
PEAR Threat Profile: Redefining Ransomware Through Data Exposure
Executive Summary
PEAR (Pure Extraction and Ransom) is an emerging data-extortion threat group that operates using an exfiltration-first model, focusing on stealing and publicly exposing sensitive data rather than deploying encryption-based ransomware. Active since June 2025, the group has rapidly scaled operations to over 92 victims across 9 countries, with a strong concentration in the United States and a diverse cross-sector footprint led by Business Services and Healthcare. Its operations rely on externally obtained access, large-scale data exfiltration, and direct victim engagement through manual communication channels, supported by a TOR-based leak ecosystem and distributed file servers for data publication. The group employs a multi-layer extortion strategy—including direct pressure, double extortion, and staged data leaks—indicating a structured yet evolving operational model centered on data monetization and exposure rather than system disruption.
Threat Profile

Group Overview
PEAR (Pure Extraction and Ransom) is a data-extortion-focused ransomware group that operates using:
- Data exfiltration as the primary attack objective
- Direct extortion against victims
- Double extortion using stolen data
- Free leak campaigns to increase pressure
The group claims to be a private, disciplined team with no affiliation to other threat actors. It positions itself as a security-focused organization, stating that its goal is to expose vulnerabilities and encourage better data protection practices.
This narrative is reinforced in its public messaging, where it frames attacks as a consequence of poor security hygiene rather than malicious intent.
Operational Characteristics
PEAR follows a non-traditional ransomware model centered on data theft and exposure rather than encryption.

Victimology
Overview
|
Metric |
Value |
|
Total Victims |
92 + |
|
Countries Affected |
9 |
|
Active Since |
June 2025 |
|
Leak Site |
Active |
PEAR demonstrates a high-volume victim base, with activity scaling rapidly across multiple organizations over a relatively short time period. The volume of observed victims indicates sustained operational activity rather than isolated campaigns, with continuous additions to its leak platform reflecting an active and ongoing targeting cycle.
Sector distribution reveals a diverse cross-industry footprint, including healthcare, business services, financial services, construction, education, logistics, and public sector entities. This spread indicates that PEAR does not limit operations to specific industries, instead targeting a wide range of organizations where sensitive or operational data can be extracted and leveraged.
At an organizational level, the victim set includes both small-to-mid-sized entities and larger institutions, such as universities and public-facing organizations. This variation suggests that targeting is not constrained by company size, but rather influenced by the availability of accessible systems and the potential value of extracted data, as reflected in repeated incidents across similar operational environments.
Geographical Distribution
PEAR exhibits a highly concentrated yet expanding victim footprint, with a strong dominance in the United States and limited but notable activity across multiple international regions. Unlike mature ransomware groups that demonstrate balanced global targeting, PEAR’s distribution reflects a skewed and opportunistic pattern, where a single region accounts for the majority of observed activity.

The United States represents the primary concentration of victims, significantly outweighing all other regions. Additional activity has been observed across countries such as Canada, Australia, New Zealand, Germany, Egypt, and Jamaica, Norway, Switzerland each contributing a comparatively small number of incidents. This distribution indicates that while the group is not geographically restricted, its operations remain heavily centered on U.S.-based organizations.
From a regional perspective, North America dominates overall activity, driven by repeated targeting within the United States. Other regions — including Europe and Asia-Pacific — display fragmented and low-volume incidents, with no evidence of sustained regional campaigns or clustering. This pattern highlights a clear imbalance in geographic targeting, where activity outside the primary region remains limited and sporadic.
Sector Targeting

PEAR’s sector distribution reflects a partially concentrated targeting pattern, with a strong emphasis on Business Services (34.8%), making it the most frequently targeted sector. This indicates a consistent focus on organizations involved in operational, administrative, and advisory functions, where internal and client-related data can be leveraged for extortion. Healthcare (19.6%) follows as the second-largest segment, highlighting continued exposure of environments handling sensitive medical and personal data.
