Ransomware Group DragonForce Targets U.S. MSP HELIX INTERNATIONAL in Extortion Attack

DragonForce Ransomware Claims Attack on HELIX INTERNATIONAL, Threatens Data Leak

HIGH
May 25, 2026
4m read
Ransomware, Data Breach, Threat Actor

Related Entities

Threat Actors

DragonForce

Other

HELIX INTERNATIONAL

Full Report

Executive Summary

On May 24, 2026, the ransomware group DragonForce added HELIX INTERNATIONAL, a U.S. software and managed services provider (MSP), to its list of victims. In a post on its data leak site, the group claimed to have successfully breached the company and exfiltrated sensitive data. DragonForce is now employing a double extortion strategy, threatening to publish the stolen data unless HELIX INTERNATIONAL pays a ransom. This incident highlights the continued targeting of MSPs by ransomware gangs, as compromising an MSP can provide access to a multitude of downstream clients.


Threat Overview

The attack follows a standard RaaS (Ransomware-as-a-Service) playbook. DragonForce, the operator, has publicly shamed its victim to apply pressure. The group's statement, "The full leak will be published soon, unless a company representative contacts us," is a classic ultimatum designed to force the victim into negotiations.

At this stage, the exact details of the attack—such as the initial access vector and the specific data exfiltrated—are not publicly known. However, common tactics used by groups like DragonForce include:

Once inside the network, the group would have performed reconnaissance, escalated privileges, and located and exfiltrated valuable data (T1560 - Archive Collected Data) before potentially deploying ransomware to encrypt systems (T1486 - Data Encrypted for Impact).


Impact Assessment

A successful attack on an MSP like HELIX INTERNATIONAL can have a devastating cascading impact. The primary victim is the MSP itself, facing operational disruption, reputational damage, and financial loss. However, the greater risk lies with the MSP's clients. The threat actor may have stolen data belonging to multiple downstream customers, or they could use their access to the MSP's infrastructure to launch further attacks against those customers. The threat to leak data creates significant pressure, as it could expose the sensitive information of not just one, but potentially dozens or hundreds of other companies.


IOCs — Directly from Articles

No specific Indicators of Compromise were provided in the source articles.


Cyber Observables — Hunting Hints

To detect activity associated with ransomware groups like DragonForce, security teams should hunt for:

Type | Value | Description
process_name | rclone.exe, megacmd.exe | Threat actors frequently use legitimate data synchronization tools to exfiltrate large volumes of data to cloud storage.
command_line_pattern | vssadmin.exe delete shadows /all /quiet | A classic ransomware precursor activity, aimed at deleting volume shadow copies to prevent easy system restoration.
network_traffic_pattern | Large, sustained data uploads to cloud storage providers (e.g., Mega, Dropbox) from servers or endpoints that do not normally perform such activity. | This is a strong indicator of data exfiltration.
file_name | *.dragonforce (example) | Look for files with unusual extensions, which indicate that ransomware has encrypted them. The exact extension varies by campaign.
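The script below is an added example, not code from the original article and not associated with DragonForce or any vendor tooling. It turns the four hunting hints above (exfiltration tool process names, the shadow-copy deletion command line, abnormal upload volume, and mass writes of an unusual file extension) into runnable detection logic, and the per-host egress baseline also illustrates the outbound-traffic monitoring recommended under Mitigation. All telemetry is constructed; the record fields (host, process, cmdline, daily byte counts) and the thresholds and extension allow-list are assumptions about a generic SIEM export, not a specific product's schema.

```python
"""Hunting-hint matcher for the ransomware observables listed above.

Added example, not code from the original article. All telemetry below is
constructed, and the record fields (host, process, cmdline, bytes per day)
are assumptions about a generic SIEM export, not a specific product's schema.
"""
import re
from collections import defaultdict
from statistics import mean, pstdev

# --- Constructed sample telemetry -------------------------------------------
# Process-creation events (Sysmon EID 1 / Windows 4688 style, trimmed).
PROCESS_EVENTS = [
    {"host": "ws-042", "process": "rclone.exe",
     "cmdline": r"rclone.exe copy D:\Finance mega:dump -P"},
    {"host": "srv-fs01", "process": "vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "srv-fs01", "process": "vssadmin.exe",
     "cmdline": "vssadmin.exe list shadows"},          # benign admin use
    {"host": "ws-017", "process": "explorer.exe", "cmdline": "explorer.exe"},
    {"host": "ws-017", "process": "MegaCmd.exe",
     "cmdline": r"MegaCmd.exe put C:\HR\payroll.zip"},
]
# Daily bytes uploaded to cloud-storage ranges: 14-day history per host, plus today.
EGRESS_HISTORY = {
    "srv-db02": [2e7, 1.8e7, 2.2e7, 1.9e7, 2.1e7, 2e7, 1.7e7,
                 2.3e7, 1.9e7, 2e7, 2.1e7, 1.8e7, 2.2e7, 2e7],
    "ws-042":   [5e6, 6e6, 5.5e6, 4.8e6, 6.2e6, 5.1e6, 5e6,
                 5.9e6, 6.1e6, 5.3e6, 4.9e6, 5.6e6, 5.2e6, 6e6],
}
EGRESS_TODAY = {"srv-db02": 2.1e7, "ws-042": 4.8e9}   # ws-042 pushed ~4.8 GB today
# File-write observations as (host, filename); ".dragonforce" is the page's example extension.
FILE_EVENTS = [("srv-fs01", f"report_{i}.docx.dragonforce") for i in range(40)]
FILE_EVENTS.append(("ws-017", "notes.txt"))

# --- Hunt definitions --------------------------------------------------------
EXFIL_TOOLS = {"rclone.exe", "megacmd.exe"}
# Shadow-copy deletion: tolerate a missing ".exe", extra spaces and trailing switches.
SHADOW_DELETE = re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b.*/all", re.IGNORECASE)
# Extensions considered normal for this environment (assumed allow-list).
KNOWN_EXTENSIONS = {"docx", "xlsx", "pptx", "pdf", "txt", "csv", "zip", "exe", "dll", "log"}


def hunt_processes(events):
    """Return (host, finding, evidence) for exfil tools and shadow-copy deletion."""
    hits = []
    for ev in events:
        if ev["process"].lower() in EXFIL_TOOLS:
            hits.append((ev["host"], "exfil_tool", ev["process"]))
        if SHADOW_DELETE.search(ev["cmdline"]):
            hits.append((ev["host"], "shadow_copy_deletion", ev["cmdline"]))
    return hits


def hunt_egress(history, today, z_threshold=4.0):
    """Flag hosts whose upload volume today is far outside their own baseline.

    Returns (host, multiple_of_baseline_mean). The baseline is per host because
    a backup server legitimately uploads gigabytes while a workstation does not.
    """
    alerts = []
    for host, baseline in history.items():
        mu, sigma = mean(baseline), pstdev(baseline)
        observed = today.get(host, 0.0)
        if sigma == 0:                      # flat history: any increase is anomalous
            anomalous = observed > mu
        else:
            anomalous = (observed - mu) / sigma > z_threshold
        if anomalous:
            alerts.append((host, round(observed / mu, 1) if mu else float("inf")))
    return alerts


def hunt_extensions(file_events, min_count=20):
    """Flag hosts writing many files with an extension outside the allow-list."""
    counts = defaultdict(int)
    for host, name in file_events:
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext and ext not in KNOWN_EXTENSIONS:
            counts[(host, ext)] += 1
    return [(host, ext, n) for (host, ext), n in counts.items() if n >= min_count]


def run_hunt():
    """Run all three hunts and group findings per host for triage."""
    findings = defaultdict(list)
    for host, kind, evidence in hunt_processes(PROCESS_EVENTS):
        findings[host].append(f"{kind}: {evidence}")
    for host, factor in hunt_egress(EGRESS_HISTORY, EGRESS_TODAY):
        findings[host].append(f"egress_spike: {factor}x daily baseline")
    for host, ext, n in hunt_extensions(FILE_EVENTS):
        findings[host].append(f"mass_rename: {n} files -> .{ext}")
    return dict(findings)


if __name__ == "__main__":
    for host, items in sorted(run_hunt().items()):
        print(host)
        for item in items:
            print("  -", item)
```

Grouping findings per host is deliberate: a single rclone.exe launch on a workstation is worth a look, but the same host also showing a 4 GB upload spike is what justifies the Containment step in the response section. The z-score baseline and the 20-file rename threshold are tuning knobs; lower them in quiet environments and raise them where backup agents or sync clients are expected.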

Detection & Response

Upon discovering such an attack, the recommended incident response steps are:

  1. Containment: Isolate the affected systems from the network to prevent further spread of ransomware or continued data exfiltration.
  2. Compromise Assessment: Engage a professional incident response team to determine the initial access vector, the scope of the breach, what data was exfiltrated, and whether the attacker still has persistent access.
  3. Backup Validation: Immediately check the integrity and accessibility of backups. Ensure they are offline and were not compromised by the attacker.
  4. Communication: Do not contact the threat actor before consulting with incident response and legal counsel. Develop a communication plan for notifying affected customers and regulatory bodies.

Mitigation

To prevent such attacks, MSPs and their clients should implement the following controls:

  1. Patch Management: Aggressively patch all internet-facing systems and applications to close known vulnerability-based entry points. See M1051 - Update Software.
  2. Multi-Factor Authentication (MFA): Enforce MFA on all remote access solutions (VPNs, RDP) and critical accounts to protect against credential theft. See M1032 - Multi-factor Authentication.
  3. Egress Filtering and Monitoring: Monitor outbound network traffic for signs of large-scale data exfiltration. Block connections to known malicious or non-business-related cloud storage services. This aligns with M1037 - Filter Network Traffic.
  4. Immutable Backups: Maintain segmented, immutable, and offline backups that cannot be deleted or altered by an attacker who has compromised the primary network. Regularly test the restoration process.

Timeline of Events

  1. May 24, 2026: DragonForce ransomware group publicly claims the attack on HELIX INTERNATIONAL.
  2. May 25, 2026: This article was published.

MITRE ATT&CK Mitigations

Regularly patching vulnerabilities in internet-facing systems is a primary defense against ransomware initial access.

Enforcing MFA on remote access points and critical accounts prevents attackers from using stolen credentials.

Maintaining tested, immutable, and offline backups is the most effective countermeasure for recovering from a ransomware attack.

Sources & References

Article Author

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags

DragonForce, Ransomware, HELIX INTERNATIONAL, MSP, Double Extortion, Data Leak
