The DragonForce ransomware group claims to have breached Synmosa Biopharma, a Taipei-based specialty pharmaceutical corporation, posting the company on its dark web extortion portal. The threat actors allege exfiltration of 280.15 GB of corporate and operational data and have set a publication countdown of roughly 34 days, after which they threaten to leak the stolen information.

What Happened

DragonForce listed Synmosa Biopharma on its leak site as a confirmed victim of a successful intrusion and data theft operation. The group, which operates a ransomware-as-a-service (RaaS) model, follows the now-standard double extortion playbook: encrypt the victim's environment, exfiltrate sensitive data, and pressure payment under threat of public disclosure. The countdown timer of approximately 34 days is consistent with DragonForce's established negotiation windows, giving Synmosa a narrow runway to either pay, negotiate, or prepare for full data exposure.

Synmosa Biopharma, established in 1980 and headquartered in Taipei City, operates across multiple verticals including pharmaceutical agency representation, manufacturing, OEM production, and research and development. This diversified footprint significantly expands the potential blast radius of any stolen data, touching partners, contract manufacturers, regulators, and patients.

What Was Taken

According to DragonForce's leak site posting, the threat actors claim to possess 280.15 GB of unspecified corporate and operational files. While exact categories have not been disclosed, intrusions against pharmaceutical organizations of this scale typically yield:

The volume suggests a deep, sustained presence in the network rather than a smash-and-grab operation.

Why It Matters

Pharmaceutical companies sit at a high-value intersection of intellectual property, regulated data, and operational technology. A breach of a Taiwanese specialty pharma firm has implications beyond the immediate victim. Stolen R&D and OEM contracts can erode competitive advantage and expose downstream manufacturing partners. Regulatory data leaks may trigger compliance reviews from health authorities in every jurisdiction Synmosa serves. Taiwan's pharmaceutical sector has also been a recurring target for both financially motivated and state-aligned actors, raising the stakes for sector-wide threat sharing.

DragonForce has rapidly emerged as one of the more aggressive RaaS operations in 2025 and 2026, absorbing affiliates from disrupted groups and demonstrating consistent operational tempo against mid-market targets globally.

The Attack Technique

DragonForce affiliates have historically gained initial access through a mix of techniques, including exploitation of unpatched edge appliances (VPN concentrators, firewalls, and remote access gateways), credential stuffing against exposed services, phishing with credential harvesting, and abuse of compromised RDP endpoints. Post-compromise, affiliates typically deploy living-off-the-land tooling, Cobalt Strike or Sliver beacons, and legitimate remote management software for persistence and lateral movement before staging exfiltration through cloud storage providers or attacker-controlled infrastructure.

Specific intrusion vectors used against Synmosa have not been publicly disclosed, and the company has not yet issued a formal statement.

What Organizations Should Do

Pharmaceutical and life sciences organizations, particularly those operating in or partnered with Taiwan-based firms, should treat this incident as a prompt for the following actions:

  1. Audit external attack surface. Inventory all internet-facing appliances, VPNs, and remote access tools, and verify patch status against known DragonForce-affiliated CVEs.
  2. Enforce phishing-resistant MFA. Deploy hardware tokens or FIDO2 across all privileged accounts, VPN access, and email systems. SMS and push-based MFA are no longer sufficient.
  3. Hunt for known DragonForce TTPs. Look for unauthorized RMM tools (AnyDesk, ScreenConnect, Atera), suspicious PowerShell execution, and anomalous outbound transfers to cloud storage providers.
  4. Segment OEM and partner network access. Limit lateral pathways between contract manufacturing environments and corporate IT to contain blast radius.
  5. Validate offline backups. Confirm immutable, air-gapped backups exist for all R&D, regulatory, and operational systems, and rehearse restoration timelines.
  6. Prepare third-party notification workflows. Pharmaceutical breaches frequently trigger contractual and regulatory notification obligations to partners, OEM clients, and health authorities. Have templates and legal review pathways ready.
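A starting point for the hunt in step 3, added here as an illustration and not taken from the source reporting or from any vendor tooling: a small Python pass over process-creation and network-flow events that flags the three signals named there. The event layout, hostnames, the `.storage.example` suffix, the approved-host list and the 1 GiB threshold are all assumptions to replace with your own telemetry schema and baselines.

```python
import re

# Process image names for the RMM tools named in step 3 (lower-cased).
RMM_IMAGES = {"anydesk.exe", "screenconnect.clientservice.exe", "ateraagent.exe"}
APPROVED_RMM_HOSTS = {"HELPDESK-01"}       # assumption: hosts where IT sanctions RMM
CLOUD_SUFFIXES = (".storage.example",)     # placeholder: replace with providers you see
EGRESS_BYTES = 1024**3                     # assumption: 1 GiB per flow is worth a look
# powershell.exe -e/-ec/-enc/-EncodedCommand, or -w/-WindowStyle hidden
PS_FLAGS = re.compile(r"(?i)\s-(enc\w*|e|ec)\s|\s-w\w*\s+hidden")
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed sample telemetry (not taken from the incident).
SAMPLE_EVENTS = [
    {"type": "process", "host": "HELPDESK-01", "cmdline": "AnyDesk.exe",
     "image": r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe"},
    {"type": "process", "host": "LAB-WS-07", "cmdline": "AnyDesk.exe",
     "image": r"C:\Users\Public\AnyDesk.exe"},
    {"type": "process", "host": "LAB-WS-07", "image": PS,
     "cmdline": "powershell.exe -NoProfile -w hidden -enc <BASE64_PLACEHOLDER>"},
    {"type": "process", "host": "FIN-WS-02", "image": PS,
     "cmdline": r"powershell.exe -ExecutionPolicy RemoteSigned -File C:\Scripts\inv.ps1"},
    {"type": "netflow", "host": "RD-FS-01",
     "dest_host": "bucket1.storage.example", "bytes_out": 6 * 1024**3},
    {"type": "netflow", "host": "FIN-WS-02",
     "dest_host": "bucket2.storage.example", "bytes_out": 20 * 1024**2},
]

def hunt(events):
    """Return (host, rule, detail) findings for the three hunt ideas in step 3."""
    findings = []
    for ev in events:
        host = ev["host"]
        if ev["type"] == "process":
            image = ev["image"].replace("\\", "/").rsplit("/", 1)[-1].lower()
            if image in RMM_IMAGES and host not in APPROVED_RMM_HOSTS:
                findings.append((host, "unapproved_rmm", ev["image"]))
            if image in ("powershell.exe", "pwsh.exe") and PS_FLAGS.search(ev["cmdline"]):
                findings.append((host, "suspicious_powershell", ev["cmdline"]))
        elif ev["type"] == "netflow":
            dest = ev["dest_host"].lower()
            if dest.endswith(CLOUD_SUFFIXES) and ev["bytes_out"] >= EGRESS_BYTES:
                findings.append((host, "large_cloud_upload", dest))
    return findings

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(*finding, sep=" | ")
```

Findings from rules like these are leads for triage, not verdicts: encoded PowerShell and large cloud uploads both occur in legitimate administration, so tune the allowlist and threshold against a baseline before alerting on them.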

Sources: Synmosa Biopharma Hit by Dragonforce Ransomware Attack - Volk News