Ransomware Group: DRAGONFORCE

VICTIM NAME: FTCS Forage

NOTE: No files or stolen information are [exfiltrated/downloaded/taken/hosted/seen/reposted/disclosed] by RedPacket Security. Any legal issues relating to the content of the files should be directed at the attackers directly, not RedPacket Security. This blog is simply posting an editorial news post informing that a company has fallen victim to a ransomware attack. RedPacket Security is in no way affiliated or aligned with any ransomware threat actors or groups and will not host infringing content. The information on this page is fully automated and redacted whilst being scraped directly from the DRAGONFORCE Onion Dark Web Tor Blog page.

AI Generated Summary of the Ransomware Leak Page

FTCS Forage, a France-based civil engineering construction firm with an estimated 100–249 employees and annual revenue in the 5–10 million range, is listed as a ransomware victim on a leak page published on September 26, 2025. The page states that attackers claim to have accessed and exfiltrated sensitive data described as client data, accounting records, and internal documentation. The incident is framed as a data leak rather than an encryption event, aligning with the data-exfiltration narrative common to ransomware campaigns. The post is associated with the dragonforce group in the metadata, and it notes that a claim URL is present on the page, though no ransom amount is provided in the accessible data.

The leak page describes FTCS Forage as a France-based company operating in the civil engineering construction sector. There are no visible screenshots or images on the page, and no downloads or data dumps are listed in the provided data. The post date, inferred from the key_date field, is September 26, 2025. The page emphasizes the exfiltration of client data, accounting records, and internal documentation, suggesting a potentially serious impact on operations, even though a specific ransom demand is not disclosed in the available information. The presence of a claim URL indicates the attackers are offering information or access as part of their extortion tactic.