The Indra ransomware attack has placed one of Europe’s largest defense and aerospace companies under pressure after the Gentlemen ransomware gang claimed it had stolen company data. While Indra says the incident affected only one subsidiary and did not disrupt its services, the attackers have set a deadline to begin publishing the allegedly stolen information.

Gentlemen Gang Gives Indra Nine-Day Deadline

The Gentlemen ransomware group has added Spanish multinational Indra Group to its dark web leak site, claiming it possesses data stolen from the company.

The gang published its post on June 30, giving Indra nine days to establish contact before it begins releasing the alleged data publicly. Like many ransomware operations, the group is using a countdown to pressure the victim into negotiating a ransom payment.

At this stage, neither the attackers nor the company have disclosed what information may have been compromised.

Indra Confirms Cyberattack on Subsidiary

Indra has confirmed that ransomware affected one of its subsidiaries but says the incident has not interrupted its operations.

According to the company, its Computer Security Incident Response Team (CSIRT) activated internal response procedures immediately after detecting the attack. Security specialists launched an investigation, verified affected systems, and reviewed potentially compromised environments.

The company also stated that the attack remained isolated to the affected subsidiary and that investigators have ruled out any spread across the wider Indra Group.

Indra continues to investigate the incident while auditing its existing security controls and procedures.

The company has not commented publicly on the ransomware group’s claims regarding stolen data. Cybernews has requested additional information and said it will update its report if Indra responds.

Indra Plays a Critical Role in European Defense

Headquartered in Spain, Indra Group ranks among Europe’s leading defense, aerospace, and technology companies. It supplies governments, armed forces, and operators of critical infrastructure with a wide range of advanced systems and services.

The company also became the first Spanish organization to join NATO’s cyber defence coalition.

Beyond defense projects, Indra develops identity management and cybersecurity technologies that protect organizations operating in sectors including energy, finance, telecommunications, and public administration.

Its portfolio also includes air traffic management systems, military simulation platforms, surveillance radar technology, and intelligent transportation solutions used to manage roads and railway networks.

In 2025, Indra significantly expanded its space business by acquiring approximately 90% of Spanish satellite operator Hispasat, strengthening its position in satellite communications and space technologies.

Today, the company employs more than 62,000 people, generates around €5 billion in annual revenue, and operates in more than 140 countries.

Who Is the Gentlemen Ransomware Group?

The Gentlemen ransomware operation runs under the ransomware-as-a-service (RaaS) model, allowing affiliates to deploy ransomware in exchange for a share of the profits.

Researchers believe the group emerged from ArmCorp, a well-known affiliate cluster within the Qilin ransomware ecosystem that consisted of roughly 20 members.

According to cybersecurity firm Halcyon, the split followed a payment dispute in July 2025. A threat actor known as “hastalamuerte” publicly accused Qilin on the RAMP underground forum of withholding approximately $48,000 in affiliate commissions.

Researchers later discovered that the first Gentlemen ransomware sample appeared on VirusTotal on July 17, 2025. Because the malware already contained the group’s leak site URL before the public dispute became widely known, analysts believe the separation had been planned well in advance.

Gentlemen Continues Expanding Its Operations

Threat intelligence indicates that Thailand has suffered the highest number of Gentlemen ransomware victims, followed by the United States, France, and Brazil.

The group’s latest claim against Indra demonstrates its continued focus on high-profile organizations operating in strategically important sectors. Whether the attackers actually possess sensitive company data remains unclear, but the ongoing investigation will likely determine the full scope of the incident in the coming days.


0 responses to “Indra Investigates Ransomware Attack as Hackers Threaten to Leak Stolen Data”