On 30 June, the ransomware group known as The Gentlemen added Indra Group to its dark web leak site. Indra is a Spanish multinational technology and defence company and a NATO contractor, the kind of organisation whose compromise draws attention well beyond the usual security press. The gang’s post set a deadline of roughly 236 hours, just under nine days, for Indra to open communication before it would begin publishing whatever data it claims to hold. That window closed on or around 9 July.
What Indra has confirmed, and what it has not
Indra has acknowledged a ransomware attack, but describes it as limited to one subsidiary, with a “minimal” impact confined to a non-critical environment, no spread to the rest of the group, and no disruption to service delivery. What the company has not said, and what The Gentlemen have not yet demonstrated publicly, is what data was actually taken. As of the most recent reporting, no sample files have been published on the leak site to substantiate the claim, which is common in the early stage of a double extortion listing but leaves the actual exposure, if any, unverified.
Double extortion, and a gang that is having a very active year
The Gentlemen’s model is the now-standard double extortion playbook, encrypt what you can reach, exfiltrate sensitive data first, and hold the threat of publication over the victim regardless of whether they can restore from backup. What sets this incident apart is the target and the attacker’s recent track record: The Gentlemen have claimed more than 300 victims in the first half of 2026, roughly one in every ten ransomware claims recorded worldwide in that period, putting them second only to Qilin among active ransomware-as-a-service operations. A group operating at that volume is not selecting targets for their symbolic value, it is running an efficient affiliate operation against whatever attack surface presents the least resistance, and a NATO-linked defence contractor landing on that list says as much about the group’s reach as it does about any specific weakness at Indra.
What this means for European organisations, defence-linked or not
A confirmed intrusion at a company with Indra’s profile is a reminder that sector prominence and government relationships do not function as security controls. The specifics of Indra’s entry point have not been disclosed, but the broader pattern among high-volume ransomware-as-a-service groups this year has consistently pointed to the same categories: credential-based access to VPNs and remote access services, often without multi-factor authentication, and exploitation of unpatched remote access appliances. Organisations that have not recently verified MFA coverage across every remote access account, tested their offline backups, or rehearsed an incident response plan before an intrusion rather than during one are exposed to exactly the kind of operation that just listed a NATO contractor.
If your organisation wants to assess its exposure to ransomware-as-a-service groups like The Gentlemen, close the remote access and MFA gaps these operations depend on, or build an incident response plan before you need one, contact Excello Digital. We help European organisations, defence-adjacent or otherwise, close the doors that high-volume ransomware affiliates are actively testing.
