What is the latest activity observed from DragonForce ransomware?

DragonForce ransomware has claimed 7 new victims in the last 24 hours. Their recent targets include companies in the Real Estate and Manufacturing sectors, primarily located in the United Arab Emirates and Bahrain.

How many new ransomware victims were reported in the last 24 hours?

A total of 37 new ransomware victims were reported across various groups in the last 24 hours. Beyond DragonForce, M3RXDLS and DireWolf were also highly active during this period.

Which critical vulnerability are Qilin ransomware affiliates exploiting?

Qilin ransomware affiliates are actively exploiting CVE-2026-50751, a critical authentication bypass vulnerability affecting Check Point Remote Access VPNs. This exploitation provides initial access for their operations.

What are some common initial access methods used by ransomware groups?

Ransomware groups frequently gain initial access by exploiting critical vulnerabilities in VPNs and edge devices, as seen with Qilin and The Gentlemen. Spear-phishing remains another effective method, as demonstrated by the Anubis group.

What actions are being taken to disrupt ransomware financial infrastructure?

Law enforcement agencies are actively working to dismantle services that support ransomware operations. A recent example is the takedown of AudiA6, a cryptocurrency laundering service that had processed over €336 million for various cybercriminal groups.

DragonForce Ransomware Claims 7 Victims in 24h

Statistical Overview

Victim Totals

This month: 295
This quarter: 1840
Year to date: 4464
Last 24h: 37

Quarterly Breakdown

Q1: 2631 | Q2: 1840 | Q3: 0 | Q4: 0

Ransomware activity continues, with 37 new victims recorded in the last 24 hours. This adds to a total of 1840 victims this quarter. Activity comes from operations including DragonForce, M3RXDLS, and DireWolf.

Introduction

Ransomware operators posted 37 new victims in the last 24 hours. DragonForce (7 victims), M3RXDLS (6 victims), and DireWolf (4 victims) were responsible for most activity. Key sectors targeted include Real Estate, Manufacturing, and Construction & Engineering, affecting the United States and the United Arab Emirates. Qilin ransomware affiliates have been linked to a critical VPN vulnerability, CVE-2026-50751, and are actively exploiting it.

Ransomware Summary Table

#	Group	Victims (24h)	Sample Victims	Geos	Sectors
1	DragonForce	7	A. liberty engineering co. ltd, Al ishrak contracting, Al shafar grc (+4)	United Arab Emirates, Bahrain	Real Estate, Manufacturing
2	M3RXDLS	6	Fasadeconsult.no, Hbexperts-conseils.ca, Ktwhs.com (+3)	Costa Rica, Canada	Construction & Engineering, Transportation & Logistics
3	DireWolf	4	Clínica vida, Did asia, Jewelex (+1)	Spain, Thailand	Manufacturing, Healthcare
4	SLSH	4	American tower corporation, Jcpenney & several other subsdiaries under catalyst brands & authentic brands group, Madison square garden sports corp. (+1)	United States	Telecommunications, Retail & Ecommerce
5	INC Ransom	3	DISCOLABINDU, Kewaunee Scientific, Signazon_USA	United States	Legal, Professional Services
6	Gunra	2	Mhe9 logística ltda, Suárez&clavera	Uruguay, Brazil	Transportation & Logistics, Professional Services
7	Krybit	2	Aisem.gob.bo, Www.progress-security.com	Bolivia, United Arab Emirates	Healthcare, Professional Services
8	NightSpire	2	Pattono s.r.l, Sierra west jewelers	United States, Italy	Retail & Ecommerce
9	Akira	1	Ddc domus design collection	United States	Professional Services
10	Anubis	1	Fétis group & secom engineering	France	Construction & Engineering
11	BlackX	1	Daechang solution	South Korea	Manufacturing
12	Bravox	1	Ccs global tech	United States	Technology / Software

DragonForce and M3RXDLS were the most active ransomware groups, with 7 and 6 new victims respectively. DragonForce focused on Real Estate and Manufacturing in the United Arab Emirates, while M3RXDLS targeted Construction & Engineering and Transportation & Logistics firms, primarily in Canada and Costa Rica. Recent reporting details DragonForce's activity across various sectors. M3RXDLS has also shown activity recently. SLSH impacted Telecommunications and Retail & Ecommerce within the United States, claiming American Tower Corporation and JCPenney. The Anubis group carried out a targeted attack against the Adriatic Port Authority in France, disrupting critical infrastructure.

