CRITICALFortiBleed is actively compromising Fortinet firewalls. Is your domain exposed?
Run free scan
CyberXtron
PEAR Threat Profile: Redefining Ransomware Through Data Exposure
#CyberXtron#Pear#Ransom#Exfiltrationfirst

PEAR Threat Profile: Redefining Ransomware Through Data Exposure

Executive Summary

PEAR (Pure Extraction and Ransom) is an emerging data-extortion threat group that operates using an exfiltration-first model, focusing on stealing and publicly exposing sensitive data rather than deploying encryption-based ransomware. Active since June 2025, the group has rapidly scaled operations to over 92 victims across 9 countries, with a strong concentration in the United States and a diverse cross-sector footprint led by Business Services and Healthcare. Its operations rely on externally obtained access, large-scale data exfiltration, and direct victim engagement through manual communication channels, supported by a TOR-based leak ecosystem and distributed file servers for data publication. The group employs a multi-layer extortion strategy—including direct pressure, double extortion, and staged data leaks—indicating a structured yet evolving operational model centered on data monetization and exposure rather than system disruption.

Threat Profile

 

Group Overview

PEAR (Pure Extraction and Ransom) is a data-extortion-focused ransomware group that operates using:

  • Data exfiltration as the primary attack objective
  • Direct extortion against victims
  • Double extortion using stolen data
  • Free leak campaigns to increase pressure

The group claims to be a private, disciplined team with no affiliation to other threat actors. It positions itself as a security-focused organization, stating that its goal is to expose vulnerabilities and encourage better data protection practices.

This narrative is reinforced in its public messaging, where it frames attacks as a consequence of poor security hygiene rather than malicious intent.

Operational Characteristics

PEAR follows a non-traditional ransomware model centered on data theft and exposure rather than encryption.

 

Victimology

Overview

Metric 

Value 

Total Victims 

92 + 

Countries Affected 

9 

Active Since 

June 2025 

Leak Site 

Active 

 

PEAR demonstrates a high-volume victim base, with activity scaling rapidly across multiple organizations over a relatively short time period. The volume of observed victims indicates sustained operational activity rather than isolated campaigns, with continuous additions to its leak platform reflecting an active and ongoing targeting cycle.

Sector distribution reveals a diverse cross-industry footprint, including healthcare, business services, financial services, construction, education, logistics, and public sector entities. This spread indicates that PEAR does not limit operations to specific industries, instead targeting a wide range of organizations where sensitive or operational data can be extracted and leveraged.

At an organizational level, the victim set includes both small-to-mid-sized entities and larger institutions, such as universities and public-facing organizations. This variation suggests that targeting is not constrained by company size, but rather influenced by the availability of accessible systems and the potential value of extracted data, as reflected in repeated incidents across similar operational environments.

Geographical Distribution

PEAR exhibits a highly concentrated yet expanding victim footprint, with a strong dominance in the United States and limited but notable activity across multiple international regions. Unlike mature ransomware groups that demonstrate balanced global targeting, PEAR’s distribution reflects a skewed and opportunistic pattern, where a single region accounts for the majority of observed activity.

 

The United States represents the primary concentration of victims, significantly outweighing all other regions. Additional activity has been observed across countries such as Canada, Australia, New Zealand, Germany, Egypt, and Jamaica, Norway, Switzerland each contributing a comparatively small number of incidents. This distribution indicates that while the group is not geographically restricted, its operations remain heavily centered on U.S.-based organizations.

From a regional perspective, North America dominates overall activity, driven by repeated targeting within the United States. Other regions — including Europe and Asia-Pacific — display fragmented and low-volume incidents, with no evidence of sustained regional campaigns or clustering. This pattern highlights a clear imbalance in geographic targeting, where activity outside the primary region remains limited and sporadic.

Sector Targeting

 

PEAR’s sector distribution reflects a partially concentrated targeting pattern, with a strong emphasis on Business Services (34.8%), making it the most frequently targeted sector. This indicates a consistent focus on organizations involved in operational, administrative, and advisory functions, where internal and client-related data can be leveraged for extortion. Healthcare (19.6%) follows as the second-largest segment, highlighting continued exposure of environments handling sensitive medical and personal data.

Financial Services (7.6%) and a group of mid-tier sectors — including Technology (6.5%), Manufacturing (6.5%), and Public Sector (6.5%) — show steady but secondary levels of activity. These sectors represent a mix of economically sensitive, infrastructure-related, and data-dependent environments, indicating that targeting extends beyond a single industry focus.

Lower-frequency sectors such as Consumer Services (5.4%), Construction (3.3%), Education (3.3%), Hospitality & Tourism (3.3%), Transportation & Logistics (2.2%), and Agriculture & Food Production (1.1%) demonstrate broader but limited reach. This distribution highlights a skewed sector spread, where a few dominant industries account for the majority of victims while remaining sectors show fragmented and minimal activity.

