6 May 2026 Ransomware

DragonForce Ransomware Strikes Two Australian Businesses: What SMBs Must Do Now

In the space of one week in April 2026, ransomware group DragonForce claimed two Australian victims — gelato chain Gelatissimo and residential builder Champion Homes. Both organisations confirmed unauthorised access and notified the Office of the Australian Information Commissioner and the Australian Cyber Security Centre. For small and medium businesses across Australia, the pattern is clear: DragonForce is operating here, and the entry methods it relies on are largely preventable.

Disclosure: This post contains affiliate links. We only recommend tools we've researched and trust. If you purchase through our links, we may earn a commission at no extra cost to you.

Two Australian Businesses Hit by DragonForce Ransomware in April 2026

Gelatissimo is one of Australia's most recognisable artisanal gelato chains, with more than 61 stores across the country and a further 22 internationally since opening its first Sydney outlet in 2002. On 27 April 2026, the DragonForce ransomware group published a listing for Gelatissimo on its dark web leak site, claiming to have exfiltrated 352.42 gigabytes of data from the company's systems. Gelatissimo confirmed it had detected unauthorised access, immediately engaged cybersecurity experts to contain and investigate, and notified both the Office of the Australian Information Commissioner (OAIC) and the Australian Cyber Security Centre (ACSC), according to Cyber Daily, an Australian cybersecurity publication that independently tracked the incident.

The leaked sample files shared by DragonForce reportedly included employee records listing first and last names, gross earnings, paid leave, overtime, and the last four digits of tax file numbers, alongside a visa application document containing a passport number, phone number, email address, and home address. Franchise employees across Gelatissimo's national network may be among those affected.

Six days earlier, on 21 April 2026, DragonForce claimed a second Australian victim: Champion Homes, a Sydney-based residential builder. Champion Homes confirmed that customer data had been compromised and indicated it would contact affected customers directly. The Australian Computer Society's Information Age and multiple specialist cybersecurity publications independently corroborated both attacks.

DragonForce is a Ransomware-as-a-Service (RaaS) operation first observed in 2023. Under the RaaS model, the group's developers build and maintain the ransomware platform, while affiliates — essentially independent contractors — carry out the actual intrusions and deliver the payload. This structure allows DragonForce's attack activity to scale rapidly without the core team's direct involvement in every breach. Security analysts at Anvilogic have documented at least five DragonForce intrusions targeting organisations in Australia, placing the country among the group's more active geographic targets alongside the United States and United Kingdom.

Why Australian Businesses Are in DragonForce's Crosshairs

Australia presents an attractive target for ransomware affiliates for several compounding reasons. The country has a high concentration of SMBs operating in sectors — food service, retail, construction, and hospitality — that rely on connected point-of-sale systems, HR platforms, and remote access tools, while often investing less in formal security programs than enterprise organisations. DragonForce's affiliates exploit this gap deliberately.

The group uses a double-extortion model: the ransomware encrypts files and disrupts operations, while data exfiltrated before encryption is held over the victim, with publication on the group's dark web leak site threatened unless a ransom is paid. Even if a business has working backups and can restore operations without paying, the threat of publishing staff records, customer details, or commercial contracts creates separate pressure to negotiate.

Both April attacks followed a recognisable pattern in terms of data value. Gelatissimo, as a franchise operation, coordinates HR and payroll data centrally — exactly the kind of consolidated dataset that makes a single intrusion high-value to an extortion group. Champion Homes, as a residential builder, likely retains customer contracts, deposit records, and personal identification documents from the property settlement process — information with both financial and identity-fraud value to extortionists.

The timing is also notable. Australia's mandatory ransomware reporting regime, which came into effect in May 2025, requires businesses with annual turnovers above $3 million to report ransomware incidents to the government. This regime is intended to give the ACSC better visibility into the true frequency of attacks. Both Gelatissimo and Champion Homes appear to have complied with their reporting obligations — which is appropriate — but it also means attacks that might previously have been managed quietly are now surfacing publicly. Some of the apparent increase in Australian ransomware incidents reflects better reporting rather than purely higher attack volumes.

The broader trend, however, remains significant. The ACSC's Annual Cyber Threat Report documents ransomware as one of the highest-impact threat categories for Australian businesses, with financial losses from ransomware and cyber extortion events running into the hundreds of millions of dollars annually across the country.

How DragonForce Breaks In — The Technical Reality

DragonForce's intrusion chain has a practical implication for defenders: it does not depend on exotic zero-day vulnerabilities. Based on technical analysis published by Cyble and Trend Micro's threat intelligence teams, most DragonForce intrusions follow a repeatable sequence beginning with one of three documented initial access vectors.

Exposed Remote Desktop Protocol (RDP)

Public-facing Remote Desktop Protocol servers are a consistent initial access point for DragonForce affiliates. During intrusion investigations, analysts observed suspicious login activity on public-facing remote desktop servers using valid domain account credentials, obtained either through earlier phishing campaigns or purchased from dark web credential markets. RDP listening on TCP port 3389 with no VPN in front of it lets any internet-connected attacker attempt authentication directly; Network Level Authentication only moves that check earlier in the connection and does not stop attempts made with stolen credentials. When credentials are already compromised, the only remaining barrier is the login prompt itself.
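The observation above, a successful RDP logon with valid credentials from an internet address, often preceded by a burst of failures from the same source, is something an SMB can look for in its own Windows Security log. The following Python is an added example, not code from the article or from Cyble or Trend Micro; it assumes Event ID 4624/4625 records have been flattened into the one-line shape shown, uses constructed sample events, and assumes RFC 1918 space is the only internal address range.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample events (not data from the incidents): Windows Security
# log entries flattened to one line each. 4624 = successful logon, 4625 = failed
# logon; LogonType 10 (RemoteInteractive) is an RDP session.
SAMPLE_EVENTS = """\
2026-04-20T01:12:03Z 4625 LogonType=10 Account=CORP\\j.smith Source=203.0.113.45
2026-04-20T01:12:05Z 4625 LogonType=10 Account=CORP\\j.smith Source=203.0.113.45
2026-04-20T01:12:08Z 4625 LogonType=10 Account=CORP\\j.smith Source=203.0.113.45
2026-04-20T01:12:40Z 4624 LogonType=10 Account=CORP\\j.smith Source=203.0.113.45
2026-04-20T08:30:00Z 4624 LogonType=10 Account=CORP\\a.jones Source=10.0.5.12
2026-04-20T09:00:00Z 4624 LogonType=2 Account=CORP\\a.jones Source=-
2026-04-20T22:41:17Z 4624 LogonType=10 Account=CORP\\svc-backup Source=198.51.100.9
"""

# Assumption: RFC 1918 space is the only internal address space; anything else
# is treated as the public internet (substitute your own ranges).
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<eid>\d{4}) LogonType=(?P<ltype>\d+) "
                     r"Account=(?P<acct>\S+) Source=(?P<src>\S+)$")

def is_external(src):
    """True only for a parseable address outside INTERNAL_NETS."""
    try:
        ip = ipaddress.ip_address(src)
    except ValueError:          # "-" or a hostname: no usable address
        return False
    return not any(ip in net for net in INTERNAL_NETS)

def analyse(events, failure_threshold=3):
    """Flag successful RDP logons from the internet, recording how many failed
    RDP attempts the same source made beforehand (password guessing)."""
    failures = defaultdict(int)         # source IP -> failed RDP logons so far
    findings = []
    for line in events.splitlines():
        m = LINE_RE.match(line)
        if not m or m["ltype"] != "10":
            continue                    # not an RDP logon at all
        src, eid = m["src"], m["eid"]
        if eid == "4625":
            failures[src] += 1
        elif eid == "4624" and is_external(src):
            prior = failures[src]
            findings.append({"time": m["ts"], "account": m["acct"], "source": src,
                             "prior_failures": prior,
                             "severity": "high" if prior >= failure_threshold else "medium"})
    return findings
```

Any finding at all means an RDP session was established from outside the network, which is exactly the exposure the first recommendation later in this article is meant to remove; a high-severity finding additionally shows the credentials were guessed or tried until one worked.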

Phishing and Social Engineering

DragonForce affiliates have been linked to phone-based social engineering tactics similar to those associated with the Scattered Spider group, which collaborated with DragonForce during high-profile retail sector attacks in the United Kingdom. Attackers impersonate IT helpdesk staff, targeting employees who can provide authentication tokens or approve password resets. Spear-phishing emails are also used to harvest credentials, particularly targeting staff with access to HR systems, payroll platforms, or financial applications — precisely the categories of data subsequently exfiltrated from Gelatissimo.

Post-Access Escalation: BYOVD and Credential Harvesting

Once inside the network, DragonForce moves quickly to disable defences and maximise access. The group uses the Bring Your Own Vulnerable Driver (BYOVD) technique — loading a legitimate but known-vulnerable kernel driver to disable or tamper with endpoint detection software. Cobalt Strike beacons are then deployed across the network for lateral movement and persistent command-and-control. In several documented cases, attackers extracted the Windows Active Directory database (NTDS.dit), which contains hashed credentials for every domain account. Once cracked offline, those hashes allow the attacker to impersonate any user in the organisation, including domain administrators.

This sequence — exposed entry point, valid credentials, security-tool bypass, domain-level access — explains why these attacks produce such large data exfiltration volumes. By the time DragonForce begins encrypting files, the affiliate typically has had unfettered access for hours or days, with no active controls remaining to prevent data leaving the network.

What Australian Businesses Must Do This Week

The DragonForce attack chain, examined step by step, reveals a series of conditions that organisations can address. None of the initial access methods documented in Australian intrusions required a zero-day exploit; they required only that an attacker find an open door, and most of those doors can be closed.

Eliminate direct internet exposure of RDP. Port 3389 should not be reachable from the public internet under any circumstances. Audit your firewall rules and confirm that RDP is inaccessible without first establishing an authenticated connection through a private channel. If your staff need remote access to office systems — a legitimate need for most SMBs — replace direct RDP exposure with encrypted tunnels. NordVPN provides a practical way for small businesses to eliminate this exposure: staff connect through an encrypted VPN tunnel before reaching internal systems, removing the public-facing RDP port from the attack surface entirely. Closing that exposure is the single highest-return security change most Australian SMBs can make against this class of threat, and it directly addresses the initial access vector documented in multiple DragonForce intrusions.

Enforce multi-factor authentication (MFA) on every remote access point. Even when credentials are stolen via phishing, MFA interrupts the authentication chain before the attacker gains access. An authenticator app is preferable to SMS-based MFA, which is susceptible to SIM-swap attacks — a technique associated with Scattered Spider affiliates operating in the same ecosystem as DragonForce.

Audit domain administrator accounts. Review who holds domain admin rights and remove permissions that are no longer active or necessary. DragonForce's BYOVD technique requires the ability to load kernel drivers — a capability that demands elevated privileges. Limiting those privileges limits the blast radius of any compromise that does occur.

Implement an immutable backup. The 3-2-1 rule remains a workable starting point: three copies of critical data, on two different media types, with one copy offsite. Critically, at least one copy should be write-protected or air-gapped so that ransomware cannot reach it even after achieving domain administrator access. Test your restore process regularly — a backup you've never tested is an assumption, not a control.

Know your reporting obligations in advance. If your business has an annual turnover above $3 million, a ransomware incident now triggers mandatory reporting requirements under Australian law. Knowing the process, and having an incident response contact ready, before an incident occurs means you're not working out your legal obligations while also managing an active breach.

Ransomware Reporting, Regulatory Obligations, and Layered Defence

For Gelatissimo and Champion Homes, the regulatory process is already in motion. Both notified the OAIC under the Notifiable Data Breaches (NDB) scheme, which requires notification to the Information Commissioner and to affected individuals whenever a data breach is likely to result in serious harm. The OAIC's expectation is notification "as soon as practicable" after identifying a qualifying breach; the ACSC additionally recommends notification within 72 hours for significant incidents involving personal information.

The nature of the data allegedly exfiltrated from Gelatissimo makes the individual harm potential concrete. Partial tax file numbers, passport numbers, home addresses, and salary details each carry meaningful identity-fraud risk. Affected employees face elevated exposure to targeted phishing attacks that reference specific personal details now in DragonForce's possession. Champion Homes customers face similar exposure depending on the contents of the compromised customer files.

At the organisational level, the ACSC's Essential Eight framework addresses several controls that are directly applicable to the DragonForce attack chain:

The ACSC recommends Australian organisations implement the Essential Eight at Maturity Level 2 as a baseline, with government entities targeting Level 3. For most SMBs, reaching Maturity Level 1 — implementing each of the eight controls in their most basic form — represents a material improvement over typical current practice and would meaningfully complicate the attack chains used by groups such as DragonForce.

If your business is targeted, the ACSC's guidance is to refrain from paying the ransom. Payment does not guarantee data recovery, does not prevent future targeting by the same group, and directly funds further criminal operations. Report the incident via the ACSC's ReportCyber portal and engage a qualified incident response firm promptly. Preserve logs and forensic artefacts before attempting to restore systems — these may assist law enforcement investigation and help establish the full scope of the intrusion.

DragonForce's success in Australia during April 2026 reflects a pattern that security practitioners recognise: attacks succeed at scale against organisations that have not implemented baseline controls. The controls that would have complicated both of these intrusions — eliminating public RDP exposure, enforcing MFA, limiting administrator privileges, maintaining air-gapped backups — are not expensive or technically complex. They are documented, available, and within reach of any Australian business prepared to act on them before an incident, rather than in the immediate aftermath of one.


The views expressed in this article are editorial opinion and general information only. They do not constitute professional security, legal, or financial advice. Always verify details with primary sources and consult a qualified professional before making security decisions based on this content.