The DragonForce ransomware group has added WG Neukölln eG, a Berlin-based housing cooperative serving the Neukölln district, to its dark web leak site. The listing, surfaced on May 27, 2026, marks the latest in a string of DragonForce postings and extends the group's reach into Germany's social housing sector. Specific data volumes, ransom demands, and intrusion vectors have not yet been disclosed by the operators.
What Happened
DragonForce published WG Neukölln eG on its Tor-based victim disclosure portal alongside multiple other named targets in the same posting cycle. The cooperative manages residential properties and provides social services to tenants across one of Berlin's most densely populated districts, making it a custodian of substantial personal and financial records. As of publication, WG Neukölln eG has not issued a public statement confirming or denying the intrusion, and no proof-of-compromise samples have been observed on the leak site. The listing follows DragonForce's standard playbook: name the victim, withhold technical details, and apply pressure through public exposure ahead of any sample drop.
What Was Taken
The scope of exfiltration is currently unconfirmed. Based on the cooperative's operational profile, the at-risk data set likely includes tenant personally identifiable information (full names, addresses, dates of birth, national ID and tax numbers), rental agreements and payment histories, SEPA banking details for rent collection, internal correspondence, vendor and contractor records, and employee HR data. German housing cooperatives also typically hold cooperative membership share records, which combine financial and identity data in a single document set. Until DragonForce publishes proof packs or a full data dump, the precise volume remains speculative.
Why It Matters
Housing cooperatives sit at an awkward intersection: they hold bank-grade financial data and government-grade identity records, but generally operate on thin IT budgets closer to small nonprofits. A successful encryption or extortion event can paralyze rent collection, repair dispatch, and tenant communications simultaneously, while exposing data subject to GDPR's strictest enforcement regime. For tenants, leaked records create durable downstream risk including identity fraud, targeted phishing, and rental scams. For defenders across the broader German Wohnungswirtschaft sector, this incident is another data point in a trend of ransomware crews systematically working through housing providers, municipalities, and adjacent social-service entities where downtime tolerance is low and public scrutiny is high.
The Attack Technique
DragonForce, a ransomware-as-a-service operation that absorbed code lineage and affiliates from the LockBit and Conti ecosystems, does not rely on a single intrusion technique. Recent affiliate activity attributed to the brand has leaned on compromised VPN and remote access appliances, phishing payloads delivering loaders such as SocGholish and PikaBot, exploitation of unpatched edge devices, and abuse of valid accounts purchased from initial access brokers. Post-intrusion tradecraft commonly includes deployment of Cobalt Strike or Sliver beacons, Active Directory enumeration with tools like AdFind and SharpHound, lateral movement via RDP and SMB, and exfiltration through Rclone or MEGA before encryption is launched. No specific vector has been attributed to the WG Neukölln eG case yet.
What Organizations Should Do
- Harden external attack surface: Audit all internet-exposed remote access, VPN, and management interfaces; apply vendor patches for known DragonForce affiliate targets including Ivanti, Fortinet, Citrix, and SonicWall appliances; enforce MFA on every remote pathway without exception.
- Hunt for precursor activity: Search SIEM and EDR telemetry for SocGholish, PikaBot, Cobalt Strike, and Rclone indicators; review for anomalous AdFind, SharpHound, and PsExec usage; flag bulk outbound traffic to MEGA, Backblaze, and unfamiliar cloud storage endpoints.
- Segment and protect tenant data stores: Isolate rent collection, HR, and tenant management systems on separate VLANs with strict east-west firewall rules; encrypt PII at rest; restrict service-account permissions and rotate credentials.
- Validate backups against ransomware scenarios: Confirm immutable or offline backup copies exist for tenant records and financial systems; perform a tabletop restore of critical workloads end to end, not just file recovery.
- Prepare a GDPR-compliant response playbook: Pre-draft notification templates for the Berlin Beauftragte für Datenschutz und Informationsfreiheit, ensure the 72-hour breach notification clock is understood by the response team, and identify outside counsel and DFIR retainers in advance.
- Train staff on extortion-era phishing: Reinforce caution on invoice fraud, fake Microsoft 365 login prompts, and HR-themed lures, which remain the most common doorways for affiliates feeding access to RaaS brands like DragonForce.
Sources: 🏴☠️ Dragonforce has just published a new victim : WG Neukölln | Today In Cyber