Financial Services (7.6%) and a group of mid-tier sectors — including Technology (6.5%), Manufacturing (6.5%), and Public Sector (6.5%) — show steady but secondary levels of activity. These sectors represent a mix of economically sensitive, infrastructure-related, and data-dependent environments, indicating that targeting extends beyond a single industry focus.
Lower-frequency sectors such as Consumer Services (5.4%), Construction (3.3%), Education (3.3%), Hospitality & Tourism (3.3%), Transportation & Logistics (2.2%), and Agriculture & Food Production (1.1%) demonstrate broader but limited reach. This distribution highlights a skewed sector spread, where a few dominant industries account for the majority of victims while remaining sectors show fragmented and minimal activity.
Technical Analysis
Initial Access and Foothold:
- Available intelligence does not identify a consistent or repeatable initial access vector across observed PEAR incidents. The group’s activity suggests the use of externally obtained access, potentially through compromised credentials or exposed services, rather than reliance on a single intrusion method.
- There is no confirmed evidence of vulnerability exploitation or advanced intrusion techniques. Observations indicate that access is established through commonly available entry points, with no indication of specialized or custom-developed access mechanisms.
Privilege Escalation, Defense Evasion, and Persistence:
- There is limited visibility into privilege escalation, persistence, and defense evasion techniques used by PEAR. No consistent tools, exploits, or repeatable mechanisms have been identified across observed incidents.
- Available data suggests that operations are conducted using existing access privileges and standard system capabilities, without introducing identifiable malware or complex persistence structures. These stages remain largely unobserved and lack sufficient technical detail for further classification.
Lateral Movement, Exfiltration, and Encryption:
Lateral Movement
- Lateral movement techniques are not explicitly documented. Internal access expansion is likely performed using available credentials and standard administrative access methods, though no consistent pattern or tooling has been confirmed.
Attack Sequence
- Initial access through externally obtained or exposed access
- Execution using system-level utilities or commands
- Internal reconnaissance to identify relevant data
- Data collection and staging within the environment
- Data exfiltration to attacker-controlled infrastructure
- Extortion through direct communication and data exposure
Data Exfiltration
- Data exfiltration is the central operational activity. The group focuses on extracting large volumes of data, which are later referenced on its leak platform with associated size indicators (GB/TB scale).
Encryption
- There is no observed use of encryption. The group explicitly states that it does not encrypt victim systems and relies entirely on data theft and exposure for extortion.
Command and Control (C2):
- Available intelligence indicates the use of attacker-controlled infrastructure for handling stolen data and supporting operational activity. This implies the presence of command-and-control communication, likely conducted through standard web-based channels.
- Specific technical characteristics — including protocols, beaconing behavior, or infrastructure patterns — remain unconfirmed, with no identifiable or unique C2 framework observed.
Communication and Platform Analysis
- PEAR uses a direct and manual communication model, primarily through email and TOX messaging. Responses are typically provided within a short timeframe, indicating active human involvement rather than automated systems.
- Victims are required to initiate and maintain communication to prevent data exposure, with interactions managed continuously throughout the engagement. This reflects a controlled, manually operated workflow, without reliance on dedicated negotiation portals or automated platforms.
Negotiation Behavior
- PEAR follows a structured negotiation process driven by strict timelines and staged escalation. Deadlines are enforced for both agreement and payment, with clearly defined consequences, including public data exposure and further escalation actions.
- The group validates its claims by sharing selected files and providing access to stolen data samples, reinforcing credibility while maintaining pressure. This is combined with persistent follow-ups, urgency-driven messaging, and limited pricing flexibility through controlled discounts.
- In addition, PEAR applies multi-layer pressure tactics, including threats of data leaks, reputational impact, regulatory exposure, and outreach to third parties. The negotiation remains fully manual, with the group maintaining control of the process and treating delays as non-cooperation.
