Australian gelato franchise Gelatissimo has been listed on the DragonForce ransomware gang's dark web leak site, with the threat actors claiming to have exfiltrated 352.24 gigabytes of internal data. The listing, reported by Cyber Daily on 28 April 2026, includes a sample of six screenshots showing employee, executive, and financial records spanning operations in Australia and the Philippines.
What Happened
DragonForce posted Gelatissimo to its leak site without disclosing the initial intrusion vector or ransom demand. The gang published a sample set of six screenshots as proof of access and set a countdown of just over four days before the full dataset is scheduled to be published. Gelatissimo, founded in 2002 and now Australia's largest gelato retail brand, operates more than 50 locations domestically and additional outlets overseas, including six in the Philippines. Cyber Daily reports it has contacted the company and is awaiting comment.
What Was Taken
DragonForce claims to have stolen 352.24 GB of data. The published sample contains highly sensitive personal and financial information, including:
- Employee and executive details: names, income types, identification documents, partial tax file numbers, emails, phone numbers, and job roles
- A receipt containing financial account details
- An internal incident report
- A bank statement
- A visa application form containing extensive personal data on the applicant
The exposure spans staff in both Australia and the Philippines, raising privacy obligations under the Australian Privacy Act and the Philippine Data Privacy Act of 2012.
Why It Matters
Retail and hospitality franchises are increasingly attractive targets for ransomware-as-a-service (RaaS) affiliates because they combine large workforces, distributed point-of-sale infrastructure, and centralised HR and finance systems holding sensitive personal data. Tax file numbers and visa application data are particularly high-value for downstream identity fraud and tax-refund scams. The cross-border nature of the leak, with Filipino employees affected, also means Gelatissimo faces compliance scrutiny from multiple regulators simultaneously, including the OAIC and the National Privacy Commission of the Philippines.
The Attack Technique
DragonForce has not disclosed how it gained access, and Gelatissimo has not yet confirmed the breach. DragonForce operates a RaaS model in which affiliates rent the gang's ransomware platform in exchange for a share of profits. Affiliate tradecraft commonly observed in DragonForce intrusions includes phishing for valid credentials, exploitation of unpatched perimeter devices (VPN appliances, edge gateways), abuse of exposed RDP, and use of legitimate remote management tools to move laterally before staging data for exfiltration. The publication of intact internal documents, rather than encrypted file listings, suggests a data-theft-led extortion approach rather than purely encryption-based disruption.
What Organizations Should Do
- Audit external attack surface for exposed VPN, RDP, and remote management portals; enforce phishing-resistant MFA on all remote access.
- Hunt for known DragonForce affiliate indicators, including suspicious use of AnyDesk, ScreenConnect, Cobalt Strike, and SystemBC, as well as unusual outbound traffic to cloud storage providers (Mega, Rclone-driven flows).
- Segment HR, finance, and franchise back-office systems from store-level networks to limit lateral movement from any compromised retail endpoint.
- Review data minimisation: visa application forms, full tax file numbers, and bank statements should not persist in shared file servers beyond their immediate operational need.
- Validate offline, immutable backups and rehearse a ransomware tabletop that includes a data-leak extortion scenario rather than only an encryption scenario.
- For affected staff in Australia and the Philippines, prepare regulator notifications under OAIC and NPC frameworks, and stand up identity-monitoring support given the exposure of TFNs and passport-grade data.
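The hunting item above, for the remote-management and Rclone indicators only, as an added example that is not from the original report: a small pass over process-creation events that flags AnyDesk or ScreenConnect clients on hosts where they are not sanctioned, and Rclone-style transfers even when the binary has been renamed. The event field names, the per-host approved-tool inventory, and the sample events are assumptions constructed for illustration.

```python
import re
from pathlib import PureWindowsPath

# Remote-management client binaries for the tools named in the hunting advice.
RMM_IMAGES = {
    "anydesk.exe": "AnyDesk",
    "screenconnect.clientservice.exe": "ScreenConnect",
    "screenconnect.windowsclient.exe": "ScreenConnect",
}
# Rclone transfer verb, a "remote:path" argument, and Rclone-specific flags.
RCLONE_VERB = re.compile(r"\s(copy|sync|move)\s", re.I)
REMOTE_SPEC = re.compile(r"\s[A-Za-z0-9_-]{2,}:\S*")  # 2+ chars skips C:\ drive letters
RCLONE_FLAGS = ("--transfers", "--config", "--bwlimit", "--no-check-certificate")

def hunt(events, approved_rmm):
    """Return (host, rule, image) findings from process-creation events.

    approved_rmm maps host -> set of sanctioned tool names (assumed inventory)."""
    findings = []
    for ev in events:
        image = PureWindowsPath(ev["image"]).name.lower()
        cmd = " " + ev["cmdline"]
        tool = RMM_IMAGES.get(image)
        if tool and tool not in approved_rmm.get(ev["host"], set()):
            findings.append((ev["host"], "unapproved_rmm", image))
        # Match on command-line shape so a renamed Rclone binary is still caught.
        looks_like_rclone = (RCLONE_VERB.search(cmd) and REMOTE_SPEC.search(cmd)
                             and any(f in cmd.lower() for f in RCLONE_FLAGS))
        if image == "rclone.exe" or looks_like_rclone:
            findings.append((ev["host"], "rclone_transfer", image))
    return findings

# Constructed sample events (hypothetical hosts and paths, not from any incident).
SAMPLE_EVENTS = [
    {"host": "HELPDESK-01", "image": r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe",
     "cmdline": r'"C:\Program Files (x86)\AnyDesk\AnyDesk.exe" --service'},
    {"host": "FIN-FS-02", "image": r"C:\ProgramData\AnyDesk.exe",
     "cmdline": r"C:\ProgramData\AnyDesk.exe --service"},
    {"host": "FIN-FS-02", "image": r"C:\Users\Public\svchost32.exe",
     "cmdline": r"svchost32.exe copy D:\HR remote1:hr --transfers 16 --config C:\Users\Public\r.conf"},
    {"host": "STORE-POS-07", "image": r"C:\Windows\System32\robocopy.exe",
     "cmdline": r"robocopy C:\pos \\backup01\pos /MIR"},
]
APPROVED = {"HELPDESK-01": {"AnyDesk"}}  # assumed inventory of sanctioned tools

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS, APPROVED):
        print(finding)
```

Cobalt Strike and SystemBC have no stable process name, so they are out of scope for this name-and-command-line check and need network or memory telemetry instead.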
Sources: Aussie ice-cream franchise Gelatissimo suffers alleged hack by DragonForce - Cyber Daily