Full Report
## What Happened

Throughout May 2026, affiliates of the DragonForce ransomware-as-a-service (RaaS) platform claimed seven UK-based companies as victims by posting them on the group's Tor data leak site. On 27 May 2026 alone, DragonForce ended the month by posting 22 victims from around the world, four of which were UK-based firms.

DragonForce's UK-based victims from May spanned a diverse range of industries:

- Professional Services & Talent: Practicus (interim management/executive search)
- Financial & Tax Services: WSM (UK tax advisory)
- Infrastructure & Logistics: ERH (traffic management solutions) and Refreshment Systems (vending/logistics)
- Heavy Industry/Construction: Arsenal Scaffold
- Technology & IT: Helix International (managed enterprise software)
- Luxury Retail/Finance: Cult Wines

## Analyst Comment

Active since late 2023, DragonForce remains a persistent cybercriminal threat, particularly to the UK. The recent flurry of disclosures on the DragonForce Tor data leak site in May points to a highly active and accelerating campaign against UK organisations. The diverse range of victim firms indicates that DragonForce affiliates are largely opportunistic rather than targeted: they exploit vulnerabilities or compromised credentials wherever they find them, rather than running a tailored campaign against a single industry or target.

While these companies may not all be household names, some of them will be important suppliers and service providers for their local regions. Helix International is a particular concern because it is a managed service provider (MSP) serving medium, large, and Fortune 500 companies across industries including healthcare, finance, retail, and entertainment.

The Ransomware Vulnerability Matrix Group Profile for DragonForce shows that affiliates are highly adept at targeting edge devices and remote access points, such as Ivanti Connect Secure, Fortinet FortiOS, and SonicWall SSL-VPN. A recurring theme across DragonForce's Ransomware Tool Matrix Group Profile is their regular abuse of Bring Your Own Vulnerable Driver (BYOVD) tactics to bypass Endpoint Detection and Response (EDR) and antivirus software.

In June 2025, DragonForce made the news when affiliates attributed to Scattered Spider used it to attack the UK retailers M&S, Co-op, and Harrods in a string of high-profile incidents. More recently, DragonForce has reportedly been actively recruiting on English-speaking cybercrime forums.

## Defensive Takeaways

- Attack Surface Monitoring: Based on DragonForce's reported tactics, organisations must review their RDP (port 3389) exposures as well as any unpatched SSL-VPNs. Eliminate these exposures and apply updates as soon as possible; any period during which a system is exposed or left unpatched is an open window for the adversary to get inside.
- Rotate your credentials & implement MFA: It may sound simple, but many of these DragonForce incidents have started with brute forcing of RDP and SSL-VPN accounts. The importance of strong credentials, a secure password manager, and multi-factor authentication (MFA) enabled on every remote access account cannot be overstated.
- Back Your Data Up: To increase your odds of recovering from a ransomware attack, it is essential to maintain backups of your business-critical data. However, as DragonForce affiliates are known to target backup solutions such as Veeam servers, it is increasingly important to maintain regularly updated offline backups to restore from.

## Relevant Sources

- https://www.ransomware.live/group/dragonforce
- https://www.ransomware.live/map/GB
- https://x.com/falconfeedsio/status/2060220753400967490

## Relevant CTI Resources

- https://github.com/BushidoUK/Ransomware-Tool-Matrix/blob/main/GroupProfiles/DragonForce.md
- https://github.com/BushidoUK/Ransomware-Vulnerability-Matrix/blob/main/GroupProfiles/DragonForce.md
- https://github.com/BushidoUK/Ransomware-Tool-Matrix/blob/main/CommunityReports/CR-021-DRAGONFORCE-APR-2025.md
- https://github.com/BushidoUK/Ransomware-Tool-Matrix/blob/main/CommunityReports/CR-022-DRAGONFORCE-FEB-2026.md
- https://github.com/BushidoUK/Ransomware-Tool-Matrix/blob/main/CommunityReports/CR-023-DRAGONFORCE-AUG-2024.md
Analysis Summary
# Incident Report: Sustained DragonForce Ransomware Campaign (May 2026)
## Executive Summary
In May 2026, the DragonForce ransomware-as-a-service (RaaS) group executed an accelerating campaign targeting seven UK-based organizations across various sectors, including professional services, finance, and critical infrastructure. The group utilizes opportunistic tactics, specifically exploiting unpatched edge devices and compromised credentials to exfiltrate data and deploy ransomware. The campaign is notable for its high volume of victims and the targeting of Managed Service Providers (MSPs) to maximize downstream impact.
## Incident Details
- **Discovery Date:** May 27, 2026 (Major data leak site update)
- **Incident Date:** Throughout May 2026
- **Affected Organizations:** Practicus (Professional Services), WSM (Finance), ERH and Refreshment Systems (Logistics), Arsenal Scaffold (Heavy Industry), Helix International (IT/MSP), and Cult Wines (Retail).
- **Sector:** Multi-sector (Professional Services, Finance, Logistics, Construction, IT, Luxury Retail).
- **Geography:** United Kingdom (Primary focus), Global (22 victims worldwide).
## Timeline of Events
### Initial Access
- **Date/Time:** May 2026 (Ongoing)
- **Vector:** Exploitation of edge devices and remote access points.
- **Details:** Affiliates leveraged unpatched vulnerabilities in Ivanti Connect Secure, Fortinet FortiOS, and SonicWall SSL-VPNs, alongside brute-forcing RDP (Port 3389).
### Lateral Movement
- DragonForce affiliates commonly move laterally across the network after gaining initial access via compromised credentials or vulnerable VPN gateways.
### Data Exfiltration/Impact
- **Details:** Business-critical data was exfiltrated for double-extortion purposes. Throughout May, seven UK firms were posted to the DragonForce Tor data leak site. On May 27, 2026, a single dump included four UK firms and 18 other global victims.
### Detection & Response
- **Discovery:** Public disclosure via the DragonForce Tor data leak site.
- **Response Actions:** Analysts identified the recruitment of English-speaking affiliates on cybercrime forums and a historical link to "Scattered Spider" affiliates.
## Attack Methodology
- **Initial Access:** Brute-force attacks on RDP/VPN and exploitation of N-day vulnerabilities in edge gateways (Ivanti, Fortinet, SonicWall).
- **Persistence:** Not explicitly detailed, but typically involves maintaining access via compromised VPN accounts.
- **Defense Evasion:** Significant use of **Bring Your Own Vulnerable Driver (BYOVD)** tactics to disable or bypass EDR and Antivirus software.
- **Impact:** Data encryption and double-extortion through public "shaming" on Tor leak sites. Targeting of Veeam backup servers to prevent recovery.
## Impact Assessment
- **Financial:** Potential for significant ransom demands and business interruption costs.
- **Data Breach:** Exfiltration of sensitive corporate, financial, and client data.
- **Operational:** Disruption to logistics and traffic management (ERH); potential downstream risk to Fortune 500 companies via Helix International (MSP).
- **Reputational:** High-profile public listing on a Tor data leak site.
## Indicators of Compromise
- **Network Indicators:**
  - Traffic associated with Port 3389 (RDP) from unauthorized IPs.
  - Exploitation attempts on hxxps[:]//[VPN_Gateway]/path/to/vulnerability.
- **Behavioral Indicators:**
  - Unauthorized attempts to load known vulnerable drivers (BYOVD).
  - Targeted activity against Veeam backup infrastructure.
  - Large-scale data egress to Tor-linked infrastructure.
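The two behavioural indicators that the Defensive Takeaways and the indicator list above both turn on, RDP brute forcing and BYOVD driver loads, can be reduced to simple detection logic over host telemetry. The block below is an added example written for this report; it is not code from the report, from DragonForce tooling, or from the BushidoUK matrices. It assumes a simplified event dictionary whose fields mirror the Windows Security log (event 4625/4624, logon type 10 for RDP) and Sysmon event 6 (driver loaded); the sample events, the source IPs (RFC 5737 test ranges), the driver paths and the blocklist hash are all constructed placeholders, and the threshold and window values are assumptions to be tuned per environment.

```python
"""Detections for RDP brute forcing and suspicious driver loads, run over
constructed sample telemetry. Field names are a simplified version of the
Windows Security / Sysmon schema, not the exact XML the logs produce."""
from collections import defaultdict
from datetime import datetime, timedelta

# Placeholder blocklist entry (not a real hash). In production, populate this
# from the Microsoft recommended driver block rules or the LOLDrivers project.
VULNERABLE_DRIVER_SHA256 = {"PLACEHOLDER_SHA256_OF_KNOWN_VULNERABLE_DRIVER"}
TRUSTED_DRIVER_DIR = "c:\\windows\\system32\\drivers\\"

# --- constructed sample events (invented values, labelled as such) ---------
_base = datetime(2026, 5, 27, 2, 10, 0)
SAMPLE_EVENTS = []
# twelve failed RDP logons from one source within ~2 minutes: brute force
for i in range(12):
    SAMPLE_EVENTS.append({"time": _base + timedelta(seconds=12 * i), "event_id": 4625,
                          "logon_type": 10, "src_ip": "203.0.113.45", "user": f"admin{i}"})
# three failures from another source spread over an hour: a user mistyping
for i in range(3):
    SAMPLE_EVENTS.append({"time": _base + timedelta(minutes=20 * i), "event_id": 4625,
                          "logon_type": 10, "src_ip": "198.51.100.7", "user": "jsmith"})
# a successful RDP logon from the brute-forcing source: credential likely guessed
SAMPLE_EVENTS.append({"time": _base + timedelta(minutes=3), "event_id": 4624,
                      "logon_type": 10, "src_ip": "203.0.113.45", "user": "admin3"})
# driver loads: one legitimate, one blocklisted and loaded from a temp directory
SAMPLE_EVENTS.append({"time": _base, "event_id": 6, "signed": True,
                      "image": "C:\\Windows\\System32\\drivers\\tcpip.sys",
                      "sha256": "PLACEHOLDER_SHA256_BENIGN"})
SAMPLE_EVENTS.append({"time": _base + timedelta(minutes=4), "event_id": 6, "signed": True,
                      "image": "C:\\Windows\\Temp\\drv.sys",
                      "sha256": "PLACEHOLDER_SHA256_OF_KNOWN_VULNERABLE_DRIVER"})


def detect_rdp_bruteforce(events, threshold=10, window=timedelta(minutes=5)):
    """Return {src_ip: total_failures} for sources with >= threshold failed
    RDP logons (4625, logon type 10) inside any sliding window."""
    failures = defaultdict(list)
    for e in events:
        if e["event_id"] == 4625 and e["logon_type"] == 10:
            failures[e["src_ip"]].append(e["time"])
    hits = {}
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:      # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                hits[ip] = len(times)
                break
    return hits


def detect_success_after_bruteforce(events, hits):
    """Sources already flagged for brute forcing that then logged on
    successfully over RDP (4624, type 10): treat as a compromised account."""
    return sorted({e["src_ip"] for e in events
                   if e["event_id"] == 4624 and e["logon_type"] == 10
                   and e["src_ip"] in hits})


def detect_suspicious_driver_loads(events, blocklist=VULNERABLE_DRIVER_SHA256):
    """Flag Sysmon event 6 driver loads that are blocklisted, unsigned, or
    loaded from outside the trusted driver directory (BYOVD staging)."""
    findings = []
    for e in events:
        if e["event_id"] != 6:
            continue
        reasons = []
        if e["sha256"] in blocklist:
            reasons.append("hash on vulnerable-driver blocklist")
        if not e["image"].lower().startswith(TRUSTED_DRIVER_DIR):
            reasons.append("loaded from outside System32\\drivers")
        if not e["signed"]:
            reasons.append("unsigned")
        if reasons:
            findings.append((e["image"], reasons))
    return findings


if __name__ == "__main__":
    hits = detect_rdp_bruteforce(SAMPLE_EVENTS)
    print("RDP brute-force sources:", hits)
    print("Successful logon after brute force:", detect_success_after_bruteforce(SAMPLE_EVENTS, hits))
    for image, reasons in detect_suspicious_driver_loads(SAMPLE_EVENTS):
        print("Suspicious driver load:", image, "->", ", ".join(reasons))
```

The sliding window matters: a fixed per-hour count would also catch the user who mistyped a password three times over an hour if the threshold were low, whereas ten failures inside five minutes from one address is a much cleaner brute-force signal. The success-after-failure check is the higher-value alert, because it is the point at which an exposed RDP port has turned into a compromised credential. The driver check deliberately fires on path and signature as well as on the hash, since a blocklist only covers drivers someone has already catalogued.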
## Response Actions
- **Containment:** Organizations are advised to close exposed RDP ports and rotate all administrative credentials.
- **Eradication:** Patching of all edge devices (Ivanti, Fortinet, SonicWall).
- **Recovery:** Restoration of services from verified **offline** backups that were not accessible to the ransomware.
## Lessons Learned
- **Opportunistic Targeting:** DragonForce does not target specific industries; they exploit any organization with weak perimeter security.
- **MSP Risk:** The compromise of an MSP (Helix International) demonstrates that DragonForce is pursuing targets that provide access to multiple secondary victims.
- **Backup Vulnerability:** Attackers are actively hunting for backup solutions like Veeam to ensure the victim has no choice but to pay.
## Recommendations
- **Perimeter Hardening:** Immediately audit and patch all SSL-VPN and edge devices. Close RDP (Port 3389) to the public internet.
- **Identity Security:** Implement Multi-Factor Authentication (MFA) on all remote access points and enforce strong password policies.
- **Backup Integrity:** Maintain "Air-Gapped" or offline backups that are physically or logically isolated from the main network to prevent encryption by ransomware affiliates.
- **EDR Protection:** Configure Endpoint Detection and Response (EDR) tools to block the loading of unauthorized or known vulnerable drivers.