Skip to content

Ransomware Group Gentlemen Extorts Spanish NATO Supplier Indra

Bottom line: NATO supplier Indra was compromised by the RaaS group Gentlemen; the company claims containment while extortionists threaten data leaks.

The Gentlemen ransomware gang has listed the Spanish defense and technology corporation Indra Group on its leak site and is demanding a nine-day negotiation period for extortion. Indra confirms an attack on a subsidiary but says it was contained locally.

The Gentlemen ransomware gang has listed the Spanish technology and defense corporation Indra Group on its leak site operated in the dark web. The attackers have set a nine-day deadline to begin negotiations; otherwise they threaten to publish stolen data. Indra confirmed to local media that a subsidiary was hit by a ransomware attack.

According to the company, the internal incident response team immediately activated security protocols for analysis and verification. The attack was limited to the affected area according to the corporation’s account; spread to other subsidiaries was ruled out. Indra emphasizes that the security and continuity of its services remained assured. A full security audit is still underway.

Indra, headquartered in Spain, ranks among Europe’s largest defense and aerospace companies and supplies security-critical systems to governments, militaries and critical infrastructure operators worldwide. The company is the first Spanish member of the NATO Cyber Defense Coalition. Its portfolio includes identity management, cybersecurity solutions for the energy and financial sectors, and air traffic management systems. In 2025, Indra acquired approximately 90 percent of Spanish satellite operator Hispasat. The corporation employs over 62,000 people worldwide and generates annual revenue of approximately five billion euros in more than 140 countries.

Gentlemen operates under the RaaS (Ransomware-as-a-Service) model and shares revenue with partners who provide the technical infrastructure for attacks. The gang emerged from a roughly 20-member faction called ArmCorp, which previously worked with the Qilin ransomware program. According to technical analysis by security firm Halcyon, the group split in July 2025 over a dispute involving unpaid commissions of approximately 48,000 US dollars. Shortly thereafter, the first malware samples from Gentlemen appeared, with the dark web leak site already firmly integrated. The countries most frequently targeted by the group are Thailand, the United States, France and Brazil.


Source: www.it-daily.net · Published July 2, 2026
Lumi AI News — AI-assisted curation in accordance with Art. 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.7.2.

Share on: