Back to Intelligence

DRAGONFORCE Ransomware: Global Surge in Business Services Attacks & Detection Engineering for Critical CVEs

SA
Security Arsenal Team
May 27, 2026
6 min read

Aliases & Model: DRAGONFORCE operates as a aggressive Ransomware-as-a-Service (RaaS) affiliate model. Unlike closed groups, their high volume of postings (29 in the last 100) suggests a loosely organized network of affiliates utilizing a centralized payload and leak site infrastructure.

TTPs & Extortion: The group strictly utilizes a double-extortion model. They exfiltrate sensitive data prior to encryption and leverage their ".onion" leak site to pressure victims. Ransom demands typically range from $500,000 to $5 million USD, calibrated based on victim revenue and data sensitivity.

Initial Access: Based on the recent victimology and exploited CVEs, DRAGONFORCE affiliates are heavily prioritizing internet-facing remote management and email communication gateways rather than phishing. Their dwell time is short, averaging 3–5 days between initial access and encryption, indicating automated tooling for propagation.

Current Campaign Analysis

Sector Targeting: The latest wave (2026-05-27) shows a distinct pivot toward Business Services (Law Firms, CPAs, Logistics), which comprised 37% of the posted victims. Healthcare (Ramos Rheumatology) and Manufacturing remain secondary high-value targets.

Geographic Spread: DRAGONFORCE is executing a broad western-centric campaign. The recent list targets the US (6 victims), Germany (3), UK, Netherlands, Australia, and Switzerland. This suggests a linguistic capability in English and German, or the use of automated supply chain attacks that bypass language barriers.

Victim Profile: Targets are mid-market organizations. Law firms (e.g., FWMK Law Offices) and logistics companies (e.g., QLS Logistics) are prime targets due to their time-sensitive operations and lower tolerance for downtime, increasing the likelihood of ransom payment.

CVE Linkage: The campaign is inextricably linked to the exploitation of specific remote access and management vulnerabilities:

  • CVE-2024-1708 (ConnectWise ScreenConnect): Highly likely the primary vector for the Business Services and Managed Service Providers (MSPs) victims.
  • CVE-2025-52691 / CVE-2026-23760 (SmarterTools SmarterMail): A likely vector for the manufacturing and professional services sectors relying on on-premise mail servers.
  • CVE-2026-20131 (Cisco Secure Firewall FMC): Indicates attempts to bypass perimeter defenses entirely in more mature environments.

Detection Engineering

SIGMA Rules (YAML)

YAML
---
title: Potential ConnectWise ScreenConnect Authentication Bypass (CVE-2024-1708)
id: 6a48f5e8-9c8f-4e9a-9d2b-1a5c6f3e8d9c
status: experimental
description: Detects potential exploitation of ConnectWise ScreenConnect authentication bypass and path traversal vulnerabilities leading to webshell creation.
references:
    - https://cisa.gov/known-exploited-vulnerabilities-catalog
author: Security Arsenal Research
date: 2026/05/27
tags:
    - attack.initial_access
    - attack.web_shell
    - cve.2024.1708
logsource:
    category: web
detection:
    selection:
        cs-uri-query|contains:
            - '/Setup/Upgrade.aspx'
            - '/Bin/ScreenConnect.Service.dll'
            - 'WebService.ashx'
        cs-method: 'POST'
    condition: selection
falsepositives:
    - Legitimate administrative upgrades
level: critical

---
title: SmarterMail Webshell Upload via File Upload Vulnerability (CVE-2025-52691)
id: b1f2c3d4-5678-90ab-cdef-1234567890ab
status: experimental
description: Detects the upload of suspicious file types to SmarterMail directories, indicative of webshell activity following the exploitation of the unrestricted upload vulnerability.
references:
    - https://cisa.gov/known-exploited-vulnerabilities-catalog
author: Security Arsenal Research
date: 2026/05/27
tags:
    - attack.initial_access
    - attack.persistence
    - cve.2025.52691
logsource:
    category: file_creation
detection:
    selection:
        TargetFilename|contains:
            - 'C:\\Program Files (x86)\\SmarterTools\\SmarterMail\\MRS\\'
            - '/var/lib/smartermail/'
        TargetFilename|endswith:
            - '.aspx'
            - '.ashx'
            - '.asmx'
    condition: selection
falsepositives:
    - Rare, legitimate administrative file maintenance
level: high

---
title: DRAGONFORCE Ransomware Pre-Encryption Activity
id: e3d4c5b6-a7b8-9c0d-1e2f-3a4b5c6d7e8f
status: experimental
description: Detects typical DRAGONFORCE pre-encryption behavior including Volume Shadow Copy deletion (via vssadmin) and mass file encryption patterns.
references:
    - Internal Threat Intelligence
author: Security Arsenal Research
date: 2026/05/27
tags:
    - attack.impact
    - attack.t1485
logsource:
    category: process_creation
detection:
    selection_vss:
        Image|endswith:
            - '\\vssadmin.exe'
            - '\\wmic.exe'
        CommandLine|contains:
            - 'delete shadows'
            - 'shadowcopy delete'
    selection_crypt:
        Image|endswith:
            - '\.exe'
        CommandLine|contains:
            - '-enc'
            - '-encrypt'
            - '--lock'
    condition: 1 of selection_
falsepositives:
    - Legitimate system administration (rare for vssadmin delete)
level: critical

