On May 25, 2026, the DragonForce ransomware group claimed responsibility for a cyberattack against Xchange Technology Rentals (xtr-global.de), a German provider of IT and audiovisual equipment rental services. The group has threatened to publish stolen data unless the company enters negotiations, marking another high-profile extortion event in the European IT services sector.
What Happened
DragonForce listed Xchange Technology Rentals on its data leak site on May 25, 2026, publicly claiming compromise of the company's environment. According to the threat actor statement, "The full leak will be published unless Xchange Technology Rentals engages with us for negotiations." The listing follows DragonForce's standard double-extortion playbook: encrypt the victim's systems, exfiltrate sensitive data, and use the threat of public disclosure as leverage. The incident was tracked and reported by DeXpose, which monitors ransomware leak sites in near real time.
Xchange Technology Rentals operates across Germany as a rental specialist for enterprise IT and AV hardware, supporting events, broadcast, corporate, and project-based deployments. A successful intrusion into this type of business carries downstream risk for every client whose equipment, credentials, or project documentation may have traversed the provider's systems.
What Was Taken
DragonForce has not yet published the full data set, but the group's threat language indicates a substantive exfiltration prior to encryption. Based on the victim's business model, the data likely at risk includes:
- Customer contracts, rental agreements, and shipping logistics for IT and AV equipment
- Corporate and event client lists, including potentially high-profile broadcast and enterprise customers
- Employee records, payroll, and internal HR documentation
- Financial records, invoicing data, and banking details
- Network configuration data, asset inventories, and credentials for managed rental devices
Until the leak materializes, exact volume and document categories remain unconfirmed. DragonForce typically stages partial proof samples before releasing complete archives.
Why It Matters
The IT and AV rental sector sits at an under-appreciated intersection of supply chain risk. Rental providers hold privileged inventory data, customer technical contacts, and in many cases pre-configured devices destined for sensitive corporate or government events. A compromise here is rarely contained to the rental firm itself, as leaked client lists and event schedules enable downstream targeting, social engineering, and physical-security reconnaissance.
For German and broader EU defenders, the listing reinforces DragonForce's continued operational tempo against mid-market European businesses. The group has shown willingness to follow through on leaks when ransom negotiations stall, meaning customers and partners of Xchange Technology Rentals should be preparing for potential third-party data exposure now, not after publication.
The Attack Technique
DragonForce has not disclosed initial access details for this intrusion, and no public technical indicators have been released at time of writing. The group's historical tradecraft, however, is consistent and includes:
- Exploitation of unpatched perimeter appliances, including VPN and remote access gateways
- Use of valid credentials sourced from infostealer logs and dark web marketplaces
- Phishing for initial foothold, followed by living-off-the-land lateral movement
- Deployment of affiliate-built lockers under the DragonForce ransomware-as-a-service model
- Staged exfiltration to cloud storage prior to encryption to support double extortion
Defenders should assume any of these vectors until forensic detail is released.
What Organizations Should Do
- Hunt for DragonForce indicators across endpoint and network telemetry, prioritizing anomalous archive creation, rclone or MEGA traffic, and unusual RDP or VPN logins.
- Validate that backups are offline, immutable, and recently restore-tested, since DragonForce affiliates target backup repositories before detonation.
- Enforce phishing-resistant multi-factor authentication on all remote access, email, and privileged administrative paths.
- Monitor infostealer log marketplaces and dark web channels for credentials tied to corporate domains, especially for staff at IT, AV, and rental supply chain partners.
- Review third-party and supplier exposure if your organization has rented equipment or shared technical contact data with Xchange Technology Rentals, and rotate any shared credentials.
- Engage qualified incident response counsel and forensics before any direct communication with the threat actor, and report the incident to BSI and relevant data protection authorities as required under German and EU law.
Sources: DragonForce Ransomware Attack on Xchange Technology Rentals - DeXpose