On April 27, 2026, the DragonForce ransomware group claimed responsibility for a cyberattack against Wm. Sopko & Sons Co. (wmsopko.com), a major US-based supplier of Dumore automatic self-feeding drilling and threading equipment. The group has issued a public extortion threat, warning that exfiltrated data will be leaked unless a company representative opens negotiations through their designated channels. The claim was first surfaced via dark web monitoring by DeXpose.

What Happened

DragonForce listed Wm. Sopko & Sons Co. on its data leak site on April 27, 2026, accompanied by a sample of allegedly stolen files and a countdown threat. According to the actor's posting, the intrusion has progressed past the encryption and exfiltration stages, and the group is now in the public-pressure phase of its double-extortion playbook. The threat actor statement reads: "The full leak will be published soon, unless a company representative contacts us via the channels provided." As of publication, Wm. Sopko & Sons Co. has not issued a public statement confirming or denying the breach, and there is no indication that negotiations are underway.

What Was Taken

DragonForce has not published a full inventory of stolen data, but its standard tradecraft involves harvesting business-critical archives prior to encryption. For a precision-equipment distributor like Wm. Sopko & Sons, the likely exposure includes customer order records, distributor and dealer agreements, OEM technical documentation tied to the Dumore product line, financial and accounting files, employee HR records, and internal email archives. Given the company's role in the industrial supply chain, any leaked customer manifests could expose downstream manufacturers and machine shops to follow-on targeting. Sample files staged on the leak portal typically serve as proof-of-breach to validate the actor's claim.

Why It Matters

Wm. Sopko & Sons sits in a quiet but strategically important corner of the US industrial base, supplying specialized drilling and threading equipment to manufacturers, MRO operations, and toolrooms across multiple sectors. A successful compromise of a niche, mid-market industrial distributor creates ripple risk: customer lists become target lists, and technical drawings or service records can be weaponized for spear-phishing against downstream buyers. DragonForce has steadily expanded its victim count across manufacturing and industrial supply throughout 2025 and 2026, and this incident reinforces a broader pattern of ransomware crews prioritizing operationally critical, lightly defended SMB suppliers over hardened enterprise targets.

The Attack Technique

DragonForce operates as a ransomware-as-a-service (RaaS) affiliate program and does not rely on a single fixed initial-access vector. Affiliates have historically gained entry via exploitation of unpatched edge devices (VPN concentrators, firewalls, and remote management appliances), purchase of valid credentials from infostealer log markets, and phishing campaigns delivering loaders such as SocGholish or Pikabot. Once inside, affiliates typically abuse legitimate tools (AnyDesk, RDP, PsExec, Cobalt Strike) for lateral movement, exfiltrate data via Rclone or MEGA before deploying the locker payload, and disable backup and EDR tooling prior to encryption. The specific intrusion vector used against Wm. Sopko & Sons has not been disclosed.
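The tool sequence described above can be hunted by correlating process-creation records per host; the following is an added example, not code from DeXpose or the original post. The log format, host names, sample records and the specific backup-tamper commands are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Stage patterns for the tools named above. The backup-tamper commands are an
# assumption: the article names no specific command for that step.
STAGES = {
    "remote_tool": re.compile(r"\b(anydesk|psexec(64)?)(\.exe)?\b", re.I),
    # rclone transfer whose destination is a named remote ("mega:"), not a drive letter
    "exfil": re.compile(r"\brclone(\.exe)?\b.*\b(copy|sync|move)\b.*\s[\w-]{2,}:", re.I),
    "backup_tamper": re.compile(
        r"\b(vssadmin(\.exe)?\s+delete\s+shadows|wbadmin(\.exe)?\s+delete\s+catalog)\b", re.I),
}

# Constructed process-creation records: timestamp|host|command line
SAMPLE = [
    r"2026-01-10T01:02:00|FS01|C:\Tools\PsExec64.exe \\FS02 ipconfig",
    r"2026-01-10T02:15:00|FS01|rclone.exe copy D:\Shares mega:out --transfers 8",
    r"2026-01-10T03:40:00|FS01|vssadmin.exe delete shadows /all /quiet",
    r"2026-01-10T09:00:00|HELPDESK7|C:\Program Files (x86)\AnyDesk\AnyDesk.exe",
    r"2026-01-12T10:00:00|BKP01|rclone sync E:\Backups F:\Mirror",
    r"2026-01-12T11:00:00|BKP01|vssadmin list shadows",
    r"2026-01-03T10:00:00|APP02|rclone copy C:\Logs s3archive:logs",
    r"2026-01-15T10:00:00|APP02|wbadmin delete catalog -quiet",
]

def parse(line):
    ts, host, cmd = line.split("|", 2)
    return datetime.fromisoformat(ts), host, cmd

def correlate(lines, window=timedelta(hours=24), min_stages=2):
    """Return {host: [stages]} for hosts with >= min_stages distinct stages
    inside one window, listed in order of first appearance."""
    hits = {}
    for ts, host, cmd in sorted(map(parse, lines)):
        for stage, rx in STAGES.items():
            if rx.search(cmd):
                hits.setdefault(host, []).append((ts, stage))
    alerts = {}
    for host, seen in hits.items():
        for i, (start, _) in enumerate(seen):
            stages = list(dict.fromkeys(s for t, s in seen[i:] if t - start <= window))
            if len(stages) >= min_stages and len(stages) > len(alerts.get(host, [])):
                alerts[host] = stages
    return alerts

if __name__ == "__main__":
    for host, stages in correlate(SAMPLE).items():
        print(f"{host}: {' -> '.join(stages)}")
```

A lone AnyDesk launch, a local rclone mirror, and two stages twelve days apart do not alert with the default 24-hour window; only the host showing the full chain does.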

What Organizations Should Do

Sources: DragonForce Ransomware Attack on Wm. Sopko & Sons Co. - DeXpose