Profile Overview: DRAGONFORCE is a ransomware operation that has risen to prominence recently and runs on a RaaS (Ransomware-as-a-Service) model. The group exhibits a high operational tempo, leveraging readily available exploit kits to gain initial access rather than relying solely on phishing. It is aggressive in its double-extortion tactics, frequently exfiltrating sensitive corporate data before initiating encryption.
Key TTPs:
- Ransom Demands: Variable, typically ranging from $500k to $5M USD depending on victim revenue.
- Initial Access: Heavily relies on unpatched external-facing infrastructure, specifically remote monitoring tools (ConnectWise ScreenConnect) and email servers (Microsoft Exchange, SmarterTools SmarterMail).
- Dwell Time: Short to moderate. Observations suggest a dwell time of 3–7 days between initial compromise and encryption, indicating an automated or "speed-run" affiliate approach.
- Extortion: Operates a leak site hosted on Tor to pressure victims. Threatens to release employee PII, financial records, and client databases.
Current Campaign Analysis
Campaign Date: 2026-05-24 to 2026-05-26
Targeted Sectors: The campaign shows a distinct pivot towards Business Services (Accounting, Consulting, Adjustments), which comprised over 25% of the identified victims in the last 48 hours. Secondary targets include Agriculture, Manufacturing, and Construction.
Geographic Concentration: The United States is the primary target zone (60% of victims), followed by significant activity in Germany, the Netherlands, and the UK. This suggests a focus on English-speaking economies but a willingness to attack European entities.
Victim Profile:
The victim list (e.g., ggroupcpas.com, epbinsurance.com) suggests DRAGONFORCE is targeting SMBs to mid-market enterprises. These organizations often have sufficient revenue to pay ransoms but may lack mature 24/7 SOC monitoring to detect initial access vectors like VPN or remote tool exploitation.
Observed Posting Frequency: High volume. The group posted 10 victims on 2026-05-25 alone, indicating a successful automated exploitation chain, likely linked to the mass exploitation of CVE-2024-1708 (ScreenConnect).
CVE Connection: There is a high-confidence correlation between this surge and the exploitation of CVE-2024-1708 (ConnectWise ScreenConnect) and CVE-2025-52691 (SmarterMail). The timing aligns with the addition of these CVEs to the CISA KEV list in early 2026, suggesting affiliates are weaponizing these vulnerabilities immediately upon public disclosure.
Detection Engineering
SIGMA Rules
---
title: Potential ScreenConnect Auth Bypass and RCE Exploit (CVE-2024-1708)
id: 45d1c9e6-8f5a-4b1c-9e5a-3b4c5d6e7f8a
description: Detects potential exploitation of ConnectWise ScreenConnect authentication bypass and path traversal vulnerabilities leading to RCE.
author: Security Arsenal Research
date: 2026/05/26
status: experimental
references:
    - https://www.cisa.gov/known-exploited-vulnerabilities-catalog
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\ScreenConnect.ClientService.exe'
        Image|endswith:   # Image is the standard process_creation field for the child process (not NewProcessName)
            - '\powershell.exe'
            - '\cmd.exe'
            - '\pwsh.exe'
    filter_legit:
        CommandLine|contains: 'update'   # May trigger on legitimate updates, tune as needed
    condition: selection and not filter_legit
falsepositives:
    - Legitimate administrative use via ScreenConnect
level: critical
---
title: SmarterMail Unrestricted File Upload Exploit (CVE-2025-52691)
id: a1b2c3d4-5678-90ab-cdef-1234567890ab
description: Detects web shell-like activity or suspicious process execution stemming from SmarterMail web directory exploitation.
author: Security Arsenal Research
date: 2026/05/26
status: experimental
references:
    - https://www.cisa.gov/known-exploited-vulnerabilities-catalog
logsource:
    category: webserver
    product: iis
detection:
    selection_uri:
        cs-uri-query|contains:
            - '/MigrateFrom'
            - 'SortOrder='
            - '.aspx'   # Common web shell extension in this context
    selection_status:
        sc-status: 200
    condition: selection_uri and selection_status
falsepositives:
    - Legitimate mail server administration
level: high
title: DRAGONFORCE Ransomware Pre-Encryption Staging Activity
description: Detects common patterns observed prior to DRAGONFORCE encryption, including VSS shadow deletion and mass file renaming.
author: Security Arsenal Research
date: 2026/05/26
status: experimental
logsource:
category: process_creation
product: windows
detection:
selection_vss:
CommandLine|contains:
- 'vssadmin.exe Delete Shadows'
- 'wbadmin delete catalog'
selection_recon:
Image|endswith:
- '\ping.exe'
- '\systeminfo.exe'
context:
ParentImage|contains:
- '\cmd.exe'
- '\powershell.exe'
condition: 1 of selection* and context
falsepositives:
- Legitimate system administration (backup tasks)
level: critical
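The two process_creation rules above can be checked against sample telemetry before they are deployed to a SIEM. The following Python is an added example, not part of the original report or of any Sigma tooling: it re-implements the selection, filter and condition logic of the ScreenConnect rule and the pre-encryption staging rule with Sigma's case-insensitive `|endswith` / `|contains` semantics, and runs them over constructed Windows process-creation events (the install path, host names and command lines are made up for the example).

```python
# Added example (not part of the original report): evaluates the two process_creation
# Sigma rules above in plain Python over constructed Windows process-creation events,
# so the selection/filter/condition logic can be verified before the rules are deployed.
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    image: str          # Sigma field Image: full path of the created process
    parent_image: str   # Sigma field ParentImage
    command_line: str   # Sigma field CommandLine


def ends_with_any(value: str, suffixes) -> bool:
    """Sigma '|endswith' list semantics: case-insensitive, OR across the listed values."""
    v = value.lower()
    return any(v.endswith(s.lower()) for s in suffixes)


def contains_any(value: str, needles) -> bool:
    """Sigma '|contains' list semantics: case-insensitive, OR across the listed values."""
    v = value.lower()
    return any(n.lower() in v for n in needles)


SHELLS = [r"\powershell.exe", r"\cmd.exe", r"\pwsh.exe"]


def screenconnect_shell_rule(ev: ProcessEvent) -> bool:
    """Rule 1: a shell spawned by the ScreenConnect client service,
    unless the command line looks like an update (filter_legit)."""
    selection = (ends_with_any(ev.parent_image, [r"\ScreenConnect.ClientService.exe"])
                 and ends_with_any(ev.image, SHELLS))
    filter_legit = contains_any(ev.command_line, ["update"])
    return selection and not filter_legit


def staging_rule(ev: ProcessEvent) -> bool:
    """Rule 3: '1 of selection* and context' ->
    (VSS/catalog deletion OR recon binary) AND a cmd/powershell parent."""
    selection_vss = contains_any(ev.command_line,
                                 ["vssadmin.exe Delete Shadows", "wbadmin delete catalog"])
    selection_recon = ends_with_any(ev.image, [r"\ping.exe", r"\systeminfo.exe"])
    context = contains_any(ev.parent_image, [r"\cmd.exe", r"\powershell.exe"])
    return (selection_vss or selection_recon) and context


RULES = {
    "screenconnect_shell": screenconnect_shell_rule,
    "pre_encryption_staging": staging_rule,
}


def evaluate(events):
    """Return (event_index, rule_name) for every rule each event triggers."""
    return [(i, name) for i, ev in enumerate(events)
            for name, rule in RULES.items() if rule(ev)]


# Constructed sample telemetry (not real incident data; paths are illustrative)
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\cmd.exe",
                 r"C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe",
                 "cmd.exe /c hostname"),                               # rule 1 fires
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe",
                 r"powershell.exe -File C:\Temp\ClientUpdate.ps1"),   # suppressed by filter_legit
    ProcessEvent(r"C:\Windows\System32\vssadmin.exe",
                 r"C:\Windows\System32\cmd.exe",
                 "vssadmin.exe Delete Shadows /All /Quiet"),            # rule 3 fires
    ProcessEvent(r"C:\Windows\System32\vssadmin.exe",
                 r"C:\Windows\System32\svchost.exe",
                 "vssadmin.exe Delete Shadows /For=C: /Oldest"),        # no cmd/powershell parent: no alert
    ProcessEvent(r"C:\Windows\System32\ping.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "ping.exe -n 1 10.0.0.5"),                            # rule 3 fires (recon + context)
    ProcessEvent(r"C:\Windows\System32\notepad.exe",
                 r"C:\Windows\explorer.exe",
                 "notepad.exe"),                                       # benign
]

if __name__ == "__main__":
    for idx, rule_name in evaluate(SAMPLE_EVENTS):
        print(f"event {idx}: {rule_name} -> {SAMPLE_EVENTS[idx].command_line}")
```

Event 3 is the case the rule's `context` selection exists for: the same `vssadmin Delete Shadows` command line under a service parent is left alone, which is what keeps scheduled backup maintenance out of the alert queue.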
KQL (Microsoft Sentinel)
// Hunt for post-exploitation staging often associated with DRAGONFORCE affiliates:
// remote-execution tooling (PsExec/WMIC/PowerShell) on a device that also shows
// files with ransomware-style extensions inside the same time window
let TimeFrame = 1h;
let SuspiciousProcesses = dynamic(["psexec.exe", "psexec64.exe", "wmic.exe", "powershell.exe"]);
let FileExtensions = dynamic([".locked", ".dragon", ".enc", ".crypt"]);
DeviceProcessEvents
| where Timestamp > ago(TimeFrame)
| where FileName in~ (SuspiciousProcesses)   // DeviceProcessEvents exposes the image name as FileName, not ProcessName
| project DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName, Timestamp
| join kind=inner (
    DeviceFileEvents
    | where Timestamp > ago(TimeFrame)
    | where FileName has_any (FileExtensions) or ActionType == "FileEncrypted"
) on DeviceName
| summarize count() by DeviceName, bin(Timestamp, 5m)
| where count_ > 5
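The query above is an inner join followed by a threshold, and the join changes what `count_` means: every matching process row is paired with every matching file row on the same device, so the count is a product, not a sum. The following Python is an added example (not part of the original report, and not Sentinel code) that reproduces the join on DeviceName, the 5-minute bin on the process-side Timestamp and the `count_ > 5` threshold over constructed DeviceProcessEvents / DeviceFileEvents rows, so the multiplicative effect can be seen on sample data before tuning the threshold.

```python
# Added example (not part of the original report): Python re-implementation of the
# Sentinel hunt above, run over constructed DeviceProcessEvents / DeviceFileEvents rows.
from collections import defaultdict
from datetime import datetime, timedelta

SUSPICIOUS_PROCESSES = {"psexec.exe", "psexec64.exe", "wmic.exe", "powershell.exe"}
FILE_EXTENSIONS = (".locked", ".dragon", ".enc", ".crypt")


def bin_5m(ts: datetime) -> datetime:
    """KQL bin(Timestamp, 5m): floor the timestamp to the 5-minute boundary."""
    return ts.replace(minute=ts.minute - ts.minute % 5, second=0, microsecond=0)


def file_event_matches(fe: dict) -> bool:
    """Right-side filter: ransomware-style extension or the FileEncrypted action."""
    return (fe["FileName"].lower().endswith(FILE_EXTENSIONS)
            or fe.get("ActionType") == "FileEncrypted")


def correlate(process_events, file_events, now, time_frame=timedelta(hours=1), threshold=5):
    """Return {(DeviceName, bin): count_} for device/bin pairs above the threshold."""
    window_start = now - time_frame
    # Right side of the join: matching file events grouped by device
    files_by_device = defaultdict(list)
    for fe in file_events:
        if fe["Timestamp"] > window_start and file_event_matches(fe):
            files_by_device[fe["DeviceName"]].append(fe)
    counts = defaultdict(int)
    for pe in process_events:
        if pe["Timestamp"] <= window_start or pe["FileName"].lower() not in SUSPICIOUS_PROCESSES:
            continue
        # kind=inner: each process row pairs with every matching file row on the
        # same device, so one process row contributes len(matches) to count_
        matches = files_by_device.get(pe["DeviceName"], [])
        if matches:
            counts[(pe["DeviceName"], bin_5m(pe["Timestamp"]))] += len(matches)
    return {key: n for key, n in counts.items() if n > threshold}


# Constructed sample rows (not real telemetry); NOW stands in for the query run time
NOW = datetime(2026, 5, 25, 10, 30)
SAMPLE_PROCESS_EVENTS = [
    {"DeviceName": "WS01", "FileName": "PsExec.exe",      "Timestamp": datetime(2026, 5, 25, 10, 1)},
    {"DeviceName": "WS01", "FileName": "powershell.exe",  "Timestamp": datetime(2026, 5, 25, 10, 3)},
    {"DeviceName": "WS02", "FileName": "wmic.exe",        "Timestamp": datetime(2026, 5, 25, 10, 12)},
    {"DeviceName": "WS03", "FileName": "psexec64.exe",    "Timestamp": datetime(2026, 5, 25, 10, 15)},
    {"DeviceName": "WS01", "FileName": "PsExec.exe",      "Timestamp": datetime(2026, 5, 25, 8, 0)},  # outside 1h window
]
SAMPLE_FILE_EVENTS = [
    {"DeviceName": "WS01", "FileName": f"report{i}.docx.locked", "ActionType": "FileRenamed",
     "Timestamp": datetime(2026, 5, 25, 10, 2 + i)} for i in range(4)
] + [
    {"DeviceName": "WS02", "FileName": "budget.xlsx.locked", "ActionType": "FileRenamed",
     "Timestamp": datetime(2026, 5, 25, 10, 13)},
    {"DeviceName": "WS02", "FileName": "plan.pptx.locked",   "ActionType": "FileRenamed",
     "Timestamp": datetime(2026, 5, 25, 10, 14)},
    {"DeviceName": "WS03", "FileName": "notes.docx",         "ActionType": "FileModified",
     "Timestamp": datetime(2026, 5, 25, 10, 16)},
]

if __name__ == "__main__":
    for (device, window), n in correlate(SAMPLE_PROCESS_EVENTS, SAMPLE_FILE_EVENTS, NOW).items():
        print(f"{device} {window:%H:%M}: count_={n}")
```

With these rows WS01 crosses the threshold with two tool executions and four renamed files (2 x 4 = 8), WS02 stays under it (1 x 2 = 2) and WS03 never appears because the inner join drops devices without a matching file event. That is the behaviour to keep in mind when tuning `count_ > 5`.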
PowerShell Response Script
# DRAGONFORCE Rapid Response Audit
# Checks for recent Scheduled Tasks (common persistence), VSS manipulation and recent RDP logons
Write-Host "[!] DRAGONFORCE Response Audit - $(Get-Date)" -ForegroundColor Cyan
$cutoff = (Get-Date).AddHours(-24)

# 1. Check for Scheduled Tasks registered in the last 24 hours (typical dwell time)
#    The Date property is the registration timestamp string from the task XML, so cast it before comparing
Write-Host "`n[*] Checking for Scheduled Tasks created in the last 24 hours..." -ForegroundColor Yellow
$schTasks = Get-ScheduledTask | Where-Object { ($_.Date -as [datetime]) -gt $cutoff }
if ($schTasks) {
    foreach ($task in $schTasks) {
        Write-Host "[!] Suspicious Task Found: $($task.TaskPath)$($task.TaskName)" -ForegroundColor Red
        Write-Host "    Action: $($task.Actions.Execute) $($task.Actions.Arguments)" -ForegroundColor DarkGray
    }
} else {
    Write-Host "[+] No recent suspicious tasks found." -ForegroundColor Green
}

# 2. Audit VSS Shadow Copy storage (ransomware often deletes these); run from an elevated shell
Write-Host "`n[*] Checking Volume Shadow Copy Status..." -ForegroundColor Yellow
try {
    $vss = vssadmin list shadows 2>&1
    if ($vss -match "No shadows found") {
        Write-Host "[!] WARNING: No Volume Shadow Copies found. Possible deletion." -ForegroundColor Red
    } else {
        Write-Host "[+] Shadow copies present." -ForegroundColor Green
    }
} catch {
    Write-Host "[-] Error checking VSS: $($_.Exception.Message)" -ForegroundColor Gray
}

# 3. Check for recent RDP logons (Event 4624, LogonType 10) as a persistence indicator
#    In the 4624 EventData layout Properties[5] is TargetUserName and Properties[18] is IpAddress
Write-Host "`n[*] Checking for recent RDP connections (Type 10)..." -ForegroundColor Yellow
$rdpEvents = Get-WinEvent -LogName Security -FilterXPath "*[System[(EventID=4624)]] and *[EventData[Data[@Name='LogonType']='10']]" -ErrorAction SilentlyContinue |
    Where-Object { $_.TimeCreated -gt $cutoff }
if ($rdpEvents) {
    Write-Host "[!] Recent RDP Logons detected:" -ForegroundColor Yellow
    $rdpEvents | Select-Object TimeCreated, @{N='User';E={$_.Properties[5].Value}}, @{N='IP';E={$_.Properties[18].Value}} | Format-Table -AutoSize
} else {
    Write-Host "[+] No RDP logons in the last 24 hours." -ForegroundColor Green
}
Incident Response Priorities
T-Minus Detection Checklist (Look NOW):
- ScreenConnect Logs: Review ScreenConnect.Web.config and IIS logs for the period 2026-05-24 to present. Look for URI anomalies or successful logins from unfamiliar IPs.
- SmarterMail/Exchange: Audit mail service logs for web shell uploads (.aspx, .ashx) in the App_Data or temporary directories.
- Process Anomalies: Hunt for cmd.exe or powershell.exe spawning directly from w3wp.exe (IIS) or the ScreenConnect service binary.
Critical Assets at Risk:
- HR Databases (SSNs, Tax forms)
- Financial Systems (Bank account details, Audit files)
- Client Lists and Intellectual Property
Containment Actions (Order by Urgency):
- Isolate: Immediately disconnect infected hosts from the network; do not shut down (preserve memory) if volatile data capture is possible.
- Credential Reset: Force reset of all domain admin credentials and service accounts used on the compromised jump boxes.
- Block Firewall Rules: Block outbound traffic to known DRAGONFORCE C2 infrastructure (if known) and general Tor nodes if policy permits.
Hardening Recommendations
Immediate (24 Hours):
- Patch CVE-2024-1708: Apply the ConnectWise ScreenConnect security update immediately to all instances.
- Patch Email Servers: Update SmarterMail and Microsoft Exchange to the latest stable versions to mitigate CVE-2025-52691 and CVE-2023-21529.
- MFA Enforcement: Enforce phishing-resistant MFA on all remote access gateways (VPN, ScreenConnect, RDP).
Short-Term (2 Weeks):
- Network Segmentation: Move critical backup servers and email infrastructure to an isolated management VLAN.
- Egress Filtering: Implement strict egress filtering to prevent C2 beaconing and large-scale data exfiltration.
Related Resources