Introduction

This blog is a focused update on the latest updates to the Ransomware Tool Matrix (RTM) and the Ransomware Vulnerability Matrix (RVM) covering three groups that I have published profiles for to help defenders home in on the threats most relevant to them: TheGentlemen, DragonForce, and WarLock.

Rather than write another broad ecosystem summary, the goal of this post is to introduce these profiles, briefly explain why each group matters right now, and give readers direct links to them so defenders can pivot straight into hunting, detection engineering, and patch prioritisation.

For anyone new to the projects, please read the descriptions on GitHub or feel free to watch my talk explaining the project at BSides London.

Why these three groups?

Each of the three groups added in this update represents a different slice of the current ransomware ecosystem:

TheGentlemen

TheGentlemen is a newer operation that has matured quickly, with a large and varied toolkit that reflects how cross-pollinated the affiliate ecosystem has become. The recent internal chat leak gave researchers a rare look into their tradecraft, and the profiles capture both the tooling and the exploited CVEs that have been observed across multiple intrusions. TheGentlemen’s RTM profile is here and RVM profile is here.

DragonForce

DragonForce has continued to escalate throughout 2025 and into 2026, branching into MSP-focused attacks and standing up its own "cartel" model that other affiliates can plug into. Its exploitation of edge devices (Ivanti, Fortinet, SonicWall) and SimpleHelp RMM make it a high-priority threat for any organisation using such systems. DragonForce’s RTM profile is here and RVM profile is here.

WarLock

WarLock jumped onto everyone's radar after the ToolShell SharePoint zero-day exploitation campaign, and has since been linked to a string of edge-application exploits including SmarterMail, SolarWinds Web Help Desk, and Gladinet CentreStack. It is a strong example of a likely China-based operator that lives on zero-day exploitation of internet-facing software. WarLock’s RTM profile is here and RVM profile is here.

Observations and Trends

A few themes are worth flagging across all three profiles:

• BYOVD is now standard, not novel. All three groups have been observed bringing vulnerable drivers to disable or blind EDR. TheGentlemen with ThrottleStop driver, DragonForce with the TrueSight and Hangzhou Shunwang drivers, and WarLock with Antiy, NsecSoft, Rising, and VMTools drivers. If your detection stack is not yet hunting on or blocking suspicious driver loads and known-bad driver hashes, that is a high-priority gap to close.
• Network edge devices and other internet-facing systems remain the front door to victim networks for these groups. Fortinet, Ivanti, SonicWall, SimpleHelp, Microsoft SharePoint, SmarterMail, SolarWinds Web Help Desk, and Gladinet CentreStack all appear across these three profiles. Patch prioritisation that focuses on internet-exposed appliances and admin tooling continues to give defenders a valuable return on effort.
• Legitimate tooling continues to blur the line. Velociraptor, Cloudflared, VSCode Tunnels, AnyDesk, MeshCentral, FreeRDP, PuTTY, OpenSSH, and a long list of legitimate cloud services are all being repurposed for ransomware operations. Defender should use these lists to begin baselining what should exist in their environment and start alerting on the rest.

Conclusion

My recommendation for defenders remains the same as in previous updates: take the tools and CVEs from the RTM and RVM profiles and start threat hunting for their presence, writing detection rules to alert on certain behaviours, and blocking what is not expected or permitted in your environment. These three new profiles should make that easier to scope by group when you need to brief leadership, prioritise a hunt, or map your exposure to a specific campaign.

Here's a few sites that can help with turning the threat intel in these new profiles into detections:

- https://rulehound.com/rules

- https://detection.fyi

- https://www.snapattack.com/community

As always, feedback and pull requests are very welcome on both repos. Thanks to everyone who has contributed reports, corrections, and ideas. These projects only stay useful because the community keeps feeding them one way or another.