Critical Unverified

REHA-ACTIV Ransomware Attack by DragonForce (June 2026)

Unverified dark web claim. This report is based on a post observed on a dark web forum. Yazoul Security has not independently verified the authenticity of this claim.

Leak Site Screenshot

Leak site post claiming REHA-ACTIV data breach

Screenshot captured at time of discovery. Image blurred to protect victim PII.

Claim Summary

On June 5, 2026, the ransomware group DragonForce allegedly added REHA-ACTIV to their leak site, claiming to have compromised the German medical supply company. According to the threat actor, REHA-ACTIV has been supporting individuals with health limitations for over 30 years. The group has not disclosed the volume of data allegedly stolen, nor has it provided any samples or proof of exfiltration at this time. This claim has not been independently verified by Yazoul Security.

Threat Actor Profile

DragonForce is a relatively opaque ransomware group with an unknown total victim count. Their operational security is limited, and they have no publicly available research references. The group is known to employ a standard set of post-exploitation and reconnaissance tools, including:

  • Mimikatz: For credential dumping from memory.
  • Advanced IP Scanner: For network discovery and asset mapping.
  • PingCastle: For Active Directory security auditing, used to find privilege escalation paths.
  • SoftPerfect NetScan: For network scanning and service enumeration.

These tools suggest DragonForce follows a common ransomware playbook: initial access (likely via phishing or RDP compromise), lateral movement, privilege escalation, and then data exfiltration before encryption. However, without a confirmed victim history, their credibility remains low. Ransomware groups with limited track records often exaggerate or fabricate claims to build reputation.

Alleged Data Exposure

DragonForce claims to have accessed REHA-ACTIV’s network, but has not specified the type or volume of data allegedly stolen. Given REHA-ACTIV’s role as a medical supply company, potential data categories could include:

  • Patient health information (PHI) and medical records
  • Insurance and billing details
  • Employee personally identifiable information (PII)
  • Supplier and logistics data
  • Internal communications and operational documents

No data samples have been published, and the group has not set a deadline for release. This lack of evidence is a red flag: legitimate ransomware operations typically provide proof of access or data to pressure victims.

Potential Impact

If the claim is accurate, the impact on REHA-ACTIV and its stakeholders could be severe:

  • Regulatory Risk: As a German healthcare entity, REHA-ACTIV may be subject to GDPR and the German Federal Office for Information Security (BSI) requirements. A data breach could result in fines up to 4% of annual global turnover.
  • Operational Disruption: Ransomware encryption could disrupt medical supply chains, affecting patients who rely on timely delivery of health aids.
  • Reputational Damage: Trust in a 30-year-old company could erode if patient data is exposed.
  • Legal Liability: Affected individuals may pursue class-action lawsuits for mishandling of sensitive data.

However, given DragonForce’s unknown credibility, these impacts remain hypothetical until verified.

What to Watch For

  • Leak Site Monitoring: Check if DragonForce posts data samples or a countdown timer. Absence of proof within 72 hours suggests a false claim.
  • Official Statements: Monitor REHA-ACTIV’s website (www.reha-activ.de) and German regulatory filings for breach notifications.
  • Dark Web Chatter: Look for discussions on Russian-language forums where DragonForce may attempt to sell or leak data.
  • Detection Guidance: No YARA rules or detection signatures are publicly available for DragonForce. Organizations should monitor for the use of Mimikatz, Advanced IP Scanner, and PingCastle in their environments as indicators of potential DragonForce activity.
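
The monitoring described in the Detection Guidance item, as an added example (not Yazoul Security's code): it classifies process-creation events shaped like Sysmon Event ID 1 records against the four tools named in this report and returns hosts where two or more of them ran, since each tool on its own is also used by administrators. The binary names, event field names and sample events are assumptions constructed for illustration.

```python
import ntpath
import re
from collections import defaultdict

# Default binary names of the tools named in the report (assumed defaults; files
# can be renamed, which is why OriginalFileName is checked as well as Image).
TOOL_BINARIES = {
    "mimikatz.exe": "Mimikatz",
    "advanced_ip_scanner.exe": "Advanced IP Scanner",
    "pingcastle.exe": "PingCastle",
    "netscan.exe": "SoftPerfect NetScan",
}
# Mimikatz module::command syntax still shows up when the binary is renamed.
MIMIKATZ_CMD = re.compile(r"\b(sekurlsa|lsadump|privilege|kerberos)::\w+", re.I)


def classify(event):
    """Return the tool name an event matches, or None."""
    for field in ("Image", "OriginalFileName"):
        name = ntpath.basename(event.get(field, "")).lower()
        if name in TOOL_BINARIES:
            return TOOL_BINARIES[name]
    if MIMIKATZ_CMD.search(event.get("CommandLine", "")):
        return "Mimikatz"
    return None


def hosts_to_triage(events, min_tools=2):
    """Map host -> sorted tool names, for hosts where >= min_tools distinct tools ran."""
    seen = defaultdict(set)
    for ev in events:
        tool = classify(ev)
        if tool:
            seen[ev["Computer"]].add(tool)
    return {h: sorted(t) for h, t in seen.items() if len(t) >= min_tools}


# Constructed sample events (not from any real incident).
SAMPLE_EVENTS = [
    {"Computer": "WS-017", "Image": r"C:\Users\Public\advanced_ip_scanner.exe",
     "OriginalFileName": "advanced_ip_scanner.exe", "CommandLine": "advanced_ip_scanner.exe"},
    {"Computer": "WS-017", "Image": r"C:\Windows\Temp\svch0st.exe",
     "OriginalFileName": "mimikatz.exe", "CommandLine": "svch0st.exe"},
    {"Computer": "DC-01", "Image": r"C:\Tools\PingCastle.exe",
     "OriginalFileName": "PingCastle.exe", "CommandLine": "PingCastle.exe --healthcheck"},
    {"Computer": "WS-042", "Image": r"C:\Temp\upd.exe", "OriginalFileName": "upd.exe",
     "CommandLine": 'upd.exe "privilege::debug" "sekurlsa::logonpasswords" exit'},
]
```

Calling `hosts_to_triage(SAMPLE_EVENTS)` returns only WS-017, where a scanner and a renamed credential dumper ran on the same host; lowering `min_tools` to 1 lists every single-tool hit for review.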

Disclaimer

This report is based solely on unverified claims made by the DragonForce ransomware group on their leak site. Yazoul Security has not independently confirmed the attack, the data theft, or the identity of the victim. Ransomware groups frequently fabricate or exaggerate claims to pressure victims into payment. All information should be treated as preliminary intelligence pending official confirmation from REHA-ACTIV or German authorities. Do not attempt to access or download any data referenced in this report.
