The DragonForce ransomware group has claimed responsibility for a coordinated wave of intrusions striking organizations on both sides of the Atlantic, with reported disruption at Heartland Growers in Westfield, Indiana and HELIX INTERNATIONAL in the United Kingdom. The pairing of a major Midwest greenhouse supplier with a UK enterprise content management and data migration provider underscores DragonForce's shift toward hybrid targeting of physical supply chains and digital infrastructure in the same campaign window.
What Happened
Heartland Growers, one of the largest wholesale greenhouse operators serving Midwest retail and agricultural distribution, suffered a significant intrusion that interrupted greenhouse operations and distribution channels. Internal systems were reportedly encrypted, forcing operational downtime and a switch to manual fallback procedures for inventory and logistics scheduling.
In parallel, HELIX INTERNATIONAL, a UK-based provider of enterprise content management and large-scale data migration services, was listed as a second DragonForce victim. The attackers claim unauthorized access to sensitive enterprise systems used to service corporate clients. Both incidents have been posted on DragonForce's extortion infrastructure, consistent with the group's signature double-extortion model.
What Was Taken
DragonForce has indicated that data was exfiltrated from both environments prior to encryption, in line with its standard playbook. While neither victim has published a public disclosure detailing precise data volumes, the claimed scope spans:
- Internal operational data from Heartland Growers, including environmental monitoring telemetry, distribution schedules, retailer order data, and employee records.
- Enterprise client material held by HELIX INTERNATIONAL, including content management repositories and data migration project artifacts that may contain downstream customer documents and credentials.
The HELIX exposure is the more systemically concerning of the two, given that managed service providers typically aggregate sensitive assets from many client tenants in a single environment.
Why It Matters
The agricultural angle is not cosmetic. Modern greenhouse operations depend on continuous environmental monitoring, automated irrigation, and tightly scheduled logistics. A disruption during the spring shipping window can translate directly into perished plant inventory, missed retail commitments, and cascading shortages at garden centers and big-box partners across the Midwest.
The HELIX INTERNATIONAL compromise carries supply chain risk that extends well beyond the company itself. Content management and data migration providers sit at the center of customer data lifecycles, and a breach there can yield ready-made access into multiple downstream organizations through stored credentials, API tokens, and migration source systems.
Taken together, the two intrusions illustrate DragonForce's continued strategy of pairing high-pressure operational targets with high-leverage service provider targets in the same campaign to maximize ransom outcomes.
The Attack Technique
DragonForce operates as a ransomware-as-a-service brand whose affiliates have historically relied on a recurring set of initial access vectors: exploitation of unpatched perimeter appliances such as VPN concentrators and edge firewalls, phishing-led credential theft followed by abuse of remote management tooling, and reuse of stolen or brokered credentials against exposed RDP and SSL VPN portals. Post-compromise tradecraft typically includes credential harvesting from domain controllers, lateral movement via RMM and PsExec-style tooling, exfiltration over cloud storage services, and deployment of the DragonForce encryptor across virtualized infrastructure including ESXi hosts.
Neither Heartland Growers nor HELIX INTERNATIONAL has publicly confirmed the specific intrusion vector at this time, but the reported symptoms (encryption of internal systems alongside a data theft claim) align with the group's established pattern.
What Organizations Should Do
- Audit all internet-facing remote access, VPN, and edge appliances for missing patches and enforce multifactor authentication on every external authentication surface.
- Inventory and harden managed service provider connections, rotating any shared credentials, API keys, and migration tokens, and reviewing tenant isolation on third-party platforms.
- Segment operational technology and supply-chain-critical systems, including environmental monitoring and logistics scheduling, from general corporate IT to contain ransomware blast radius.
- Validate offline, immutable backups for both file systems and virtualization layers, and rehearse restoration of ESXi and hypervisor hosts specifically, which DragonForce affiliates routinely target.
- Deploy or tune EDR to alert on RMM tool abuse, suspicious PsExec activity, mass file rename behavior, and bulk outbound transfers to cloud storage endpoints commonly used for exfiltration.
- Brief incident response, legal, and communications leads on dual-track ransomware scenarios where extortion proceeds even if encryption is contained, and pre-stage external counsel and DFIR retainers.
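The post-compromise behaviors described in the attack technique section (PsExec-style lateral movement, RMM abuse, bulk file renaming by the encryptor, and exfiltration to cloud storage) map directly onto the EDR tuning recommendation above. The following is an added example, not DragonForce's tooling and not any vendor's detection content, showing what that detection logic looks like when run over EDR-style telemetry. The event schema, the RMM binary list, the cloud storage domain suffixes, the `enc.exe` encryptor path and the `.locked` extension are all assumptions made for the example; the telemetry is constructed inline, not captured from either victim.

```python
"""Detection logic for four ransomware-affiliate behaviors over constructed EDR telemetry.
Added example: schema, tool lists and sample events are assumptions, not real logs."""
from collections import defaultdict
from datetime import datetime, timedelta

# Remote-control / RMM binaries that affiliates commonly abuse. Which of these are
# legitimately approved in a given estate is supplied by the caller.
RMM_BINARIES = {"anydesk.exe", "screenconnect.clientservice.exe", "atera.exe",
                "splashtop.exe", "teamviewer.exe"}
# Cloud storage destinations matched by suffix; tune to what your proxy/EDR actually logs.
CLOUD_STORAGE_SUFFIXES = ("mega.nz", "mega.co.nz", "dropbox.com", "storage.googleapis.com")


def _t(s):
    return datetime.fromisoformat(s)


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_psexec(events):
    """PsExec-style execution leaves a PSEXESVC service install on the target and a
    psexesvc.exe process parented by services.exe. Returns sorted (host, user) pairs."""
    hits = set()
    for e in events:
        if e["type"] == "service_install" and e.get("service", "").upper() == "PSEXESVC":
            hits.add((e["host"], e["user"]))
        elif e["type"] == "process" and _basename(e["image"]) == "psexesvc.exe":
            hits.add((e["host"], e["user"]))
    return sorted(hits)


def detect_unapproved_rmm(events, approved):
    """Flag known RMM binaries that are not on the organization's approved list."""
    suspicious = RMM_BINARIES - {a.lower() for a in approved}
    return sorted({(e["host"], _basename(e["image"])) for e in events
                   if e["type"] == "process" and _basename(e["image"]) in suspicious})


def detect_mass_rename(events, threshold=50, window=timedelta(seconds=60)):
    """Encryptors rename files in bulk: flag any (host, process) that performs at least
    `threshold` renames inside any sliding time window of length `window`."""
    per_proc = defaultdict(list)
    for e in events:
        if e["type"] == "file_rename":
            per_proc[(e["host"], _basename(e["image"]))].append(_t(e["ts"]))
    flagged = []
    for key, times in per_proc.items():
        times.sort()
        start = 0
        for end in range(len(times)):          # two-pointer sliding window
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.append(key)
                break
    return sorted(flagged)


def detect_bulk_egress(events, byte_threshold=1_000_000_000):
    """Sum outbound bytes per (host, destination) for cloud storage destinations and
    flag totals at or above the threshold; exfil is often split over many sessions."""
    totals = defaultdict(int)
    for e in events:
        if e["type"] == "netconn" and e["dest"].endswith(CLOUD_STORAGE_SUFFIXES):
            totals[(e["host"], e["dest"])] += e["bytes_out"]
    return sorted((k, v) for k, v in totals.items() if v >= byte_threshold)


def build_sample_events():
    """Constructed telemetry exercising each detection plus benign noise. Not real logs."""
    ev = [
        {"ts": "2024-05-01T02:10:05", "host": "FS01", "type": "service_install", "service": "PSEXESVC",
         "image": r"C:\Windows\PSEXESVC.exe", "user": r"CORP\svc_backup"},
        {"ts": "2024-05-01T02:10:06", "host": "FS01", "type": "process", "image": r"C:\Windows\PSEXESVC.exe",
         "parent": "services.exe", "user": r"CORP\svc_backup"},
        {"ts": "2024-05-01T02:12:00", "host": "WS17", "type": "process", "parent": "explorer.exe",
         "image": r"C:\Users\jdoe\AppData\Local\AnyDesk\AnyDesk.exe", "user": r"CORP\jdoe"},
        {"ts": "2024-05-01T02:12:30", "host": "WS03", "type": "process", "parent": "explorer.exe",
         "image": r"C:\Program Files\TeamViewer\TeamViewer.exe", "user": r"CORP\helpdesk"},  # approved
        {"ts": "2024-05-01T02:20:00", "host": "FS01", "type": "netconn", "dest": "userstorage.mega.co.nz", "bytes_out": 900_000_000},
        {"ts": "2024-05-01T02:25:00", "host": "FS01", "type": "netconn", "dest": "userstorage.mega.co.nz", "bytes_out": 700_000_000},
        {"ts": "2024-05-01T02:26:00", "host": "WS03", "type": "netconn", "dest": "www.dropbox.com", "bytes_out": 20_000_000},
        {"ts": "2024-05-01T02:30:00", "host": "WS03", "type": "file_rename", "image": r"C:\Windows\explorer.exe",
         "old": r"C:\Users\helpdesk\a.txt", "new": r"C:\Users\helpdesk\b.txt"},  # benign single rename
    ]
    t0 = _t("2024-05-01T02:40:00")
    for i in range(60):  # 60 renames in 30 seconds from a constructed encryptor path
        ev.append({"ts": (t0 + timedelta(milliseconds=500 * i)).isoformat(), "host": "FS01",
                   "type": "file_rename", "image": r"C:\Users\Public\enc.exe",
                   "old": rf"\\FS01\share\doc{i}.docx", "new": rf"\\FS01\share\doc{i}.docx.locked"})
    return ev


if __name__ == "__main__":
    events = build_sample_events()
    print("psexec:", detect_psexec(events))
    print("rmm:", detect_unapproved_rmm(events, approved={"teamviewer.exe"}))
    print("mass rename:", detect_mass_rename(events))
    print("bulk egress:", detect_bulk_egress(events))
```

The thresholds (50 renames per minute, 1 GB per destination) are starting points, not tuned values; backup agents and build systems will trip the rename rule unless excluded by image path, and the egress rule needs a per-tenant baseline of normal cloud storage volume. Because the egress total is accumulated across sessions, the detection still fires when exfiltration is chunked into many small uploads, which is the common pattern.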