Spanish defense and technology company Indra Group is investigating a ransomware incident after a cybercriminal group claimed to have stolen company data and threatened to publish it unless negotiations begin.
The ransomware gang known as The Gentlemen added Indra to its dark web leak site on June 30, giving the company several days to establish contact before the allegedly stolen data is released. At this stage, neither the attackers nor the company has disclosed what information was allegedly taken.
Indra is one of Europe’s largest defense contractors and a key supplier to NATO and the Spanish armed forces. The company develops military communications, radar systems, air defense technologies, cybersecurity solutions, and critical infrastructure used by governments and defense organizations worldwide.
In a statement, Indra confirmed that one of its subsidiaries had experienced a cyberattack involving ransomware. The company said its Computer Security Incident Response Team (CSIRT) immediately activated containment procedures and determined that the incident was limited to a non-critical environment. According to Indra, there is no evidence that the attack spread to other companies within the group, and customer services have continued operating normally throughout the investigation.
The company said it implemented containment, eradication, and recovery measures while strengthening security controls across its infrastructure. Investigators are continuing to examine the incident to determine how attackers gained access and whether any data was exfiltrated.
The Gentlemen is an active ransomware operation that follows the increasingly common double extortion model. Rather than relying solely on file encryption, the group also claims to steal sensitive corporate data and threatens to publish it if victims refuse to negotiate. This tactic allows attackers to pressure organizations even when backups enable them to recover encrypted systems.
Because Indra works extensively with governments, defense agencies, transportation operators, and critical infrastructure providers, any confirmed data exposure could have implications beyond the company itself. However, there is currently no public evidence that classified information or customer systems have been compromised.