Technical Analysis

Initial Access and Foothold:

  • Available intelligence does not identify a consistent or repeatable initial access vector across observed PEAR incidents. The group’s activity suggests the use of externally obtained access, potentially through compromised credentials or exposed services, rather than reliance on a single intrusion method.
  • There is no confirmed evidence of vulnerability exploitation or advanced intrusion techniques. Observations indicate that access is established through commonly available entry points, with no indication of specialized or custom-developed access mechanisms.

Privilege Escalation, Defense Evasion, and Persistence:

  • There is limited visibility into privilege escalation, persistence, and defense evasion techniques used by PEAR. No consistent tools, exploits, or repeatable mechanisms have been identified across observed incidents.
  • Available data suggests that operations are conducted using existing access privileges and standard system capabilities, without introducing identifiable malware or complex persistence structures. These stages remain largely unobserved and lack sufficient technical detail for further classification.

Lateral Movement, Exfiltration, and Encryption:

Lateral Movement

  • Lateral movement techniques are not explicitly documented. Internal access expansion is likely performed using available credentials and standard administrative access methods, though no consistent pattern or tooling has been confirmed.

Attack Sequence

  • Initial access through externally obtained or exposed access 
  • Execution using system-level utilities or commands 
  • Internal reconnaissance to identify relevant data 
  • Data collection and staging within the environment 
  • Data exfiltration to attacker-controlled infrastructure 
  • Extortion through direct communication and data exposure 

Data Exfiltration

  • Data exfiltration is the central operational activity. The group focuses on extracting large volumes of data, which are later referenced on its leak platform with associated size indicators (GB/TB scale).

Encryption

  • There is no observed use of encryption. The group explicitly states that it does not encrypt victim systems and relies entirely on data theft and exposure for extortion.

Command and Control (C2):

  • Available intelligence indicates the use of attacker-controlled infrastructure for handling stolen data and supporting operational activity. This implies the presence of command-and-control communication, likely conducted through standard web-based channels.
  • Specific technical characteristics — including protocols, beaconing behavior, or infrastructure patterns — remain unconfirmed, with no identifiable or unique C2 framework observed.

Communication and Platform Analysis

  • PEAR uses a direct and manual communication model, primarily through email and TOX messaging. Responses are typically provided within a short timeframeindicating active human involvement rather than automated systems.
  • Victims are required to initiate and maintain communication to prevent data exposure, with interactions managed continuously throughout the engagement. This reflects a controlled, manually operated workflow, without reliance on dedicated negotiation portals or automated platforms.

Negotiation Behavior

  • PEAR follows a structured negotiation process driven by strict timelines and staged escalation. Deadlines are enforced for both agreement and payment, with clearly defined consequences, including public data exposure and further escalation actions.
  • The group validates its claims by sharing selected files and providing access to stolen data samples, reinforcing credibility while maintaining pressure. This is combined with persistent follow-ups, urgency-driven messaging, and limited pricing flexibility through controlled discounts.
  • In addition, PEAR applies multi-layer pressure tactics, including threats of data leaks, reputational impact, regulatory exposure, and outreach to third parties. The negotiation remains fully manual, with the group maintaining control of the process and treating delays as non-cooperation.

Leak Site and Infrastructure Analysis:

  • PEAR operates a TOR-based leak ecosystem supported by multiple file-hosting servers used to store and distribute stolen data. The leak site presents structured victim entries, including organization identifiers and associated data volumes.
  • The platform distinguishes between different exposure stages, such as publicly listed entries and datasets made available for download. Multiple file server links are used to host stolen data, enabling access through separate infrastructure endpoints.

The ecosystem includes:

  • Leak Site (TOR): Displays victim listings and exposure status 

  • File Servers (DLS): Host stolen datasets across multiple links 

  • Communication Channels: Email and TOX used for negotiation 

Key observations include:

  • Multiple TOR-based file server links associated with data hosting 
  • Public listing of victims with visible data volume indicators 
  • Separation between listing interface and data hosting endpoints 
  • Direct publication model where data is made accessible through provided links

Overall, PEAR’s infrastructure reflects a data exposure model centered on direct publication and distribution, where stolen datasets are made available through its own controlled environment and leveraged for extortion.

