Ilex Paysages et Urbanisme Data Breach

Alleged

Ransomware claim involving Ilex Paysages et Urbanisme.

Published: Jun 30, 2026
Threat Level: High
Confidence: High

Quick Summary

Company: Ilex Paysages et Urbanisme
Industry: Business Services
Date of Incident: Jun 30, 2026

Executive Summary

Ilex Paysages et Urbanisme, a construction company based in France, was listed as a victim of the Settra ransomware group on June 30, 2026. This listing was detected by SOCRadar’s Dark Web Monitoring service. While Settra has primarily targeted organizations in the United States, this incident highlights the group’s reach into European countries, specifically France. The article details Settra’s targeting patterns, which have predominantly focused on business services, technology, and consumer services sectors. The identification of Ilex Paysages et Urbanisme as a victim aligns with Settra’s pattern of targeting small to mid-sized commercial entities.

Technical Analysis

SOCRadar’s analysis of stealer-log telemetry revealed a significant exposure for the ilex-paysages.com domain. The data found included credentials for four internal employees, one external account, and thirteen corporate accounts on third-party services. Notably, the compromised credentials pertained to Microsoft Entra ID single sign-on, a SAML SSO gateway, the French Chorus Pro public-procurement platform, and an internal organizational subdomain, indicating a direct compromise of the organization’s identity infrastructure. The presence of repeated employee usernames across multiple services within a long freshness window (March 2025 to May 26, 2026) suggests persistent credential harvesting from compromised endpoints without adequate rotation.

This type of credential exposure is a common initial access vector for ransomware groups like Settra. Operators often source credentials from marketplaces for compromised credentials, validate them for corporate access (e.g., Microsoft 365, VPNs, remote access portals), and then deploy ransomware. While direct evidence linking these specific credentials to Settra’s attack on Ilex Paysages et Urbanisme is not confirmed, the exposure of Entra ID and SSO credentials represents a high-risk scenario that aligns with the typical kill chain of such threat actors.

Security recommendations include immediate credential resets, session revocations for affected accounts, endpoint forensics, and hardening of conditional access policies.
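
The triage reasoning above, sketched as an added example that is not part of SOCRadar's report or tooling: it groups stealer-log hits by username and maps each account to the recommended response actions. The sample rows, service labels, and the two thresholds are constructed assumptions, not data from the incident.

```python
from collections import defaultdict
from datetime import date

# Constructed sample rows (not data from the report): (username, service, capture date).
SAMPLE = [
    ("user1", "entra_id_sso", date(2025, 3, 10)),
    ("user1", "chorus_pro", date(2025, 11, 2)),
    ("user1", "third_party", date(2026, 5, 26)),
    ("user2", "saml_sso", date(2026, 4, 1)),
    ("user3", "third_party", date(2025, 6, 5)),
    ("user3", "third_party", date(2025, 6, 20)),
    ("user4", "internal_subdomain", date(2025, 9, 1)),
    ("user4", "third_party", date(2026, 2, 1)),
]

# Assumption: service labels that count as identity infrastructure.
IDENTITY_SERVICES = {"entra_id_sso", "saml_sso"}


def triage(rows, min_services=2, min_span_days=90):
    """Group exposures per username and map them to response actions."""
    per_user = defaultdict(list)
    for user, service, seen in rows:
        per_user[user].append((service, seen))

    findings = []
    for user, hits in per_user.items():
        services = {s for s, _ in hits}
        dates = [d for _, d in hits]
        span_days = (max(dates) - min(dates)).days
        actions = ["reset_credentials"]  # every exposed account gets a reset
        if services & IDENTITY_SERVICES:
            # A stolen SSO password may come with live sessions: revoke them too.
            actions.append("revoke_sessions")
        if len(services) >= min_services and span_days >= min_span_days:
            # Same user, several services, long window: the endpoint is likely
            # still infected, so a reset alone will be re-harvested.
            actions.append("endpoint_forensics")
        findings.append({"user": user, "services": sorted(services),
                         "span_days": span_days, "actions": actions})
    # Accounts needing the most actions come first; ties break on username.
    findings.sort(key=lambda f: (-len(f["actions"]), f["user"]))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f["user"], f["span_days"], ", ".join(f["actions"]))
```
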