Virtual Round Table · Jul 22

View the event
TheGentlemen Ransomware Names NATO Contractor Indra, and a Subsidiary Was the Way In
Cybersecurity

TheGentlemen Ransomware Names NATO Contractor Indra, and a Subsidiary Was the Way In

Spain's Indra Group, a €5 billion defense and air-traffic supplier and NATO cyberdefence member, confirmed a ransomware incident in one subsidiary after TheGentlemen posted it with a nine-day leak clock.

PublishedJuly 15, 2026
Read time6 min read
Share

A defense supplier on a ransomware leak site

Around June 30, the ransomware group TheGentlemen posted Spain's Indra Group to its extortion site and started a countdown, reported variously as nine days or 236 hours, before it threatened to publish stolen files. Indra is not a soft target by reputation. The company reports roughly €5 billion in annual revenue, more than 62,000 employees and operations across 140-plus countries, and it supplies air-traffic management, surveillance radars and military simulation systems. It was also the first Spanish company to join NATO's cyberdefence coalition, which is what turned a routine leak-site listing into a story with national-security framing.

Indra confirmed an incident and worked to bound it. The company said the attack was localized to one subsidiary, that it had guaranteed the security and continuity of its services, and that there was no spread to other companies in the group. As of the reporting we reviewed, TheGentlemen had not published data samples, and Indra had not confirmed that any customer, employee or partner records were taken. The gap between the gang's claim and the victim's confirmation is normal at this stage, and it is where a lot of the eventual truth gets decided.

Double extortion against organizations with government ties

TheGentlemen operates the now-standard double-extortion playbook: exfiltrate first, encrypt second, and use the threat of publication to keep pressure on even when the victim can restore from backups. The group emerged in mid-2025 out of a split connected to the ArmCorp and Qilin ecosystems and has since concentrated on mid-sized enterprises across Europe and Latin America, frequently ones with government or defense connections. That victim selection is deliberate, because organizations in those sectors carry sensitive data and reputational stakes that make quiet payment more tempting than a public fight.

For a defense-adjacent supplier the encryption is often the smaller problem. The larger exposure is what a leak could reveal about programs, architectures, personnel and the security posture of systems that governments depend on. Even when a company can prove operational continuity, as Indra has asserted, the extortion leverage lives in the data. That is why the coming days matter more than the encryption event itself: whether TheGentlemen produces samples, and whether those samples touch anything beyond the single subsidiary Indra has described, will define the real blast radius.

The countdown clock is a pressure tactic

The nine-day timer, framed by the gang as 236 hours, is engineered to compress decision-making. A public countdown creates urgency inside the victim, invites media coverage that amplifies the pressure, and sets an artificial deadline meant to push a payment before the incident-response team has finished scoping what was actually taken. The precise-sounding hour count is theater, designed to make the threat feel measured and inevitable. Treat it as a negotiation opening, because that is what it is, rather than a technical fact about your exposure.

The right countermeasure is to run your own clock on your own facts. The question that matters is whether your forensics can confirm what data left the environment and whether backups let you restore without the attacker's key, and the hours remaining on the extortion site are irrelevant to both. Indra's public posture, asserting containment to one subsidiary and continuity of services, is the move that drains a countdown of its power. When the victim can credibly describe the scope before the deadline, the timer stops being leverage and becomes noise.

The nation-state overlap raises the stakes

A financially motivated gang hitting a NATO cyberdefence member sits on an uncomfortable seam. The data that makes Indra valuable to an extortionist, details of air-traffic systems, radars and military simulation platforms, is the same data that foreign intelligence services would pay handsomely to obtain. Even if TheGentlemen is purely criminal, stolen files can be resold, and the line between ransomware crews and state interests has grown thin. For any supplier embedded in critical national infrastructure, a criminal breach carries a second-order risk that the exfiltrated data ends up somewhere far more consequential than a leak site.

That overlap should change how buyers evaluate their defense and infrastructure suppliers. Procurement and risk teams working with vendors in these sectors ought to ask concrete questions: how are subsidiaries segmented from sensitive program data, what monitoring covers the units that touch classified or export-controlled systems, and what is the notification commitment if a breach is confirmed. Indra will recover operationally. The lasting question for its government and enterprise customers is whether anything sensitive moved, and that is precisely the assurance every buyer of a critical-infrastructure supplier should be demanding in writing.

The subsidiary is the recurring soft spot

The most portable lesson here is the entry point. A €5 billion parent with NATO-grade obligations was reached through one subsidiary, and that pattern shows up in breach after breach. Subsidiaries, recently acquired units and regional offices inherit the parent's threat profile, its adversaries and its data sensitivity, and they very often do not inherit the parent's security budget, tooling or monitoring coverage. Attackers know this, so they map the group structure and aim at the softest legal entity that still offers a path toward the crown jewels.

We have watched this exact dynamic play out repeatedly, and it lands hardest on organizations that grew through acquisition, which describes a large share of the PE-backed portfolios our readers run. Every bolt-on brings its own identity stores, its own unpatched appliances and its own gaps, and the group inherits the union of all of them. The controls that matter are unglamorous: consistent EDR and logging coverage across every entity, network segmentation that stops a subsidiary compromise from becoming a group compromise, and a real inventory of which units touch which sensitive systems.

What Indra got right, and what to copy

Indra's public handling is a reasonable template. It acknowledged the incident, described the scope in concrete terms, asserted service continuity, and avoided overclaiming certainty about stolen data before its investigation was complete. That is the posture that preserves credibility with customers, regulators and, in a defense context, government stakeholders. The contrast case, silence followed by a forced admission after the gang publishes, is the one that turns a contained incident into a trust crisis, and Indra so far has avoided it.

The operational lesson for the reader is to have this response pre-built rather than improvised. Know in advance how you will scope and communicate a subsidiary-level incident, who signs off on public statements, and how you will substantiate a containment claim with evidence rather than hope. Double-extortion groups are betting that the fear of a data leak will move you faster than your facts can. The organizations that hold up are the ones that can state, quickly and honestly, exactly what was reached and exactly what was not.

Tagged#news#security#ransomware#double-extortion#defense