DragonForce ransomware posts more than 20 victims in three days

The DragonForce ransomware operation has had a busy week. Between July 14 and July 16, 2026, the group added more than 20 organizations to its dark web extortion site, a surge that spans some 14 countries across four continents and touches manufacturing, finance, telecommunications, energy, and hospitality. IntelFusions tracks these leak site postings as they appear, and DragonForce was the single most active crew in the window.

An important caveat first: these are unverified claims. Ransomware gangs post victim names to pressure organizations into paying, and a listing is a claim of compromise, not confirmation that data was stolen or that a victim has acknowledged an incident. Several of the named companies had not commented at the time of writing.

Who DragonForce named

The freshly listed victims sit almost entirely outside the United States, a pattern that stands out against the mostly US heavy leak sites of rival crews. They include the Sinai Grand Casino in Egypt, Hong Kong bakery chain Kee Wah Bakery, cable manufacturer Midal Cables in the United Arab Emirates, auto parts maker Omax Autos in India, telecom firm Edison Global Networks in the United Kingdom, Argentine financial services firm Petrini Valores, South African chemicals producer Isegen, and Chinese and Taiwanese technology companies including Momenta and Intron Technology Holdings. The spread across small and mid sized firms in business services, manufacturing, and professional services is typical of a ransomware as a service operation whose affiliates hit whatever they can reach.

Why the volume matters

DragonForce has spent 2026 growing into one of the most prolific ransomware brands, in part by recruiting affiliates and access brokers who supply ready made entry into corporate networks. IntelFusions recently reported how an access broker exploited a Citrix vulnerability to plant DragonForce ransomware, and the group has also been tied to partnerships with the Scattered Spider intrusion crew. A sustained run of 20 plus postings in three days is consistent with that pipeline: when brokers feed in fresh access at scale, the leak site fills up quickly. You can follow the group's activity and known aliases on the DragonForce threat actor profile.

The wider ransomware ecosystem is running hot in parallel. In the same period, the crew known as The Gentlemen dumped nearly 20 victims of its own in a single day, and Qilin has been posting dozens of victims a week. The volume underscores that leak site extortion remains a numbers game, with affiliates racing to monetize stolen access before defenders can respond.

What organizations should do

Because DragonForce affiliates lean heavily on stolen credentials and unpatched edge devices, the practical defenses are the familiar ones: patch internet facing VPN and gateway appliances promptly, enforce phishing resistant multi factor authentication, watch for unusual access broker activity and credential reuse, and keep tested, offline backups so that an encryption event does not become a business ending one. Organizations that find themselves named on a leak site should treat it as a live incident, preserve logs, and engage incident response rather than negotiating blind.

This briefing is provided by IntelFusions for informational and defensive purposes only. It is based on sources assessed to be reliable at the time of writing, and analytic judgments carry the confidence levels indicated. Indicators of compromise are defanged; re-arm them only in controlled environments. IntelFusions is not affiliated with the organizations named and makes no warranty as to completeness or accuracy.

Read the full analysis on IntelFusions