Full Report
# Introduction

This blog is a focused update on the latest changes to the Ransomware Tool Matrix (RTM) and the Ransomware Vulnerability Matrix (RVM), covering three groups that I have published profiles for to help defenders home in on the threats most relevant to them: TheGentlemen, DragonForce, and WarLock.

Rather than write another broad ecosystem summary, the goal of this post is to introduce these profiles, briefly explain why each group matters right now, and give readers direct links to them so defenders can pivot straight into hunting, detection engineering, and patch prioritisation.

For anyone new to the projects, please read the descriptions on GitHub or feel free to watch my talk explaining the project at BSides London.

# Why these three groups?

Each of the three groups added in this update represents a different slice of the current ransomware ecosystem.

## TheGentlemen

TheGentlemen is a newer operation that has matured quickly, with a large and varied toolkit that reflects how cross-pollinated the affiliate ecosystem has become. The recent internal chat leak gave researchers a rare look into their tradecraft, and the profiles capture both the tooling and the exploited CVEs that have been observed across multiple intrusions. TheGentlemen’s RTM profile is here and its RVM profile is here.

## DragonForce

DragonForce has continued to escalate throughout 2025 and into 2026, branching into MSP-focused attacks and standing up its own "cartel" model that other affiliates can plug into. Its exploitation of edge devices (Ivanti, Fortinet, SonicWall) and of SimpleHelp RMM makes it a high-priority threat for any organisation using such systems. DragonForce’s RTM profile is here and its RVM profile is here.

## WarLock

WarLock jumped onto everyone's radar after the ToolShell SharePoint zero-day exploitation campaign, and has since been linked to a string of edge-application exploits including SmarterMail, SolarWinds Web Help Desk, and Gladinet CentreStack. It is a strong example of a likely China-based operator that lives on zero-day exploitation of internet-facing software. WarLock’s RTM profile is here and its RVM profile is here.

# Observations and Trends

A few themes are worth flagging across all three profiles.

**BYOVD is now standard, not novel.** All three groups have been observed bringing vulnerable drivers to disable or blind EDR: TheGentlemen with the ThrottleStop driver, DragonForce with the TrueSight and Hangzhou Shunwang drivers, and WarLock with the Antiy, NsecSoft, Rising, and VMTools drivers. If your detection stack is not yet hunting on or blocking suspicious driver loads and known-bad driver hashes, that is a high-priority gap to close.

**Network edge devices and other internet-facing systems remain the front door** to victim networks for these groups. Fortinet, Ivanti, SonicWall, SimpleHelp, Microsoft SharePoint, SmarterMail, SolarWinds Web Help Desk, and Gladinet CentreStack all appear across these three profiles. Patch prioritisation that focuses on internet-exposed appliances and admin tooling continues to give defenders a valuable return on effort.

**Legitimate tooling continues to blur the line.** Velociraptor, Cloudflared, VSCode Tunnels, AnyDesk, MeshCentral, FreeRDP, PuTTY, OpenSSH, and a long list of legitimate cloud services are all being repurposed for ransomware operations. Defenders should use these lists to begin baselining what should exist in their environment and start alerting on the rest.

# Conclusion

My recommendation for defenders remains the same as in previous updates: take the tools and CVEs from the RTM and RVM profiles and start threat hunting for their presence, writing detection rules to alert on specific behaviours, and blocking what is not expected or permitted in your environment. These three new profiles should make that easier to scope by group when you need to brief leadership, prioritise a hunt, or map your exposure to a specific campaign.

Here are a few sites that can help with turning the threat intel in these new profiles into detections:

- https://rulehound.com/rules
- https://detection.fyi
- https://www.snapattack.com/community

As always, feedback and pull requests are very welcome on both repos. Thanks to everyone who has contributed reports, corrections, and ideas. These projects only stay useful because the community keeps feeding them one way or another.
Analysis Summary
This summary covers the three primary ransomware groups highlighted in the June 2026 update to the Ransomware Tool Matrix: **TheGentlemen**, **DragonForce**, and **WarLock**.
---
# Threat Actor: TheGentlemen
## Attribution & Identity
* **Identity:** A newer, rapidly maturing ransomware operation.
* **Associations:** Part of a highly cross-pollinated affiliate ecosystem; tradecraft was recently exposed via internal chat leaks.
## Activity Summary
* **Recent Campaigns:** Observed in multiple recent intrusions characterized by a diverse toolkit and exploitation of known CVEs.
## Tactics, Techniques & Procedures
* **Bring Your Own Vulnerable Driver (BYOVD):** Utilizes vulnerable drivers to disable or "blind" EDR solutions.
* **Initial Access:** Exploitation of internet-facing software and appliances.
* **Repurposing Legitimate Tools:** Uses admin and cloud tools to blend with normal network traffic.
## Targeting
* **Sectors:** General (Affiliate-driven).
* **Geography:** Global.
## Tools & Infrastructure
* **Vulnerable Drivers:** ThrottleStop driver.
* **Legitimate Tools:** Velociraptor, Cloudflared, VSCode Tunnels, AnyDesk, MeshCentral, FreeRDP, PuTTY, OpenSSH.
## Implications
* The transition from a "new" group to a "mature" operation indicates a high level of operational support and shared tradecraft within the ransomware ecosystem.
---
# Threat Actor: DragonForce
## Attribution & Identity
* **Identity:** An escalating ransomware threat active through 2025 and 2026.
* **Associations:** Operates under a "cartel" model, allowing other affiliates to plug into its infrastructure.
## Activity Summary
* **Recent Campaigns:** Significant expansion into MSP-focused (Managed Service Provider) attacks and exploitation of network edge devices.
## Tactics, Techniques & Procedures
* **BYOVD:** Specifically targeting EDR bypass using third-party drivers.
* **Edge Exploitation:** High focus on internet-exposed appliances.
* **RMM Exploitation:** Use of Remote Monitoring and Management tools for persistence and lateral movement.
## Targeting
* **Sectors:** Managed Service Providers (MSPs) and their downstream clients.
* **Victims:** Organizations utilizing specific edge technologies (Ivanti, Fortinet, SonicWall).
## Tools & Infrastructure
* **Vulnerable Drivers:** TrueSight and Hangzhou Shunwang drivers.
* **Software/Services:** SimpleHelp RMM.
* **Network Hardware:** Ivanti, Fortinet, and SonicWall edge devices.
## Implications
* Their "cartel" model and MSP focus greatly extend their reach, making them a high-priority threat for service providers and their downstream clients.
---
# Threat Actor: WarLock
## Attribution & Identity
* **Identity:** A likely China-based threat operator.
* **Associations:** Linked to sophisticated zero-day exploitation campaigns.
## Activity Summary
* **Recent Campaigns:** Rose to prominence following the "ToolShell" SharePoint zero-day campaign. Currently linked to a string of exploits against edge applications.
## Tactics, Techniques & Procedures
* **Zero-Day Exploitation:** Heavily reliant on exploiting unknown vulnerabilities in internet-facing software.
* **BYOVD:** Uses a wide variety of drivers to neutralize security software.
## Targeting
* **Sectors:** Organizations using internet-facing edge applications.
* **Geography:** Likely China-based origin; global targeting.
## Tools & Infrastructure
* **Targeted Applications:** Microsoft SharePoint (ToolShell), SmarterMail, SolarWinds Web Help Desk, and Gladinet CentreStack.
* **Vulnerable Drivers:** Antiy, NsecSoft, Rising, and VMTools drivers.
## Implications
* Unlike typical financially motivated actors, WarLock relies on zero-days and is likely China-based, which suggests a high level of sophistication and potentially different strategic objectives.
---
# Mitigations (Applicable to all three)
* **Driver Security:** Hunt for and block suspicious driver loads and known-bad driver hashes (BYOVD prevention).
* **Patch Management:** Prioritize patching of internet-exposed appliances (Fortinet, Ivanti, SonicWall) and administrative software (SharePoint, SolarWinds).
* **Living-off-the-Land (LotL) Monitoring:** Baseline the use of legitimate tools like AnyDesk, Cloudflared, and PuTTY; alert on anomalous usage or presence on unauthorized systems.
* **External Resources:** Utilize detection repositories such as:
  * hxxps[://]rulehound[.]com/rules
  * hxxps[://]detection[.]fyi
  * hxxps[://]www[.]snapattack[.]com/community
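As an added example (not code from the post or the RTM/RVM projects), the triage below applies the two hunts recommended in the Observations and Mitigations sections to constructed Sysmon-style event lines: driver loads (Event ID 6) are flagged when the hash is on a blocklist or the signer is not trusted, and process creations (Event ID 1) of remote-access tools named in the profiles are flagged on hosts outside a baseline. The hostnames, hashes, signer names and key=value line format are placeholders, not real indicators.

```python
import re

# Constructed blocklist: placeholder SHA256 values, not real indicators.
BAD_HASH = "0" * 61 + "bad"
KNOWN_BAD_DRIVER_SHA256 = {BAD_HASH: "placeholder entry for a known-abused driver"}
# Signers whose drivers are expected; any other signer gets a review finding.
TRUSTED_DRIVER_SIGNERS = {"Microsoft Windows", "Microsoft Windows Hardware Compatibility Publisher"}
# Baseline of hosts approved to run each tool (hypothetical hostnames; empty set = nowhere).
TOOL_BASELINE = {
    "anydesk.exe": {"HELPDESK01"},
    "cloudflared.exe": set(),
}
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_event(line):
    """Parse a constructed Sysmon-style key=value event line into a dict."""
    ev = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    hashes = dict(h.split("=", 1) for h in ev.get("Hashes", "").split(",") if "=" in h)
    ev["SHA256"] = hashes.get("SHA256", "").lower()
    return ev

def triage(line):
    """Return finding strings for one event (empty list when nothing is suspicious)."""
    ev = parse_event(line)
    host = ev.get("Computer", "?").upper()
    findings = []
    if ev.get("EventID") == "6":                      # Sysmon DriverLoad
        drv = ev.get("ImageLoaded", "").rsplit("\\", 1)[-1].lower()
        if ev["SHA256"] in KNOWN_BAD_DRIVER_SHA256:
            findings.append(f"{host}: BLOCKLISTED driver {drv} ({KNOWN_BAD_DRIVER_SHA256[ev['SHA256']]})")
        elif ev.get("Signature") not in TRUSTED_DRIVER_SIGNERS or ev.get("SignatureStatus") != "Valid":
            findings.append(f"{host}: REVIEW driver {drv} signed by '{ev.get('Signature')}'")
    elif ev.get("EventID") == "1":                    # Sysmon ProcessCreate
        exe = ev.get("Image", "").rsplit("\\", 1)[-1].lower()
        if exe in TOOL_BASELINE and host not in TOOL_BASELINE[exe]:
            approved = ", ".join(sorted(TOOL_BASELINE[exe])) or "none"
            findings.append(f"{host}: UNBASELINED tool {exe} (approved hosts: {approved})")
    return findings

# Constructed sample events: two driver loads and two process creations.
SAMPLE_EVENTS = [
    f'EventID=6 Computer=fs01 ImageLoaded="C:\\Windows\\System32\\drivers\\ThrottleStop.sys" Hashes=SHA256={BAD_HASH} Signature="Example Vendor" SignatureStatus=Valid',
    f'EventID=6 Computer=fs01 ImageLoaded="C:\\Windows\\System32\\drivers\\ntfs.sys" Hashes=SHA256={"1" * 64} Signature="Microsoft Windows" SignatureStatus=Valid',
    f'EventID=1 Computer=fs01 Image="C:\\Users\\Public\\cloudflared.exe" Hashes=SHA256={"2" * 64}',
    f'EventID=1 Computer=helpdesk01 Image="C:\\Program Files\\AnyDesk\\AnyDesk.exe" Hashes=SHA256={"3" * 64}',
]

def run(lines=SAMPLE_EVENTS):
    """Triage every line and return all findings in order."""
    return [f for line in lines for f in triage(line)]
```

Running `run()` on the sample set yields two findings: the blocklisted driver load and the unbaselined Cloudflared execution on fs01; the signed Microsoft driver and the approved AnyDesk instance on helpdesk01 are silent.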