MITRE ATT&CK TTPs

Tactic 

Technique ID 

Technique Name 

Initial Access 

T1078.002 

Valid Accounts: Domain Accounts 

Initial Access 

T1133 

External Remote Services 

Initial Access 

T1566 

Phishing 

Execution 

T1059.001 

Command and Scripting Interpreter: PowerShell 

Execution 

T1059.003 

Command and Scripting Interpreter: Windows Command Shell 

Execution 

T1204.002 

User Execution: Malicious File 

Execution 

T1204.004 

User Execution: Malicious Copy and Paste 

Persistence 

T1547.001 

Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder 

Stealth 

T1027.013 

Obfuscated Files or Information: Encrypted/Encoded File 

Stealth 

T1055.001 

Process Injection: DLL Injection 

Credential Access 

T1056.001 

Input Capture: Keylogging 

Credential Access 

T1555.003 

Credentials from Password Stores: Credentials from Web Browsers 

Discovery 

T1083 

File and Directory Discovery 

Lateral Movement 

T1021.002 

Remote Services: SMB/Windows Admin Shares 

Collection 

T1005 

Data from Local System 

Collection 

T1074.001 

Data Staged: Local Data Staging 

Collection 

T1114 

Email Collection 

Collection 

T1213 

Data from Information Repositories 

Collection 

T1560.001 

Archive Collected Data: Archive via Utility 

Command and Control 

T1071.001 

Application Layer Protocol: Web Protocols 

Command and Control 

T1102.002 

Web Service: Bidirectional Communication 

Command and Control 

T1090.003 

Proxy: Multi-hop Proxy 

Exfiltration 

T1041 

Exfiltration Over C2 Channel 

Exfiltration 

T1567.002 

Exfiltration Over Web Service: Exfiltration to Cloud Storage 

Exfiltration 

T1567.004 

Exfiltration Over Web Service: Exfiltration to Webhook 

Impact 

T1657 

Financial Theft 

 

Indicators of Compromise (IOCs)

Type 

IOC Value 

TOR Leak Site 

hxxp://peargxn3oki34c4savcbcfqofjjwjnnyrlrbszfv6ujlx36mhrh57did[.]onion 

DLS File Server 

hxxp://csxilwnl7orv6rwfjen5ye3tefk5shjtr4tysuykgxjsyngpvoqrvbid[.]onion 

DLS File Server 

hxxp://etus2tmakckdlkyjpevoyciuao7er5fj3qm26aev3nch4fusptefiayd[.]onion 

DLS File Server 

hxxp://yxwomyfmexm3bfcuumnugrzwluol5qwsw6pmne7jklgmzthkp35l2jqd[.]onion 

DLS File Server 

hxxp://e7a6zgqfijn2ko6lzkz53tysjpnf22fxj4h2f3saufrmsts5pbul5eid[.]onion 

Email 

pear@onionmail[.]org 

TOX ID 

457BB4E5DF0E650509322CA894758D925A568828090A3449D5AEEED30E9B8E18DDDFF71909ED 

 

Mitigations & Recommendations

1. Initial Access Hardening

  • Enforce multi-factor authentication (MFA) across all external access points
  • Restrict exposure of internet-facing services such as VPN, RDP, and remote access interfaces
  • Continuously discover and monitor exposed assets, shadow IT, and external attack surface risks using CyberXTron ShadowSpot

2. Identity & Credential Protection

  • Implement strict least-privilege access controls across all systems
  • Monitor authentication patterns for anomalies, including unusual login locations or access times using XTron AI
  • Enforce strong password policies and regular credential rotation to reduce credential reuse risk

3. Network Security & Lateral Movement Control

  • Segment networks to isolate critical systems and sensitive data environments
  • Monitor internal access behavior for signs of unauthorized lateral movement or privilege misuse

4. Endpoint Protection & Threat Monitoring

  • Deploy EDR/XDR solutions focused on behavioral detection rather than signature-based alerts
  • Monitor command execution, scripting activity, and abnormal system behavior

5. Data Protection & Exfiltration Prevention

  • Monitor outbound traffic for large or unusual data transfers, especially to unknown or TOR-related infrastructure 
  • Implement Data Loss Prevention (DLP) controls to restrict unauthorized data movement 
  • Classify and secure sensitive data to reduce exposure impact in case of compromise 
  • Identify leaked credentials, exposed data, and underground exposure using CyberXTron DarkFlash 

6. External Exposure & Leak Monitoring

  • Continuously monitor dark web and leak sites for early signs of data exposure 
  • Track unauthorized publication of organizational data and sensitive information 
  • Identify unknown internet-facing assets, third-party exposures, and misconfigured services using CyberXTron ShadowSpot 

7. Backup & Recovery Strategy

  • Maintain secure, offline, and immutable backups of critical data 
  • Regularly test backup restoration processes to ensure recovery readiness 
  • Ensure backups are isolated from production environments to prevent compromise 

8. Incident Response & Extortion Readiness

  • Develop a data breach and extortion-specific response plan, not just ransomware recovery
  • Prepare for rapid containment of data exfiltration and exposure scenarios 
  • Conduct proactive threat hunting across identity, endpoint, and network layers 

Conclusion

PEAR represents a clear shift from traditional ransomware operations toward a data-centric extortion model, where the primary objective is the extraction and controlled exposure of sensitive information rather than system disruption through encryption. Its operational structure—supported by TOR-based leak infrastructure, distributed file servers, and direct communication channels—demonstrates a streamlined approach focused on maximizing pressure through data visibility and staged disclosure. The group’s ability to scale rapidly across multiple sectors and regions, while maintaining a strong concentration in a single geographic area, highlights both operational efficiency and a focused targeting strategy. 

At a strategic level, PEAR reflects an evolving threat landscape where data itself is the primary asset for monetization, reducing reliance on technically complex attack chains and instead leveraging accessibility, volume, and exposure impact. The absence of encryption, combined with manual negotiation and multi-layer extortion tactics, indicates a model that is easier to execute and potentially more scalable. This trend underscores the growing importance of data protection, exposure monitoring, and identity security, as organizations face increasing risk from adversaries prioritizing data exploitation over traditional ransomware deployment. 

 

Elevate your security—get curated threat insights in your inbox.