
What Happened
- Throughout May 2026, affiliates of the DragonForce ransomware-as-a-service (RaaS) platform claimed seven UK-based companies as victims by posting them on the group's Tor data leak site.
- On 27 May 2026 alone, DragonForce ended the month by posting 22 victims from around the world, four of which were UK-based firms.
DragonForce’s UK-based victims from May spanned a diverse range of industries:
- Professional Services & Talent: Practicus (interim management/executive search)
- Financial & Tax Services: WSM (UK tax advisory)
- Infrastructure & Logistics: ERH (traffic management solutions) and Refreshment Systems (vending/logistics)
- Heavy Industry/Construction: Arsenal Scaffold
- Technology & IT: Helix International (managed enterprise software)
- Luxury Retail/Finance: Cult Wines
Analyst Comment
Active since late 2023, DragonForce remains a persistent cybercriminal threat, particularly towards the UK. The recent flurry of disclosures on the DragonForce ransomware Tor data leak site in May highlights a highly active and accelerating threat campaign towards the UK. This diverse range of firms indicates that DragonForce affiliates are largely opportunistic rather than selective about their targets. They tend to exploit vulnerabilities or compromised credentials wherever they find them, rather than executing a highly tailored campaign against a single industry or target.
While these companies may not all be household names, some of them will be important suppliers and service providers for their local regions. Helix International in particular is a concern because it is a managed service provider (MSP) that caters to medium, large, and Fortune 500 companies across various industries, including healthcare, finance, retail, and entertainment.
The Ransomware Vulnerability Matrix Group Profile for DragonForce shows that affiliates are highly adept at targeting edge devices and remote access points, such as Ivanti Connect Secure, Fortinet FortiOS, and SonicWall SSL-VPN. A recurring theme across DragonForce's Ransomware Tool Matrix Group Profile is the regular abuse of Bring Your Own Vulnerable Driver (BYOVD) tactics to bypass Endpoint Detection and Response (EDR) and antivirus software.
In June 2025, DragonForce made the news as it was used by affiliates, attributed to Scattered Spider, to attack the UK retailers M&S, Co-op, and Harrods in a string of high-profile attacks. More recently, DragonForce has reportedly been actively recruiting on English-speaking cybercrime forums.
Defensive Takeaways
- Attack Surface Monitoring: Based on DragonForce’s reported tactics, organisations must review their RDP (port 3389) exposures as well as any unpatched SSL-VPNs. Prevent these exposures and apply updates as soon as possible. Any exposure, however brief, or any period in which systems are left unpatched gives the adversary an open window to get inside.
- Rotate your credentials & implement MFA: It may sound simple, but many of these DragonForce incidents have resulted from brute forcing of RDP and SSL-VPN accounts. The importance of strong credentials, secure password managers, and enabling multi-factor authentication (MFA) therefore cannot be overstated.
- Back Your Data Up: To increase your odds of recovering from a ransomware attack, it’s essential to maintain backups of your business-critical data. However, as DragonForce affiliates are known to target backup solutions like Veeam servers, it’s increasingly important to maintain regularly updated offline backups to restore from.
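The RDP and SSL-VPN brute-forcing takeaway above can be backed by a detection that flags a source reaching a failure threshold and then escalates if that same source later logs in successfully. This is an added example, not code from the original post; the normalised CSV layout, the threshold, the window, and the function name `find_bruteforce` are assumptions, and the sample events are constructed.

```python
import csv
from collections import defaultdict, deque
from datetime import datetime, timedelta
from io import StringIO

# Constructed sample of normalised auth events: timestamp, service, source IP,
# user, result. The layout is an assumption; map your RDP / SSL-VPN logs onto it.
SAMPLE = """\
2026-01-10T02:00:01,rdp,203.0.113.7,administrator,fail
2026-01-10T02:00:03,rdp,203.0.113.7,admin,fail
2026-01-10T02:00:05,rdp,203.0.113.7,backup,fail
2026-01-10T02:00:08,rdp,203.0.113.7,svc_backup,fail
2026-01-10T02:00:11,rdp,203.0.113.7,jsmith,fail
2026-01-10T02:00:15,rdp,203.0.113.7,jsmith,success
2026-01-10T09:12:00,vpn,198.51.100.20,akhan,fail
2026-01-10T09:12:30,vpn,198.51.100.20,akhan,success
2026-01-10T03:00:00,vpn,192.0.2.44,guest,fail
2026-01-10T03:00:02,vpn,192.0.2.44,test,fail
2026-01-10T03:00:04,vpn,192.0.2.44,vpnuser,fail
2026-01-10T03:00:06,vpn,192.0.2.44,support,fail
2026-01-10T03:00:09,vpn,192.0.2.44,admin,fail
"""

def find_bruteforce(text, threshold=5, window=timedelta(minutes=10)):
    """Return one finding per (service, source IP) with >= threshold failures in window."""
    rows = sorted((r for r in csv.reader(StringIO(text)) if r), key=lambda r: r[0])
    recent = defaultdict(deque)  # (service, ip) -> timestamps of recent failures
    findings = {}                # (service, ip) -> finding, in order of first alert
    for ts, service, ip, user, result in rows:
        when = datetime.fromisoformat(ts)
        key = (service, ip)
        if result == "fail":
            q = recent[key]
            q.append(when)
            while when - q[0] > window:  # drop failures that fell out of the window
                q.popleft()
            if len(q) >= threshold and key not in findings:
                findings[key] = {"service": service, "src_ip": ip,
                                 "first_alert": when, "success_user": None}
        elif key in findings and findings[key]["success_user"] is None:
            # Success from a source already flagged for brute forcing:
            # treat the account as compromised and rotate its credentials.
            findings[key]["success_user"] = user
    return list(findings.values())

if __name__ == "__main__":
    for f in find_bruteforce(SAMPLE):
        print(f["service"], f["src_ip"], f["first_alert"], f["success_user"])
```

A single mistyped password followed by a success (the `akhan` rows) stays below the threshold and produces no finding.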
Relevant Sources
- https://www.ransomware.live/group/dragonforce
- https://www.ransomware.live/map/GB
- https://x.com/falconfeedsio/status/2060220753400967490
Relevant CTI Resources
- https://github.com/BushidoUK/Ransomware-Tool-Matrix/blob/main/GroupProfiles/DragonForce.md
- https://github.com/BushidoUK/Ransomware-Vulnerability-Matrix/blob/main/GroupProfiles/DragonForce.md
- https://github.com/BushidoUK/Ransomware-Tool-Matrix/blob/main/CommunityReports/CR-021-DRAGONFORCE-APR-2025.md
- https://github.com/BushidoUK/Ransomware-Tool-Matrix/blob/main/CommunityReports/CR-022-DRAGONFORCE-FEB-2026.md
- https://github.com/BushidoUK/Ransomware-Tool-Matrix/blob/main/CommunityReports/CR-023-DRAGONFORCE-AUG-2024.md
Article source: https://blog.bushidotoken.net/2026/06/uk-cybercrime-journal-sustained.html