On May 25, 2026, the DragonForce ransomware group publicly claimed responsibility for a cyberattack against Saver NV (saver.nl), a leading waste management and environmental services provider headquartered in Roosendaal, Netherlands. The group posted Saver NV to its data leak site and threatened to release exfiltrated data unless a company representative opens negotiations through DragonForce's channels. The incident was reported by DeXpose on May 26, 2026.
What Happened
DragonForce added Saver NV to its dark web leak portal on May 25, 2026, accompanied by an extortion notice warning that "the full leak will be published soon, unless a company representative contacts us via the channels provided." The posting follows DragonForce's standard double-extortion playbook: compromise the target environment, exfiltrate sensitive data, deploy ransomware to encrypt systems, and then publicly name the victim to apply pressure during ransom negotiations. As of publication, Saver NV has not issued a public statement acknowledging the intrusion, and the operational impact on waste collection, processing, or municipal service delivery remains unconfirmed.
What Was Taken
DragonForce has not yet released a sample pack or itemized inventory of the stolen data, and the precise volume of exfiltrated information has not been disclosed. Based on Saver NV's business profile, the data set is likely to include corporate financial records, HR and payroll information for its workforce, contract documentation tied to municipal and commercial waste customers across the Brabant region, operational telemetry from fleet and route management systems, and internal correspondence. Customer-facing data covering municipalities and private clients is also at risk given the company's role as a regional service provider. A full leak is threatened if negotiations do not commence.
Why It Matters
Saver NV provides essential municipal services across Roosendaal and surrounding Dutch municipalities, putting this incident squarely in the critical infrastructure adjacency category that European regulators have increasingly prioritized under NIS2. A successful extortion against a waste management operator demonstrates that DragonForce continues to view mid-sized European utilities and environmental services firms as soft, high-leverage targets. The attack also reinforces a trend wasteland.me has tracked through 2026: ransomware crews are shifting downstream from large enterprises to regional operators where downtime directly disrupts citizen-facing services, increasing the political and reputational pressure to pay.
The Attack Technique
DragonForce operates as a ransomware-as-a-service (RaaS) affiliate program and has historically relied on a mix of initial access vectors including phishing with credential harvesting, exploitation of unpatched edge appliances (notably VPN concentrators and firewalls), abuse of valid accounts purchased from initial access brokers, and lateral movement via compromised RDP and SMB. Affiliates typically deploy Cobalt Strike or Sliver for command and control, use legitimate tools such as Rclone and MEGAcmd for data staging and exfiltration, and disable endpoint defenses via BYOVD (bring-your-own-vulnerable-driver) techniques before detonating the encryptor. The specific intrusion chain against Saver NV has not been published.
What Organizations Should Do
- Hunt for DragonForce TTPs: review EDR telemetry for Rclone, MEGAcmd, Cobalt Strike beacons, and unusual PowerShell or WMI activity across the past 60 days.
- Audit external attack surface: patch internet-facing VPN, firewall, and remote access appliances, and disable any legacy SSL VPN or RDP exposure that is not strictly required.
- Validate offline, immutable backups: confirm restore times for critical OT and ERP systems, and ensure backup credentials are segmented from production AD.
- Enforce phishing-resistant MFA on all remote access, email, and privileged accounts; rotate any credentials surfacing in infostealer logs.
- Segment IT from OT and fleet management networks so that an enterprise compromise cannot pivot into route planning, weighbridge, or SCADA systems.
- Pre-engage incident response counsel and a DFIR retainer before any contact is made with the threat actor; coordinate with the Dutch National Cyber Security Centre (NCSC-NL) as required under NIS2.
Sources: DragonForce Ransomware Attack on Saver NV Waste Management - DeXpose