The DragonForce ransomware group has added EPB Insurance, the trade name of Minnesota-based independent agency Ekblad, Pardee & Bewell, Inc., to its dark web leak site. The post, dated May 25, 2026, surfaced on a forum monitored by Yazoul Security, which has not yet independently verified the claim. No data samples, file trees, or proof-of-compromise artifacts have been published, leaving both the volume and authenticity of the alleged breach in question.
What Happened
DragonForce operators posted EPB Insurance (epbinsurance.com) to their extortion leak site on May 25, 2026, asserting they had compromised the agency's network. EPB is a multi-state independent insurance broker licensed in Minnesota, Wisconsin, South Dakota, and Arizona, selling auto, home, life, health, and business insurance products. The group has not disclosed the volume of allegedly exfiltrated data, attached samples, or provided any technical indicators tying them to the agency's environment. As of publication, EPB Insurance has not issued a public statement, and no encryption event has been independently confirmed.
What Was Taken
The threat actor has not enumerated specific record types or file counts. Based on the victim's line of business, any genuine compromise of a brokerage of this profile would likely expose policyholder PII (names, addresses, dates of birth, Social Security numbers), policy and claims documentation, premium and payment records, driver's license and vehicle data tied to auto coverage, protected health information tied to life and health products, and commercial client underwriting files. Employee HR and payroll data is also a common collateral target in mid-market agency intrusions. Until DragonForce publishes proof or EPB confirms, the scope remains speculative.
Why It Matters
Independent insurance agencies sit on dense concentrations of PII and PHI but typically run far leaner security programs than the carriers they place business with. They are a recurring soft target for extortion crews, who exploit the regulatory pressure of state insurance commissioners, the NAIC Insurance Data Security Model Law, and HIPAA where health lines are involved to accelerate ransom payment. A confirmed breach at EPB would trigger notification obligations across four state regimes simultaneously and could cascade to the carriers whose appointed agents handle the underlying policies. Even an unverified claim places defenders on notice that DragonForce is actively prospecting the U.S. mid-market insurance vertical.
The Attack Technique
DragonForce has not described initial access in the EPB post, and no IOCs have been released. Open-source reporting on the group's prior intrusions describes a tooling pattern centered on hands-on-keyboard operations: Mimikatz for credential harvesting from LSASS, Advanced IP Scanner and SoftPerfect NetScan for internal network mapping, and PingCastle for Active Directory enumeration and trust path analysis. This stack is consistent with operators who land via exposed RDP, VPN appliances missing patches, or phishing-delivered loaders, then pivot toward domain dominance before staging exfiltration and deploying the locker. The group's overall victim count and track record remain limited in open sources, which warrants additional skepticism toward unverified claims.
What Organizations Should Do
- Hunt for the DragonForce tooling fingerprint: Mimikatz execution patterns, unsigned Advanced IP Scanner and NetScan binaries on non-admin workstations, and PingCastle runs outside of sanctioned audit windows.
- Enforce phishing-resistant MFA on all VPN, RDP gateways, Microsoft 365, and remote management tooling, and audit for legacy authentication paths that bypass it.
- Tier and isolate Active Directory: restrict Domain Admin logons to Privileged Access Workstations, deploy LAPS, and remediate the high-risk findings PingCastle would surface before the adversary does.
- Validate that backups are immutable, off-domain, and tested for restore, and segment file shares so a single compromised account cannot enumerate the entire data estate.
- Insurance agencies specifically: review NAIC Model Law and state-specific incident response and notification obligations now, before an incident forces a 72-hour scramble, and confirm cyber insurance carrier contact paths.
- Subscribe to DragonForce leak site monitoring and treat any further EPB-related post as a trigger for accelerated tabletop and customer communications planning.
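The first hunting item above can be expressed as a triage pass over process-creation telemetry. The following is an added example, not code from the source report or from any vendor: the event field names, host names, admin-host allowlist, audit window, and sample events are all constructed assumptions to be replaced with values from your own EDR or Sysmon pipeline.

```python
from datetime import datetime

# Assumptions (not from the article): field names, the admin-host allowlist
# and the sanctioned audit window are hypothetical placeholders.
ADMIN_HOSTS = {"IT-ADMIN-01"}
AUDIT_WINDOWS = [(datetime(2026, 6, 1, 8), datetime(2026, 6, 1, 18))]
SCANNERS = ("advanced_ip_scanner", "netscan")
MIMIKATZ_MARKERS = ("mimikatz", "sekurlsa::", "lsadump::", "privilege::debug")

def classify(event):
    """Return the hunt findings for one process-creation event."""
    image = event["image"].lower()
    cmdline = event.get("command_line", "").lower()
    ts = datetime.fromisoformat(event["time"])
    findings = []
    # Mimikatz: match module syntax as well, since the binary is often renamed.
    if any(m in image or m in cmdline for m in MIMIKATZ_MARKERS):
        findings.append("mimikatz-pattern")
    # Scanners: only unsigned copies on hosts outside the admin allowlist.
    unsigned_scanner = any(s in image for s in SCANNERS) and not event.get("signed", False)
    if unsigned_scanner and event["host"] not in ADMIN_HOSTS:
        findings.append("unsigned-scanner-on-non-admin-host")
    # PingCastle: expected during a sanctioned audit, suspicious otherwise.
    in_window = any(start <= ts <= end for start, end in AUDIT_WINDOWS)
    if "pingcastle" in image and not in_window:
        findings.append("pingcastle-outside-audit-window")
    return findings

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"host": "AGENT-WS-07", "time": "2026-05-20T02:14:00", "signed": False,
     "image": r"C:\Users\Public\m.exe", "command_line": "m.exe privilege::debug sekurlsa::logonpasswords exit"},
    {"host": "AGENT-WS-07", "time": "2026-05-20T02:31:00", "signed": False,
     "image": r"C:\Temp\advanced_ip_scanner.exe"},
    {"host": "IT-ADMIN-01", "time": "2026-05-20T09:00:00", "signed": True,
     "image": r"C:\Tools\netscan.exe"},
    {"host": "DC-01", "time": "2026-06-01T10:00:00", "signed": True,
     "image": r"C:\Tools\PingCastle.exe", "command_line": "PingCastle.exe --healthcheck"},
    {"host": "AGENT-WS-12", "time": "2026-05-21T23:40:00", "signed": True,
     "image": r"C:\Temp\PingCastle.exe", "command_line": "PingCastle.exe --healthcheck"},
]

def hunt(events):
    """Flatten findings into (host, time, finding) tuples for triage."""
    return [(e["host"], e["time"], f) for e in events for f in classify(e)]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit)
```

Name-based matching misses renamed scanner binaries, so pair it with hash or signer checks where your telemetry provides them.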
Sources: EPB Insurance Ransomware Attack by DragonForce (May 2026)