targets Manufacturing & Business Services — Detection & Mitigation Guide

SA
Security Arsenal Team
July 15, 2026
9 min read

DRAGONFORCE (also referred to as "DragonForce" in underground forums) is a RaaS (Ransomware-as-a-Service) operation that emerged in early 2024. The group operates an affiliate program where they provide the ransomware payload to independent attackers who handle the initial access and execution, with DRAGONFORCE managing payment negotiations and leak site operations.

Ransom Demands: The group typically demands between $400,000 and $2 million USD in cryptocurrency, scaled according to the victim organization's revenue and data value.

Initial Access Methods: DRAGONFORCE affiliates primarily gain access through:

  • Phishing campaigns with malicious macros
  • Exploitation of exposed VPN services and credentials
  • RDP brute force attacks on weakly protected systems
  • Supply chain compromises in partner organizations

Double Extortion Approach: DRAGONFORCE employs a sophisticated double extortion model. After initial access, they spend time exfiltrating sensitive data before encrypting systems, then threaten to release stolen data if the ransom isn't paid.

Average Dwell Time: Estimated at 7-14 days before detonation, during which they conduct reconnaissance, lateral movement, credential theft, and data staging.

Known TTPs:

  • Use of PsExec and WMI for lateral movement
  • Deployment of Cobalt Strike beacons for command and control
  • Leveraging Mimikatz for credential dumping
  • Utilization of Rclone for data exfiltration staging
  • Manipulation of Volume Shadow Copies to prevent recovery
  • Clearing Windows Event Logs post-encryption

Current Campaign Analysis

Sectors Being Targeted:

  • Business Services: 5 victims (33% of identified victims)
  • Manufacturing: 4 victims (27%)
  • Telecommunication: 2 victims (13%)
  • Technology: 1 victim (7%)
  • Energy: 1 victim (7%)
  • Not Found/Unknown: 2 victims (13%)

Geographic Concentration:

  • US: 5 victims (33%)
  • China: 2 victims (13%)
  • UK: 1 victim (7%)
  • Italy: 1 victim (7%)
  • Switzerland: 1 victim (7%)
  • India: 1 victim (7%)
  • UAE: 1 victim (7%)
  • Taiwan: 1 victim (7%)
  • South Africa: 1 victim (7%)
  • Mexico: 1 victim (7%)

Victim Profile: The current campaign primarily targets small to mid-sized enterprises (SMEs) with annual revenues between $10M-$500M. These organizations often lack comprehensive security monitoring and mature incident response capabilities.

Posting Frequency/Escalation Patterns: DRAGONFORCE has posted 15 victims within a 24-hour period (July 14-15, 2026), indicating an acceleration of their affiliate operations. This represents a 15% increase in their average posting frequency over the past month.

CVE Connection: No direct KEV (Known Exploited Vulnerability) matches were identified in this timeframe, suggesting the group is relying primarily on credential-based access and social engineering rather than vulnerability exploitation.

Detection Engineering

SIGMA Rules:

YAML
---
title: Potential DragonForce Ransomware Initial Access via VPN Exploitation
description: Detects suspicious VPN authentication patterns often associated with DragonForce ransomware initial access
author: Security Arsenal
status: experimental
date: 2026/07/15
references:
    - https://securityarsenal.com/threat-research/dragonforce
tags:
    - attack.initial_access
    - attack.t1078
    - attack.t1190
    - dragonforce
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4624|4625
        LogonType: 10|8|2
    filter:
        SubjectUserName|startswith: 'DWM-'
        SubjectUserName|endswith: 'AUDIT'
    timeframe: 2h
    condition: selection and not filter | count() > 20
falsepositives:
    - Legitimate remote workers with unstable connections
level: high
---
title: DragonForce Lateral Movement via PsExec
description: Detects execution of PsExec which is frequently used by DragonForce for lateral movement
author: Security Arsenal
status: experimental
date: 2026/07/15
references:
    - https://securityarsenal.com/threat-research/dragonforce
tags:
    - attack.lateral_movement
    - attack.t1021.002
    - attack.s0078
    - dragonforce
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\\PsExec.exe'
        CommandLine|contains:
            - '-accepteula'
            - '-s'
            - '-d'
    condition: selection
falsepositives:
    - System administration activities
    - Legitimate software deployment
level: high
---
title: DragonForce Data Staging via Rclone
description: Detects execution of rclone, a tool frequently used by DragonForce for data exfiltration staging
author: Security Arsenal
status: experimental
date: 2026/07/15
references:
    - https://securityarsenal.com/threat-research/dragonforce
tags:
    - attack.exfiltration
    - attack.t1041
    - attack.s1022
    - dragonforce
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\\rclone.exe'
        CommandLine|contains:
            - 'config'
            - 'copy'
            - 'sync'
    filter:
        CommandLine|contains:
            - 'update'
            - 'version'
    condition: selection and not filter
falsepositives:
    - Legitimate backup operations using rclone
level: high


