On May 25, 2026, the DragonForce ransomware group publicly claimed responsibility for a cyberattack against SPH Value (sphvalue.com), a U.S. financial analysis and valuation services firm. The group has threatened to publish exfiltrated data unless the victim initiates negotiations through their designated channels, marking another financial-sector compromise added to DragonForce's growing victim portfolio.
What Happened
DragonForce listed SPH Value on its dark web leak site on May 25, 2026, accompanied by a public extortion statement: "The full leak will be published soon, unless a company representative contacts us via the channels provided." The posting follows DragonForce's established double-extortion playbook, where data is exfiltrated prior to encryption and then weaponized as leverage against the victim. SPH Value, headquartered in the United States, has not issued a public statement confirming or denying the breach at the time of reporting. The incident was first surfaced by threat intelligence firm DeXpose, which tracks ransomware leak site activity in near real-time.
What Was Taken
DragonForce has not disclosed the specific volume or categories of data exfiltrated from SPH Value at this stage, a common pressure tactic intended to extend the negotiation window. Given SPH Value's role in financial analysis and valuation services, likely exposed assets include client financial records, proprietary valuation models, M&A advisory documentation, due-diligence files, internal communications, and personally identifiable information (PII) belonging to clients and employees. Financial sector breaches of this nature frequently contain material non-public information (MNPI), which carries additional regulatory and market-abuse risk if leaked.
Why It Matters
Financial analysis and valuation firms occupy a high-trust position in corporate transactions and capital markets, holding sensitive data that can move markets if exposed. A leak of SPH Value's client engagements could compromise pending deals, expose confidential corporate strategy, and trigger SEC disclosure obligations for affected clients. DragonForce, which emerged in late 2023 and accelerated its operations throughout 2024 and 2025, has increasingly pivoted toward mid-market professional services firms, where security maturity often lags behind the sensitivity of the data held. The group's continued targeting of U.S. financial services organizations underscores a broader pattern of ransomware actors prioritizing high-leverage verticals with tight regulatory exposure.
The Attack Technique
DragonForce has not publicly disclosed the initial access vector used against SPH Value. Based on the group's prior tradecraft, common entry points include compromised credentials sourced from infostealer logs, exploitation of unpatched edge devices (VPN concentrators, firewalls), phishing with malicious attachments, and abuse of exposed RDP services. After gaining a foothold, DragonForce affiliates typically deploy commodity tooling such as Cobalt Strike, AnyDesk, or PsExec for lateral movement, harvest credentials via Mimikatz, exfiltrate data using Rclone or MEGA, and then deploy their ransomware payload, which is built on leaked LockBit Black and Conti codebases.
What Organizations Should Do
- Audit credential exposure: Continuously monitor dark web markets, paste sites, and infostealer dumps for leaked employee and service-account credentials tied to corporate domains.
- Validate offline backups: Maintain immutable, air-gapped backups and routinely test restoration procedures to ensure recovery is viable without paying a ransom.
- Harden external attack surface: Patch all internet-facing infrastructure, disable unnecessary RDP exposure, and require phishing-resistant MFA on all remote access.
- Hunt for precursor activity: Proactively search SIEM and EDR telemetry for indicators associated with DragonForce affiliates, including suspicious Rclone or MEGA traffic, unusual PsExec usage, and Cobalt Strike beacons.
- Segment sensitive data stores: Isolate financial models, client engagement files, and MNPI repositories behind strict access controls and behavioral monitoring.
- Prepare an incident response playbook: Engage legal counsel, regulators, and qualified DFIR firms in advance, and never open direct dialogue with ransomware actors without expert representation.
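The "Hunt for precursor activity" item above can be prototyped before it is written as SIEM rules. The following is an added example, not code from DeXpose or any vendor: the event field names, host names, allowlist and sample events are all constructed assumptions, and it covers only the Rclone, PsExec and MEGA indicators, not Cobalt Strike beacons.

```python
import re
from pathlib import PureWindowsPath

# Assumption: admin jump hosts where PsExec use is expected.
PSEXEC_ALLOWED_HOSTS = {"ADMIN-JUMP01"}
MEGA_SUFFIXES = (".mega.nz", ".mega.co.nz")
# An rclone transfer verb plus a "remote:path" argument; the remote name
# needs 2+ characters so drive letters such as C:\ do not match.
RCLONE_VERB = re.compile(r"\s(copy|sync|move)\s", re.I)
RCLONE_REMOTE = re.compile(r"\s[\w-]{2,}:[^\s\\]*(\s|$)")

def classify(event):
    """Return the names of the hunting rules that one event matches."""
    hits = []
    image = PureWindowsPath(event.get("image", "")).name.lower()
    cmd = " " + event.get("cmdline", "") + " "
    dest = "." + event.get("dest_host", "").lower()
    # Rclone by name, or a renamed binary still using rclone syntax.
    renamed = RCLONE_VERB.search(cmd) and RCLONE_REMOTE.search(cmd)
    if image.startswith("rclone") or renamed:
        hits.append("rclone_transfer")
    # PsExec client or its PSEXESVC service on a non-allowlisted host.
    psexec = image in {"psexec.exe", "psexec64.exe", "psexesvc.exe"}
    if psexec and event.get("host") not in PSEXEC_ALLOWED_HOSTS:
        hits.append("psexec_unusual_host")
    # Outbound connection to a MEGA domain.
    if dest.endswith(MEGA_SUFFIXES):
        hits.append("mega_egress")
    return hits

def hunt(events):
    """Return (host, rule) pairs for every rule hit, in input order."""
    return [(e["host"], r) for e in events for r in classify(e)]

# Constructed sample events; the field names are assumptions (Sysmon-like).
SAMPLE_EVENTS = [
    {"host": "WS-114", "image": r"C:\ProgramData\svchost.exe",
     "cmdline": r"svchost.exe copy \\FS01\Finance remote1:dump --transfers 16"},
    {"host": "WS-114", "image": r"C:\Windows\PSEXESVC.exe", "cmdline": "PSEXESVC.exe"},
    {"host": "ADMIN-JUMP01", "image": r"C:\Tools\PsExec64.exe",
     "cmdline": r"PsExec64.exe \\WS-200 -accepteula cmd"},
    {"host": "FS01", "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs", "dest_host": "g.api.mega.co.nz"},
    {"host": "WS-007", "image": r"C:\Windows\System32\xcopy.exe",
     "cmdline": r"xcopy C:\Reports D:\Backup /E"},
]

if __name__ == "__main__":
    print(hunt(SAMPLE_EVENTS))
```

The rclone rule keys on command-line syntax as well as the image name because a renamed binary keeps the same verbs and remote:path arguments; expect to tune it against legitimate backup jobs in your own telemetry.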