Victim Distribution

By Country

United States: 13
United Arab Emirates: 4
Hong Kong: 2
Canada: 2
Spain: 2
Thailand: 1
Uruguay: 1
Bolivia: 1
Brazil: 1
Colombia: 1

By Industry

Construction: 2
Engineering Services: 2
Legal Services: 1
Hospitality: 1
Security and Investigations: 1
Design Services: 1
Entertainment: 1
Furnishings, Fixtures & Appliances: 1
Information Technology Services: 1
Investment Banking: 1

The distribution shows ongoing targeting of North American entities, especially in the United States, along with attacks in the Middle East and parts of Europe. Various industries are affected, with Construction, Engineering, and Real Estate sectors frequently impacted. This shows consistent targeting of operational and infrastructure-related businesses.

Ransomware News

Topline

Recent intelligence shows Qilin affiliates exploiting a critical vulnerability, a large cryptocurrency laundering service takedown, and information on new ransomware operations like The Gentlemen and an Anubis incident.

Campaigns & Operations

Qilin ransomware affiliates exploit CVE-2026-50751, a critical authentication bypass vulnerability in Check Point Remote Access VPNs. The Anubis ransomware group launched a targeted operation against the Adriatic Port Authority. They used spear-phishing (T1190) for initial access, which resulted in data exfiltration and operational disruption. The Gentlemen, tracked as Phantom Mantis and operating as an AI-enhanced Ransomware-as-a-Service, has claimed 478 victims. They often gain initial access through exposed VPNs and edge devices like Cisco and Fortinet FortiGate. The operation includes a self-spreading worm mode and multi-version ransomware for various operating systems. Law enforcement agencies, including Europol and the DOJ, dismantled AudiA6, a cryptocurrency laundering service that had processed over €336 million for ransomware gangs and cybercriminals.

Vulnerabilities & TTPs

Exploiting critical vulnerabilities such as CVE-2026-50751 in Check Point VPNs is a key way groups like Qilin gain initial access. Anubis gained initial access through spear-phishing (T1190), while The Gentlemen uses exposed VPNs and edge devices. The Gentlemen's operations include a Go-based payload with hybrid encryption, a self-spreading worm capability, and post-exploitation tooling such as NetExec and EDR killers.

Technical Takeaways

Qilin ransomware affiliates actively exploit CVE-2026-50751, a critical authentication bypass in Check Point Remote Access VPN.
"The Gentlemen" ransomware (Phantom Mantis) has advanced features like a self-spreading worm mode and cross-platform targeting (Windows, Linux, ESXi).
Spear-phishing (T1190) remains an effective initial access method for ransomware operations, as demonstrated by Anubis.
The dismantling of the AudiA6 crypto laundering service shows ongoing law enforcement efforts to disrupt ransomware financial infrastructure.
Ransomware groups continue to target the Manufacturing, Real Estate, and Construction & Engineering sectors globally, with a concentration in the United States and United Arab Emirates.

DragonForce Ransomware: Tactics and Targeting Patterns

DragonForce has emerged as a persistent threat actor with a clear preference for high-value targets in the Middle East and Asia-Pacific regions. Key operational characteristics include:

Double extortion model: Data exfiltration before encryption maximizes leverage
Sector focus: Real estate, manufacturing, and construction firms are primary targets
Geographic concentration: UAE and Bahrain account for the majority of recent victims
Affiliate structure: Operates a ransomware-as-a-service (RaaS) model attracting experienced affiliates

Organizations in these sectors should prioritize endpoint detection and network segmentation to reduce exposure. See our DragonForce threat profile

Understanding the 24-Hour Victim Surge

A spike of 7 victims claimed by a single group within 24 hours signals either a coordinated campaign or exploitation of a newly disclosed vulnerability. Analysts should consider:

Opportunistic timing: Ransomware groups often accelerate attacks after major vulnerability disclosures
Pre-positioned access: Threat actors may have established footholds weeks before encryption
Automated deployment: Modern ransomware tooling enables rapid, parallel victim processing
Negotiation pressure tactics: High victim counts force faster ransom decisions

Tracking velocity trends alongside victim totals provides early warning of escalating campaigns. Explore our ransomware velocity tracker

Defensive Recommendations for Targeted Sectors

With real estate and manufacturing firms consistently appearing in DragonForce victim lists, sector-specific defenses are critical:

Patch management: Prioritize internet-facing VPN and remote access infrastructure immediately
Backup isolation: Maintain offline, immutable backups tested monthly
Access controls: Enforce MFA across all administrative and remote access accounts
Threat intelligence subscriptions: Monitor ransomware leak sites for early breach indicators
Incident response planning: Establish pre-negotiated IR retainer agreements before an incident occurs

Proactive hardening remains the most cost-effective defense against ransomware operators at this activity level.

Accessibility

DragonForce Ransomware Claims 7 Victims in 24h