Leak Site and Infrastructure Analysis:
- PEAR operates a TOR-based leak ecosystem supported by multiple file-hosting servers used to store and distribute stolen data. The leak site presents structured victim entries, including organization identifiers and associated data volumes.
- The platform distinguishes between different exposure stages, such as publicly listed entries and datasets made available for download. Multiple file server links are used to host stolen data, enabling access through separate infrastructure endpoints.
The ecosystem includes:
-
Leak Site (TOR): Displays victim listings and exposure status
-
File Servers (DLS): Host stolen datasets across multiple links
-
Communication Channels: Email and TOX used for negotiation
Key observations include:
- Multiple TOR-based file server links associated with data hosting
- Public listing of victims with visible data volume indicators
- Separation between listing interface and data hosting endpoints
- Direct publication model where data is made accessible through provided links
Overall, PEAR’s infrastructure reflects a data exposure model centered on direct publication and distribution, where stolen datasets are made available through its own controlled environment and leveraged for extortion.
MITRE ATT&CK TTPs
|
Tactic |
Technique ID |
Technique Name |
|
Initial Access |
T1078.002 |
Valid Accounts: Domain Accounts |
|
Initial Access |
T1133 |
External Remote Services |
|
Initial Access |
T1566 |
Phishing |
|
Execution |
T1059.001 |
Command and Scripting Interpreter: PowerShell |
|
Execution |
T1059.003 |
Command and Scripting Interpreter: Windows Command Shell |
|
Execution |
T1204.002 |
User Execution: Malicious File |
|
Execution |
T1204.004 |
User Execution: Malicious Copy and Paste |
|
Persistence |
T1547.001 |
Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
|
Stealth |
T1027.013 |
Obfuscated Files or Information: Encrypted/Encoded File |
|
Stealth |
T1055.001 |
Process Injection: DLL Injection |
|
Credential Access |
T1056.001 |
Input Capture: Keylogging |
|
Credential Access |
T1555.003 |
Credentials from Password Stores: Credentials from Web Browsers |
|
Discovery |
T1083 |
File and Directory Discovery |
|
Lateral Movement |
T1021.002 |
Remote Services: SMB/Windows Admin Shares |
|
Collection |
T1005 |
Data from Local System |
|
Collection |
T1074.001 |
Data Staged: Local Data Staging |
|
Collection |
T1114 |
Email Collection |
|
Collection |
T1213 |
Data from Information Repositories |
|
Collection |
T1560.001 |
Archive Collected Data: Archive via Utility |
|
Command and Control |
T1071.001 |
Application Layer Protocol: Web Protocols |
|
Command and Control |
T1102.002 |
Web Service: Bidirectional Communication |
|
Command and Control |
T1090.003 |
Proxy: Multi-hop Proxy |
|
Exfiltration |
T1041 |
Exfiltration Over C2 Channel |
|
Exfiltration |
T1567.002 |
Exfiltration Over Web Service: Exfiltration to Cloud Storage |
|
Exfiltration |
T1567.004 |
Exfiltration Over Web Service: Exfiltration to Webhook |
|
Impact |
T1657 |
Financial Theft |
Indicators of Compromise (IOCs)
|
Type |
IOC Value |
|
TOR Leak Site |
hxxp://peargxn3oki34c4savcbcfqofjjwjnnyrlrbszfv6ujlx36mhrh57did[.]onion |
|
DLS File Server |
hxxp://csxilwnl7orv6rwfjen5ye3tefk5shjtr4tysuykgxjsyngpvoqrvbid[.]onion |
|
DLS File Server |
hxxp://etus2tmakckdlkyjpevoyciuao7er5fj3qm26aev3nch4fusptefiayd[.]onion |
|
DLS File Server |
hxxp://yxwomyfmexm3bfcuumnugrzwluol5qwsw6pmne7jklgmzthkp35l2jqd[.]onion |
|
DLS File Server |
hxxp://e7a6zgqfijn2ko6lzkz53tysjpnf22fxj4h2f3saufrmsts5pbul5eid[.]onion |
|
|
pear@onionmail[.]org |
|
TOX ID |
457BB4E5DF0E650509322CA894758D925A568828090A3449D5AEEED30E9B8E18DDDFF71909ED |
Mitigations & Recommendations
1. Initial Access Hardening
- Enforce multi-factor authentication (MFA) across all external access points
- Restrict exposure of internet-facing services such as VPN, RDP, and remote access interfaces
- Continuously discover and monitor exposed assets, shadow IT, and external attack surface risks using CyberXTron ShadowSpot