KQL (Microsoft Sentinel)

KQL — Microsoft Sentinel / Defender
// Hunt for lateral movement and staging associated with DRAGONFORCE tooling
// Looks for suspicious admin tools spawned by web server processes or unusual parent-child relationships
let AdminTools = dynamic(["psexec.exe", "wmic.exe", "powershell.exe", "cmd.exe", "rclone.exe", "megacmd"]);
DeviceProcessEvents
| where Timestamp >= ago(7d)
| where FileName in~ (AdminTools)
| where InitiatingProcessFileName hasAny ("w3wp.exe", "java.exe", "svchost.exe", "smartermail.exe", "screenconnect.service.exe")
| extend FullFilePath = FolderPath + FileName
| project Timestamp, DeviceName, AccountName, InitiatingProcessFileName, FileName, ProcessCommandLine
| order by Timestamp desc

PowerShell Response Script

PowerShell
<#
.SYNOPSIS
    DRAGONFORCE Hardening & Investigation Script
.DESCRIPTION
    Checks for indicators of compromise related to CVE-2024-1708, SmarterMail, and common ransomware staging.
#>

Write-Host "[+] Checking for suspicious Scheduled Tasks (Last 7 Days)..." -ForegroundColor Cyan
Get-ScheduledTask | Where-Object {$_.Date -ge (Get-Date).AddDays(-7)} | Select-Object TaskName, TaskPath, Date, Author

Write-Host "[+] Checking for recent Volume Shadow Copy deletions (Event ID 5145 or VSS)..." -ForegroundColor Cyan
Get-WinEvent -FilterHashtable @{LogName='System'; ID=7036; StartTime=(Get-Date).AddHours(-24)} -ErrorAction SilentlyContinue | 
    Where-Object {$_.Message -like '*stopped*' -and $_.Message -like '*VSS*'} | Select-Object TimeCreated, Message

Write-Host "[+] Checking for ScreenConnect & SmarterMail Service Status..." -ForegroundColor Cyan
$services = @("ScreenConnect", "SmarterMail Service", "SmarterTools SmarterMail")
foreach ($svc in $services) {
    $status = Get-Service -Name $svc -ErrorAction SilentlyContinue
    if ($status) {
        Write-Host "Service: $($status.Name) - Status: $($status.Status) - StartType: $($status.StartType)"
    }
}

Write-Host "[+] Identifying open RDP ports (NetStat)..." -ForegroundColor Yellow
netstat -an | Select-String ":3389" | Measure-Object


---

Incident Response Priorities

T-Minus Detection Checklist:

  1. Web Shell Scanning: Immediate scan of IIS logs and web roots for *.aspx, *.ashx files created in the last 48 hours.
  2. Authentication Audits: Review Active Directory logs for successful logons from non-corporate IP ranges on service accounts (specifically accounts associated with Exchange or RDP).
  3. MFA Verification: Ensure all accounts with privileged access have MFA enforced; check logs for MFA bypass attempts.

Critical Exfil Assets: Based on the victim profile (Business Services/Healthcare), prioritize the search for exfiltration of:

  • Legal client databases and case files.
  • Patient Health Information (PHI) / EMR backups.
  • Financial records (Tax docs, Payroll).
  • Intellectual Property (Manufacturing schematics).

Containment Actions:

  1. Isolate Internet-Facing Servers: Immediately disconnect ScreenConnect, SmarterMail, and VPN appliances from the network if patching status is unknown.
  2. Reset Credentials: Force reset for all privileged accounts and any accounts used by the exposed services.
  3. Block Outbound C2: Block connections to known TOR nodes and anonymizing VPN exit IPs at the firewall.

Hardening Recommendations

Immediate (24 Hours):

  • Patch CVE-2024-1708: Apply the ConnectWise ScreenConnect security update immediately. If not possible, disable the web interface or enforce strict IP allow-listing.
  • Patch SmarterMail: Update SmarterMail to the latest patched version to address CVE-2025-52691 and CVE-2026-23760. Move the management interface behind a VPN.
  • Audit Cisco FMC: Review logs for exploitation attempts of CVE-2026-20131 and patch as per vendor advisory.

Short-Term (2 Weeks):

  • Zero Trust Network Access (ZTNA): Implement ZTNA for all remote management tools. Do not expose RDP or administrative web panels directly to the internet.
  • Network Segmentation: Ensure backup servers are on an isolated VLAN with strict egress filtering to prevent ransomware from encrypting backups.
  • EDR Coverage: Verify that all servers, particularly legacy Exchange and mail servers, have EDR agents installed and reporting.

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub

darkwebransomware-gangdragonforceransomwarebusiness-servicescve-2024-1708smartermailcisa-kev

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action