On May 25, 2026, the DragonForce ransomware group publicly claimed responsibility for a cyberattack against BusinessRecord.com, a U.S.-based media organization. The threat actors have listed the victim on their data leak site and are threatening to publish exfiltrated data unless the organization enters ransom negotiations. The incident was disclosed and verified by threat intelligence firm DeXpose on May 26, 2026.
What Happened
DragonForce, a ransomware-as-a-service (RaaS) operation that has rapidly expanded its affiliate program throughout 2025 and into 2026, added BusinessRecord.com to its public extortion blog. The group's claim follows the standard double-extortion playbook: encryption of internal systems combined with exfiltration of sensitive corporate data, leveraged as a coercion mechanism to force payment. Per the leak site posting, the actors are giving BusinessRecord.com a limited window to engage before sensitive files are published.
BusinessRecord.com operates as a regional business news publication serving the U.S. market. As a media entity, it likely maintains subscriber databases, editorial workflows, advertiser contracts, and internal communications, all of which represent high-value targets for extortion-driven operators.
What Was Taken
DragonForce has not yet released sample data or a full inventory of exfiltrated materials, which is consistent with their early-stage negotiation posture. Based on the typical victimology of DragonForce campaigns and the nature of BusinessRecord.com's operations, exposed datasets likely include:
- Subscriber and reader personal information, including names, emails, and billing data
- Internal editorial communications and unpublished content
- Advertiser and partner contracts containing commercial terms
- Employee HR records and payroll information
- Backend CMS credentials and access tokens
The group has signaled that publication will proceed if negotiations do not commence, suggesting a countdown timer is already active on their leak portal.
Why It Matters
Attacks against media organizations carry compounded risk beyond standard enterprise breaches. Compromised newsrooms can expose confidential sources, draft investigations, and reporter communications, threatening journalistic integrity and potentially endangering individuals. For the broader threat landscape, this incident reinforces three trends defenders should track:
- DragonForce continues to scale aggressively after absorbing affiliates displaced from disrupted RaaS brands such as LockBit and ALPHV.
- Mid-market U.S. media and publishing entities remain under-resourced relative to the threat they face, making them attractive soft targets.
- The group's willingness to publicly name victims within hours of intrusion completion signals operational confidence and a streamlined extortion pipeline.
The Attack Technique
Initial access vectors used by DragonForce affiliates in recent campaigns have included exploitation of unpatched edge devices (notably SimpleHelp and Ivanti products), phishing for valid credentials, and acquisition of access from initial access brokers operating in dark web markets. Once inside, affiliates typically deploy living-off-the-land binaries, abuse legitimate remote management tools such as AnyDesk and Atera, and conduct lateral movement via SMB and RDP before staging exfiltration through tools like Rclone or MEGA.
The specific intrusion vector used against BusinessRecord.com has not been disclosed publicly. However, the speed of the claim suggests a mature operator with pre-staged tooling rather than an opportunistic actor.
What Organizations Should Do
Media organizations and similarly positioned mid-market entities should treat this incident as a prompt to validate the following controls:
- Patch internet-facing infrastructure immediately, prioritizing VPN gateways, file transfer appliances, and remote support tooling that DragonForce affiliates are known to exploit.
- Enforce phishing-resistant MFA across all employee, contractor, and administrative accounts, and audit for legacy authentication paths that bypass MFA.
- Validate offline, immutable backups and test restoration end-to-end. Backups stored on reachable network shares offer no protection against modern ransomware.
- Deploy EDR with behavioral detection tuned for ransomware precursors: shadow copy deletion, mass file rename activity, and suspicious use of Rclone, WinSCP, or PowerShell exfiltration.
- Monitor dark web and leak site activity for early indicators that your organization or supply chain partners have been compromised.
- Pre-establish incident response retainers with experienced ransomware responders and legal counsel before an incident occurs, not during one.
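The ransomware precursors named in the EDR item above (shadow copy deletion, mass file rename activity, Rclone transfers) can be expressed as simple rules over endpoint telemetry. The sketch below is an added example, not code from DeXpose or any EDR product; the event schema, host names, and the rename threshold and window are assumptions, and the sample events are constructed.

```python
import re
from collections import defaultdict

# Command-line patterns for the precursors named in the list above.
CMD_RULES = {
    "shadow_copy_deletion": re.compile(
        r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    "rclone_transfer": re.compile(r"\brclone(\.exe)?\b.*\b(copy|sync|move)\b", re.I),
}
RENAME_THRESHOLD = 100  # assumption: this many renames by one process ...
RENAME_WINDOW = 60      # ... within this many seconds counts as "mass rename"

def detect(events):
    """Return sorted (host, rule) pairs raised by the events."""
    hits = set()
    renames = defaultdict(list)  # (host, pid) -> rename timestamps in window
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["type"] == "process_create":
            for rule, pattern in CMD_RULES.items():
                if pattern.search(ev["cmdline"]):
                    hits.add((ev["host"], rule))
        elif ev["type"] == "file_rename":
            times = renames[(ev["host"], ev["pid"])]
            times.append(ev["ts"])
            # Drop timestamps that have fallen out of the sliding window.
            while times[0] < ev["ts"] - RENAME_WINDOW:
                times.pop(0)
            if len(times) >= RENAME_THRESHOLD:
                hits.add((ev["host"], "mass_file_rename"))
    return sorted(hits)

# Constructed sample telemetry (hypothetical schema, not from the incident).
SAMPLE = [
    {"ts": 10, "type": "process_create", "host": "ws-01", "pid": 400,
     "cmdline": r"C:\Windows\System32\vssadmin.exe delete shadows /all /quiet"},
    {"ts": 12, "type": "process_create", "host": "fs-02", "pid": 812,
     "cmdline": r"C:\Users\Public\rclone.exe copy D:\shares remote:bucket"},
    {"ts": 15, "type": "process_create", "host": "ws-03", "pid": 90,
     "cmdline": "vssadmin.exe list shadows"},  # benign: listing only
]
# 150 renames by one process within 30 seconds on ws-01.
SAMPLE += [{"ts": 20 + i * 0.2, "type": "file_rename", "host": "ws-01", "pid": 400}
           for i in range(150)]
# Slow, benign renames on ws-03: one every 5 seconds.
SAMPLE += [{"ts": 20 + i * 5, "type": "file_rename", "host": "ws-03", "pid": 77}
           for i in range(150)]

if __name__ == "__main__":
    for host, rule in detect(SAMPLE):
        print(f"{host}: {rule}")
```

The benign `vssadmin list shadows` call and the slow rename stream on ws-03 raise nothing, which is the tuning behavior to verify before alerting on these rules in production.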
Sources: Dragonforce Targets BusinessRecord.com in Ransomware Attack - DeXpose