- Monitor for compromised credentials and exposed identities using CyberXTron DarkFlash
2. Identity & Credential Protection
- Implement strict least-privilege access controls across all systems
- Monitor authentication patterns for anomalies, including unusual login locations or access times using XTron AI
- Enforce strong password policies and regular credential rotation to reduce credential reuse risk
3. Network Security & Lateral Movement Control
- Segment networks to isolate critical systems and sensitive data environments
- Monitor internal access behavior for signs of unauthorized lateral movement or privilege misuse
- Improve network visibility and investigation capabilities using CyberXTron MCP (Managed Cyber Platform)
4. Endpoint Protection & Threat Monitoring
- Deploy EDR/XDR solutions focused on behavioral detection rather than signature-based alerts
- Monitor command execution, scripting activity, and abnormal system behavior
- Enhance real-time detection and response using CyberXTron ThreatBolt
5. Data Protection & Exfiltration Prevention
- Monitor outbound traffic for large or unusual data transfers, especially to unknown or TOR-related infrastructure
- Implement Data Loss Prevention (DLP) controls to restrict unauthorized data movement
- Classify and secure sensitive data to reduce exposure impact in case of compromise
- Identify leaked credentials, exposed data, and underground exposure using CyberXTron DarkFlash
- Continuously assess externally exposed infrastructure and shadow assets using CyberXTron ShadowSpot
6. External Exposure & Leak Monitoring
- Continuously monitor dark web and leak sites for early signs of data exposure
- Track unauthorized publication of organizational data and sensitive information
- Detect misuse of brand identity and leaked assets using CyberXTron BrandSafe
- Identify unknown internet-facing assets, third-party exposures, and misconfigured services using CyberXTron ShadowSpot
7. Backup & Recovery Strategy
- Maintain secure, offline, and immutable backups of critical data
- Regularly test backup restoration processes to ensure recovery readiness
- Ensure backups are isolated from production environments to prevent compromise
8. Incident Response & Extortion Readiness
- Develop a data breach and extortion-specific response plan, not just ransomware recovery
- Prepare for rapid containment of data exfiltration and exposure scenarios
- Conduct proactive threat hunting across identity, endpoint, and network layers
- Accelerate investigation and response using CyberXTron MCP and XTron AI
Conclusion
PEAR represents a clear shift from traditional ransomware operations toward a data-centric extortion model, where the primary objective is the extraction and controlled exposure of sensitive information rather than system disruption through encryption. Its operational structure—supported by TOR-based leak infrastructure, distributed file servers, and direct communication channels—demonstrates a streamlined approach focused on maximizing pressure through data visibility and staged disclosure. The group’s ability to scale rapidly across multiple sectors and regions, while maintaining a strong concentration in a single geographic area, highlights both operational efficiency and a focused targeting strategy.
At a strategic level, PEAR reflects an evolving threat landscape where data itself is the primary asset for monetization, reducing reliance on technically complex attack chains and instead leveraging accessibility, volume, and exposure impact. The absence of encryption, combined with manual negotiation and multi-layer extortion tactics, indicates a model that is easier to execute and potentially more scalable. This trend underscores the growing importance of data protection, exposure monitoring, and identity security, as organizations face increasing risk from adversaries prioritizing data exploitation over traditional ransomware deployment.