Microsoft Sentinel KQL Query:
kql
// DragonForce Lateral Movement and Pre-Encryption Staging Hunt
let Timeframe = 7d;
let SuspiciousProcesses = datatable(ProcessName:string, Description:string) [
    "PsExec.exe", "Remote execution tool used by DragonForce for lateral movement",
    "rclone.exe", "Data transfer tool used for exfiltration staging",
    "mimikatz.exe", "Credential theft tool commonly used by DragonForce",
    "procdump.exe", "Process dump tool used for LSASS extraction",
    "rar.exe", "Archive tool used for data staging",
    "7z.exe", "Archive tool used for data staging"
];
let SuspiciousCommands = datatable(Command:string, Description:string) [
    "vssadmin", "Volume shadow manipulation",
    "wmic shadowcopy", "Volume shadow manipulation",
    "wbadmin", "Backup manipulation",
    "bcdedit", "Boot configuration manipulation",
    "wevtutil cl", "Event log clearing",
    "cipher /w", "Disk wiping preparation"
];
let ProcessCreationEvents =
    DeviceProcessEvents
    | where Timestamp > ago(Timeframe)
    | join kind=inner (SuspiciousProcesses) on ProcessName
    | project Timestamp, DeviceName, ProcessName, ProcessCommandLine, AccountName, InitiatingProcessFileName;
let CommandLineEvents =
    DeviceProcessEvents
    | where Timestamp > ago(Timeframe)
    | extend Command = tostring(ProcessCommandLine)
    | join kind=inner (SuspiciousCommands) on $left.Command contains $right.Command
    | project Timestamp, DeviceName, ProcessName, ProcessCommandLine, AccountName, InitiatingProcessFileName;
union ProcessCreationEvents, CommandLineEvents
| summarize Count=count(), FirstSeen=min(Timestamp), LastSeen=max(Timestamp) by DeviceName, ProcessName, AccountName
| where Count > 3
| order by Count desc, LastSeen desc


Rapid Response PowerShell Script:
powershell
# DragonForce Post-Compromise Assessment Script
# Run this script on potentially compromised systems to identify common DRAGONFORCE TTPs

Write-Host "[+] DragonForce Post-Compromise Assessment" -ForegroundColor Yellow
Write-Host "[+] Starting assessment at $(Get-Date)" -ForegroundColor Yellow

# Check for suspicious scheduled tasks added in the last 7 days
Write-Host "\n[*] Checking for recently added scheduled tasks (last 7 days)..." -ForegroundColor Cyan
$suspiciousTasks = Get-ScheduledTask | Where-Object {
    $_.Date -gt (Get-Date).AddDays(-7) -and 
    ($_.Actions.Execute -match 'powershell|cmd|rundll32' -or $_.Actions.Arguments -match '-enc|EncodedCommand')
}
if ($suspiciousTasks) {
    Write-Host "[!] Found $($suspiciousTasks.Count) suspicious scheduled tasks:" -ForegroundColor Red
    $suspiciousTasks | Format-List TaskName, Date, Actions, Author
} else {
    Write-Host "[-] No suspicious scheduled tasks found." -ForegroundColor Green
}

# Check for recently modified Volume Shadow Copies
Write-Host "\n[*] Checking for Volume Shadow Copy manipulation..." -ForegroundColor Cyan
$vssCheck = Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-ShadowCopy/Operational'; ID=14} -ErrorAction SilentlyContinue | Where-Object { $_.TimeCreated -gt (Get-Date).AddDays(-7) }
if ($vssCheck) {
    Write-Host "[!] Volume Shadow Copies recently modified/recommended for deletion:" -ForegroundColor Red
    $vssCheck | Select-Object TimeCreated, Message | Format-List
} else {
    Write-Host "[-] No recent Volume Shadow Copy manipulation detected." -ForegroundColor Green
}

