On March 6, 2026, the DragonForce ransomware group listed Salford City College - one of the largest further education providers in Greater Manchester, UK - on its dark web leak site, claiming exfiltration of 256.92 GB of data including confidential mental health assessment forms and personal information spreadsheets.
Four days later, the Qilin ransomware group independently listed the same institution - a direct consequence of the DragonForce-Qilin cartel alliance announced in Q3 2025. The attackers set a 10-11 day publication deadline.
The breach exposes the systemic vulnerability of the UK further education sector, where only 37% of colleges employ dedicated cybersecurity staff.
KEY FACTS
- What: Ransomware attack with 256.92 GB data exfiltration from a major UK further education college.
- Who: Salford City College Group - five campuses across Greater Manchester; ~8,981 learners (4,480 aged 16-18, 3,057 adults, 1,444 apprentices).
- How: Attack vector unconfirmed. DragonForce affiliates typically exploit phishing, unpatched public-facing applications, or stolen VPN/RDP credentials.
- Data: Confidential mental health assessment forms, spreadsheets containing personal information, internal administration and operational documents (claimed by threat actor; unverified by institution).
- Actor: DragonForce (RaaS cartel - 80% affiliate commission). Also listed by Qilin on March 10 under cartel alliance.
- Impact: IT systems disrupted across the college group; 256.92 GB exfiltrated; publication deadline of 10-11 days.
WHAT HAPPENED
On March 6, 2026, threat intelligence platforms FalconFeeds and Comparitech identified a new listing on the DragonForce ransomware group's Tor-based leak site: salfordcc.ac.uk - Salford City College Group.
The listing claimed exfiltration of 256.92 GB of organizational data and included a leak screenshot as proof of access.
DragonForce set a publication deadline of 10-11 days, threatening to release the stolen data unless a college representative made contact via their negotiation portal.
Salford City College Group is a family of five colleges formed through a 1 January 2009 merger of Pendleton College, Eccles College, and Salford College (which encompassed the Worsley campus, Future Skills, and City Skills sites).
The group serves approximately 8,981 learners across Greater Manchester, including 4,480 students aged 16-18, 3,057 adult learners, and 1,444 apprentices. The college was subject to an Ofsted monitoring visit as recently as February 27-28, 2025.
Comparitech confirmed the college was experiencing an "IT disruption" at the time of listing, though the institution did not publicly attribute the disruption to a ransomware attack. No official statement from the college has been identified confirming or denying the breach.
Four days later, on March 10, 2026, the Qilin ransomware group independently listed Salford City College on its own leak site with the same estimated attack date of March 6. The dual-listing is consistent with the DragonForce-Qilin-LockBit cartel alliance announced in Q3 2025, in which the groups agreed to share infrastructure, tools, and victim data.
Under DragonForce's white-label model, a single affiliate can deploy ransomware under multiple brands - meaning the same intrusion may be listed by both groups to maximize pressure on the victim.
THREAT ACTOR
DragonForce emerged in late 2023, with its first data leak site victim posted on December 6, 2023, using payloads built on the leaked LockBit 3.0 builder. The exact relationship between the two entities remains unresolved.
DragonForce has since evolved into one of the most aggressive ransomware cartels in operation. live tracks 438), with an estimated 26 in the United Kingdom alone.
Activity peaked at 35 victims in December 2025. The group's affiliate program, launched June 26, 2024, offers 80% of ransom proceeds and recruits through the RAMP underground forum.
The group operates two ransomware variants: the original LockBit 3.0-based encryptor using AES encryption, and a more advanced Conti v3-derived variant using ChaCha8 encryption with BYOVD (Bring Your Own Vulnerable Driver) capability to disable EDR/XDR processes using Truesight.sys and RentDrv.sys drivers.
Post-exploitation tooling includes Cobalt Strike for command and control, SystemBC for persistence, and Mimikatz for credential harvesting. Data exfiltration has been observed over SSH (port 22) to Russian-hosted infrastructure (Proton66 OOO, AS198953).
On March 19, 2025, DragonForce announced its transition from a standard RaaS operation to a ransomware "cartel," offering affiliates white-label capability to deploy ransomware under their own brand while using DragonForce's infrastructure.
The group aggressively consolidated power: in March 2025, it defaced the BlackLock ransomware group's leak site by exploiting an LFI vulnerability and absorbed its affiliates. When RansomHub went dark on April 1, 2025, DragonForce claimed it had joined the cartel.
DragonForce's highest-profile attacks came in April-May 2025, when Scattered Spider served as the initial access broker for DragonForce ransomware deployments against Marks and Spencer, Co-op, and Harrods.
The M&S attack alone cost approximately GBP 300 million in lost profit, with online sales suspended for nearly seven weeks.
The UK National Crime Agency arrested four suspects in July 2025 on suspicion of Computer Misuse Act violations, blackmail, money laundering, and organized crime participation.
In Q3 2025, DragonForce announced a formal cartel alliance with Qilin and LockBit, stating on dark web forums: "Create equal competition conditions, no conflicts and no public insults..."
This alliance directly explains the dual-listing of Salford City College by both DragonForce and Qilin.
WHAT WAS EXPOSED
DragonForce claims exfiltration of 256.92 GB from Salford City College, including:
- Confidential mental health assessment forms - these constitute special category data under UK GDPR Article 9 (health data) and relate to some of the most vulnerable individuals in the college's care. Mental health records for students aged 16-18 carry additional protections under UK GDPR Recital 38 (special protection of children's personal data). Unlike passwords, mental health records cannot be changed - exposure causes irreversible harm to individuals' privacy and wellbeing.
- Spreadsheets containing personal information - likely student enrollment records, staff HR files, contact details, and potentially financial information. For 16-18 year-old students, this constitutes children's data under UK GDPR.
- Internal administration and operational documents - institutional governance, financial records, operational plans, and potentially safeguarding documentation.
The full scope of the exposed data remains unverified by the college.
However, further education colleges typically hold: student enrollment records (names, dates of birth, addresses, National Insurance numbers), staff personnel files (salary data, disciplinary records, DBS check results), UCAS application data, special educational needs (SEN) records, safeguarding reports for vulnerable and at-risk students, and financial records including student bursary and loan information.
If safeguarding records for vulnerable minors are among the 256.92 GB, the breach crosses from a data protection failure into a child safety crisis.
TECHNICAL FAILURE CHAIN
The specific attack vector against Salford City College has not been disclosed. Based on DragonForce's documented TTPs and the UK education sector's known vulnerabilities, the following failure chain is assessed with high confidence:
1. Likely initial access via stolen credentials or phishing. DragonForce affiliates gain initial access through phishing, exploitation of public-facing applications, or compromised VPN/RDP credentials.
UK further education colleges are particularly vulnerable: 97% of those reporting breaches experienced phishing attacks, and academic environments prioritize accessibility over restrictive access controls.
2. Probable lack of MFA on remote access. Only 37% of UK further education colleges have dedicated cybersecurity staff (Jisc). MFA deployment on VPN gateways, email, and administrative portals is inconsistent across the sector.
If MFA was not enforced on Microsoft 365 accounts, a single compromised credential provides domain-wide access.
3. Insufficient network segmentation. A 256.92 GB exfiltration spanning mental health records, personal information, and administrative documents indicates the attacker accessed multiple data repositories across different functional areas.
Properly segmented networks would isolate student records, safeguarding data, HR systems, and administrative files into separate security zones, limiting lateral movement and exfiltration scope.
4. No effective data loss prevention. Exfiltrating 256.92 GB from an educational institution requires sustained outbound data transfer over hours or days.
The absence of DLP monitoring, outbound traffic analysis, or anomaly detection allowed this volume of data to leave the network undetected.
5. Probable inadequate endpoint detection. DragonForce's Conti variant uses BYOVD to disable EDR/XDR processes via Truesight.sys and RentDrv.sys. If the college had endpoint detection, the BYOVD technique bypassed it.
If they lacked EDR entirely - as many FE colleges do - the attacker faced no resistance at the endpoint level.
INDICATORS OF COMPROMISE
Threat Actor:
- DragonForce (RaaS cartel, 80% affiliate commission)
- Dual-listed by Qilin (DragonForce-Qilin-LockBit cartel, Q3 2025)
- ~440 total victims, 26 UK victims
Exfiltration:
- 256.92 GB claimed by threat actor
DragonForce General TTPs:
- Ransomware: LockBit 3.0-based (AES) and Conti v3-derived (ChaCha8) variants
- BYOVD: Truesight.sys and RentDrv.sys to disable EDR
- Post-exploitation: Cobalt Strike, SystemBC, Mimikatz
- Exfiltration: SSH to Russian-hosted infrastructure (Proton66 OOO, AS198953)
REGULATORY EXPOSURE
- UK GDPR Article 5(1)(f) - Integrity and confidentiality principle. The college failed to ensure appropriate security of personal data, resulting in unauthorized access and exfiltration of 256.92 GB. This is a foundational violation.
- UK GDPR Article 9 - Special categories of personal data. Mental health assessment forms constitute health data, which requires "appropriate safeguards" including encryption, pseudonymization, and strict access controls. The exposure of such data to a ransomware group represents a categorical failure to protect special category data.
- UK GDPR Article 32 - Security of processing. The college was required to implement "appropriate technical and organisational measures" including encryption, resilience of processing systems, regular testing, and ability to restore availability. The exfiltration of 256.92 GB indicates multiple failures against this article.
- UK GDPR Article 33 - 72-hour notification to the ICO. The college is required to notify the Information Commissioner's Office within 72 hours of becoming aware of a personal data breach. Given the volume and sensitivity of the data (mental health records of minors), notification is mandatory.
- UK GDPR Article 34 - Communication to data subjects. Where a breach is "likely to result in a high risk to the rights and freedoms of natural persons," the controller must communicate the breach to affected individuals "without undue delay." The exposure of mental health records of students aged 16-18 meets this threshold.
- UK GDPR Recital 38 - Special protection of children's personal data. Children "merit specific protection with regard to their personal data, as they may be less aware of the risks, consequences and safeguards concerned." Salford City College processes data for approximately 4,480 students aged 16-18 - this recital applies directly.
- Data Protection Act 2018, Section 10 - Supplements UK GDPR with provisions for education and safeguarding data processing. A breach of this data undermines the statutory framework.
- ICO enforcement context - The ICO has historically taken a lenient approach to public sector breaches. However, fines of up to GBP 17.5 million or 4% of annual global turnover remain available. For a further education college, the reputational and operational impact of an ICO investigation may exceed any financial penalty.
- Safeguarding obligations - If data relating to vulnerable students or safeguarding cases was exposed, the college's Designated Safeguarding Lead and the local authority's LADO (Local Authority Designated Officer) must be notified. Ofsted may also need to be informed if safeguarding data exposure affects the college's ability to protect children and young people.
- Computer Misuse Act 1990 - The unauthorized access to college systems constitutes offenses under Sections 1-3. The NCA's existing DragonForce investigation (four arrests in July 2025) may extend to this incident.
INTELLIGENCE GAPS
The following gaps exist in the public record for this incident:
1. Salford City College has not issued a public breach statement or confirmed the scope of the data exfiltration - the 256.92 GB figure and the claim of mental health records originate exclusively from DragonForce's leak site listing.
2. The attack vector has not been disclosed - the assessment of phishing, unpatched applications, or stolen VPN/RDP credentials is based on DragonForce's general TTPs, not incident-specific evidence.
3. Whether safeguarding records for vulnerable minors are among the exfiltrated data has not been confirmed, and the distinction between mental health assessment forms and formal safeguarding case files has not been established.
4. The relationship between the DragonForce and Qilin dual-listings - specifically whether this represents a single intrusion listed by two cartel partners or two independent compromises - has not been forensically determined.
5. The ICO has not publicly confirmed receipt of a breach notification from the college, and it is unknown whether the 72-hour Article 33 notification deadline was met.
6. As of late 2025, ReliaQuest reported it had "not observed attacks indicating active collaboration" between the DragonForce-Qilin-LockBit cartel members.
The dual-listing of Salford City College may be among the first pieces of tangible evidence of operational collaboration under the alliance - or it may reflect independent use of shared infrastructure rather than coordinated action. This distinction has not been established.
7. Naomi Korn Associates (March 12, 2026) noted the impact on "staff, students, families and wider community" who "experienced limited access to key information and the fear of the consequences of personal data being disclosed" - suggesting broader community awareness than the college's "IT disruption" characterization implies.
No formal community notification has been identified.
8. No mainstream UK media outlet (BBC, Guardian, Manchester Evening News, FE Week) has published coverage of this incident.
For a breach allegedly involving children's mental health records, this absence of mainstream coverage is notable and may indicate either suppressed reporting, insufficient verification of the threat actor's claims, or lack of awareness.
ZERO|TOLERANCE Advisory
1. Enforce multi-factor authentication on all remote access and cloud services.
Microsoft 365, VPN gateways, and administrative portals must require FIDO2 hardware security keys or, at minimum, authenticator app-based MFA. A single compromised password should never grant domain-wide access.
2. Segment student welfare data into isolated network zones.
Mental health assessment forms, safeguarding records, SEN data, and other sensitive student welfare information must reside in a dedicated, access-controlled network segment with separate authentication, logging, and encryption at rest.
This would have limited exfiltration to a fraction of the 256.92 GB.
3. Deploy managed endpoint detection and response. Only 37% of UK FE colleges have dedicated cybersecurity staff.
The college should have contracted a managed SOC service providing 24/7 EDR coverage, with specific detection rules for BYOVD techniques, Cobalt Strike beacons, and anomalous lateral movement.
4. Implement data loss prevention and outbound traffic monitoring. 256.92 GB of exfiltration should trigger automated alerts. Baseline outbound data volumes and alert on deviations.
Monitor SSH connections to unknown external IPs - DragonForce exfiltrates over SSH port 22. Block unauthorized cloud storage and file transfer services.
5. Maintain immutable, tested offline backups with separate credentials. Backups must be air-gapped or immutable (write-once-read-many), stored with separate authentication credentials not accessible from the domain, and tested for restoration quarterly.
DragonForce specifically targets backup infrastructure.
6. Establish an incident response retainer with an external IR provider. FE colleges lack internal IR capability.
A pre-negotiated retainer ensures immediate expert deployment when an attack is detected, including pre-built regulatory notification templates for ICO Article 33 compliance.
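One way to implement the outbound monitoring described in advisory item 4 (baseline per-host egress, alert on deviations, flag SSH to unknown external hosts), as an added example that is not part of the original advisory. The flow records, addresses, internal range, allowlist and thresholds are all constructed assumptions; real input would come from firewall or NetFlow exports.

```python
import ipaddress
from collections import defaultdict
from statistics import median

# Constructed flow records: (day, src_ip, dst_ip, dst_port, bytes_out).
# External addresses are RFC 5737 documentation ranges, not real indicators.
FLOWS = [
    ("2026-01-05", "10.20.1.15", "198.51.100.7", 443, 1_200_000_000),
    ("2026-01-06", "10.20.1.15", "198.51.100.7", 443, 900_000_000),
    ("2026-01-07", "10.20.1.15", "198.51.100.7", 443, 1_100_000_000),
    ("2026-01-08", "10.20.1.15", "198.51.100.7", 443, 1_000_000_000),
    ("2026-01-08", "10.20.1.15", "203.0.113.50", 22, 48_000_000_000),
    ("2026-01-08", "10.20.3.8", "192.0.2.10", 22, 5_000_000),      # approved SFTP
    ("2026-01-08", "10.20.3.8", "10.20.9.9", 22, 80_000_000_000),  # internal backup
]
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumption: site address space
APPROVED_SSH_DESTS = {"192.0.2.10"}                   # assumption: site allowlist

def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def volume_alerts(flows, factor=5, floor=5_000_000_000):
    """Flag host-days whose external egress is >= floor bytes and more than
    factor x the median of that host's earlier days (0 if no history)."""
    daily = defaultdict(lambda: defaultdict(int))
    for day, src, dst, _port, nbytes in flows:
        if is_external(dst):
            daily[src][day] += nbytes
    alerts = []
    for src, days in daily.items():
        ordered = sorted(days)  # ISO dates sort chronologically
        for i, day in enumerate(ordered):
            history = [days[d] for d in ordered[:i]]
            baseline = median(history) if history else 0
            if days[day] >= floor and days[day] > factor * baseline:
                alerts.append((src, day, days[day], baseline))
    return alerts

def ssh_alerts(flows, approved=APPROVED_SSH_DESTS, port=22):
    """Total bytes per (src, dst) for SSH to external hosts not on the allowlist."""
    totals = defaultdict(int)
    for _day, src, dst, dport, nbytes in flows:
        if dport == port and is_external(dst) and dst not in approved:
            totals[(src, dst)] += nbytes
    return sorted(totals.items(), key=lambda kv: -kv[1])

if __name__ == "__main__":
    for src, day, sent, base in volume_alerts(FLOWS):
        print(f"VOLUME {src} {day}: {sent / 1e9:.1f} GB out, baseline {base / 1e9:.1f} GB")
    for (src, dst), sent in ssh_alerts(FLOWS):
        print(f"SSH {src} -> {dst}: {sent / 1e9:.1f} GB to unapproved destination")
```

Matching on port 22 misses SSH moved to another port, so the volume rule is the backstop; both thresholds need tuning against the site's own traffic.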
SOURCES
FalconFeeds, Comparitech, DailyDarkWeb, DeXpose, Ransomware.live, RedPacket Security, Netcrook, Breachsense, Naomi Korn Associates, SentinelOne, Group-IB, Trend Micro, LevelBlue, Acronis TRU, Darktrace, Picus Security, BleepingComputer, The Hacker News, Dark Reading, Computer Weekly, Infosecurity Magazine, Help Net Security, BlackFog, UK Gov Cyber Security Breaches Survey 2025, Jisc, NCSC, Ofsted