Incident contained, investigation ongoing

Ransomware Group “Gentlemen” Extorts NATO Supplier Indra Group

Ransomware, Gentlemen ransomware, NATO cybersecurity, Gentlemen ransomware attack on Indra Group, Indra Group subsidiary cyberattack confirmed, Indra Group ransomware, Indra Group cyberattack, Indra Group, Cyberattack
Facebook
X
LinkedIn
Reddit
WhatsApp
Source: sashk0 / Shutterstock.co

The ransomware gang known as Gentlemen has claimed responsibility for an extortion attempt targeting Spanish defense and technology company Indra Group. The company has confirmed a cybersecurity incident affecting one of its subsidiaries.

According to the attackers, Indra Group has been listed on their darknet leak site, where they issued a nine day ultimatum demanding negotiations. If the company fails to engage, the group threatens to publish allegedly stolen data. Local media reports confirm that Indra has acknowledged a ransomware attack on a subsidiary unit.

Ad

Indra Group stated that its internal incident response team immediately activated cybersecurity protocols for analysis and containment. The company says the attack was quickly isolated, preventing any lateral movement across other subsidiaries.

In its official statement, Indra emphasized that it has “guaranteed the security and continuity of its services.” A full investigation is ongoing, along with a broader review of its security procedures.

Indra Group: key NATO-aligned defense contractor

Indra Group is one of Europe’s largest defense, aerospace, and technology companies. The firm provides mission critical systems to governments, armed forces, and critical infrastructure operators worldwide.

Ad

Indra is also the first Spanish company to join NATO’s cyber defense coalition, reinforcing its position within allied cybersecurity initiatives. The company’s portfolio includes identity management systems, cybersecurity solutions for sectors such as energy and finance, as well as technologies for global air traffic management.

In 2025, Indra expanded its space operations through the acquisition of approximately 90 percent of Spanish satellite operator Hispasat. The company employs more than 62,000 people worldwide and generates annual revenue of around five billion euros across more than 140 countries.

Inside the “Gentlemen” ransomware operation

The Gentlemen group operates under a ransomware-as-a-service (RaaS) model, where core operators develop malware and share profits with affiliated cybercriminals who deploy the attacks.

The group originated from a roughly 20 member faction called ArmCorp, previously associated with the Qilin ransomware ecosystem. According to analysis by cybersecurity firm Halcyon, the split occurred in July 2025 following a dispute over unpaid commissions totaling around $48,000 USD.

Shortly after the breakaway, early malware samples linked to Gentlemen emerged, already containing hardcoded references to their darknet leak site. Security researchers report that the group has primarily targeted organizations in Thailand, the United States, France, and Brazil.

(lb)

Ad

Weitere Artikel