# Check for RDP exposure
Write-Host "\n[*] Checking for RDP exposure..." -ForegroundColor Cyan
$rdpStatus = Get-Service -Name TermService -ErrorAction SilentlyContinue
if ($rdpStatus -and $rdpStatus.Status -eq 'Running') {
    Write-Host "[!] RDP service is running. Verify it is not exposed to the internet." -ForegroundColor Red
    $rdpListeners = Get-NetTCPConnection -State Listen -LocalPort 3389 -ErrorAction SilentlyContinue
    if ($rdpListeners) {
        Write-Host "[!] RDP is listening on:" -ForegroundColor Red
        $rdpListeners | Format-List LocalAddress, LocalPort, State, OwningProcess
    }
} else {
    Write-Host "[-] RDP service is not running." -ForegroundColor Green
}

# Check for common DRAGONFORCE artifacts in common directories
Write-Host "\n[*] Checking for DRAGONFORCE artifacts..." -ForegroundColor Cyan
$dragonforceArtifacts = @("dragonforce", "readme_dragonforce", "how_to_decrypt", "restore_files", "encrypted_files")
$commonPaths = @("C:\Users\Public\", "C:\Windows\Temp\", "C:\Temp\")
foreach ($path in $commonPaths) {
    if (Test-Path $path) {
        Get-ChildItem -Path $path -Recurse -ErrorAction SilentlyContinue | Where-Object {
            $dragonforceArtifacts | Where-Object { $_.Name -like "*$_*" }
        } | ForEach-Object {
            Write-Host "[!] Potential DragonForce artifact found: $($_.FullName)" -ForegroundColor Red
        }
    }
}

Write-Host "\n[+] Assessment completed at $(Get-Date)" -ForegroundColor Yellow

Incident Response Priorities

T-Minus Detection Checklist:

  • Monitor for unusual VPN login patterns (multiple failed attempts followed by success)
  • Hunt for PsExec, WMI, or RDP usage by unexpected accounts
  • Check for large volumes of data being transferred to external cloud storage
  • Monitor for processes associated with credential dumping (Mimikatz, Procdump)
  • Watch for mass file encryption indicators (file renames with unusual extensions)
  • Detect changes to backup configurations and VSS shadow copy manipulation

Critical Assets Historically Prioritized by DRAGONFORCE:

  • Financial databases and records
  • Customer PII and PHI data
  • Intellectual property and proprietary designs
  • Executive communications and emails
  • Supplier/partner contracts and relationships
  • Source code and product specifications

Containment Actions (Ordered by Urgency):

  1. Immediate (0-2 hours):

    • Isolate affected systems from the network
    • Suspend VPN access and issue forced password resets
    • Disable non-essential service accounts
    • Preserve volatile memory evidence
  2. Urgent (2-12 hours):

    • Identify and contain lateral movement pathways
    • Block command and control domains/IPs
    • Revoke standing access privileges for potentially compromised accounts
    • Implement network segmentation for critical systems
  3. Important (12-24 hours):

    • Conduct forensic analysis of initial access vector
    • Validate backup integrity before restoration
    • Review and harden remote access configurations
    • Notify potentially affected customers/partners

Hardening Recommendations

Immediate (24 hours):

  1. Enforce MFA on all remote access: Implement multi-factor authentication for VPN, RDP, and any remote service access. DRAGONFORCE frequently exploits credentials without MFA.

  2. Audit and lock down VPN access: Review VPN access logs for unusual patterns and restrict access to only necessary personnel.

  3. Update RDP configurations: Disable RDP where not essential, enforce Network Level Authentication (NLA), and ensure RDP is not exposed to the internet.

  4. Deploy additional monitoring: Enhance logging on critical systems to detect PsExec, WMI, and PowerShell usage by non-administrative accounts.

  5. Disable unnecessary services: Turn off unused services that could be abused for lateral movement (e.g., WMI, WinRM).

Short-term (2 weeks):

  1. Implement network segmentation: Separate critical business systems from general networks to limit potential lateral movement.

  2. Enhance email security: Deploy advanced email filtering and user education to reduce phishing success rates.

  3. Review and harden account permissions: Implement the principle of least privilege and remove excessive administrative rights.

  4. Enhance backup protection: Implement immutable backup solutions and regular backup integrity testing.

  5. Conduct user access reviews: Audit and revoke unnecessary access, especially for service accounts and third-party vendors.

  6. Implement privileged access management: Deploy a privileged access management solution to monitor and control administrative activities.

  7. Conduct red team exercises: Test detection capabilities against simulated DRAGONFORCE TTPs.

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub

darkwebransomware-gangdragonforceransomwaremanufacturingbusiness-servicestelecomransomware-as-a-service

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.