On May 25, 2026, the DragonForce ransomware group publicly claimed responsibility for a cyberattack against Enns & Company Professional Corporation, a well-established Canadian accounting firm operating at ennsco.ca. The threat actors have threatened to leak sensitive financial data unless the firm enters ransom negotiations, marking another high-profile strike against the professional services sector. The incident was confirmed and reported by threat intelligence platform DeXpose on May 26, 2026.
What Happened
DragonForce, a ransomware-as-a-service (RaaS) operation that has rapidly risen in prominence over the past year, added Enns & Company to its data leak site on May 25, 2026. The group issued a public statement reading: "The full leak will be published soon, unless a company representative contacts us via the channels provided." This follows DragonForce's standard double-extortion playbook, in which victims are pressured both by file encryption and the threat of public data exposure. Enns & Company has not yet issued a public statement confirming the scope of the breach or the operational impact on client services.
What Was Taken
While DragonForce has not yet released sample files to validate its claims, the group asserts possession of sensitive financial data belonging to the firm and, by extension, its clients. Given the nature of an accounting practice, exposed data likely includes corporate tax filings, payroll records, bank account details, audit working papers, social insurance numbers, personally identifiable information (PII) of clients and employees, and confidential financial statements for businesses and individuals. The downstream exposure for Enns & Company's client base presents significant secondary risk, including identity theft, business email compromise, and targeted fraud.
Why It Matters
Accounting firms are high-value targets because they sit on a concentrated trove of financial data spanning dozens or hundreds of client organizations. A single intrusion can yield material non-public information, banking credentials, and tax data covering a broad client portfolio, multiplying the blast radius far beyond the direct victim. DragonForce's activity in Canada also signals continued expansion of the group's operator base beyond traditional U.S. and European targets, and underscores the rising threat to small and mid-sized professional services firms that often lack mature security programs. With Canadian privacy regulators tightening reporting obligations under PIPEDA, the regulatory exposure for Enns & Company and its clients is substantial.
The Attack Technique
DragonForce affiliates typically gain initial access through phishing campaigns, exploitation of internet-exposed services (such as unpatched VPN appliances and remote desktop endpoints), and the use of valid credentials sourced from infostealer malware logs sold on dark web markets. Once inside, operators commonly deploy Cobalt Strike or Sliver for command and control, perform lateral movement using legitimate administrative tools (Living-off-the-Land), exfiltrate data via tools like Rclone or MEGA, and finally deploy the DragonForce locker, a variant reportedly derived from leaked LockBit and Conti source code. The specific intrusion vector at Enns & Company has not been publicly disclosed.
What Organizations Should Do
- Audit external attack surface: Identify and patch internet-facing services, particularly VPN concentrators, RDP endpoints, and remote access portals that DragonForce affiliates routinely target.
- Hunt for infostealer exposure: Check for leaked employee credentials on dark web monitoring platforms, as DragonForce frequently buys access via stealer logs from RedLine, Lumma, and StealC.
- Enforce phishing-resistant MFA: Deploy hardware tokens or FIDO2 authenticators across all privileged and remote access pathways to neutralize stolen-credential attacks.
- Validate offline, immutable backups: Confirm that backups are segmented from the production network, encrypted, and tested through full restore drills to ensure ransomware recovery is viable.
- Deploy EDR with behavior analytics: Detect Cobalt Strike beacons, Rclone exfiltration patterns, and unusual lateral movement before encryption begins.
- Engage incident response and legal counsel early: Professional services firms must coordinate with breach counsel and forensic responders to manage regulatory notifications and client communications.
Sources: Dragonforce Targets Canadian Accounting Firm Enns & Company - DeXpose