Quick Summary
Executive Summary
ORA Group Information, a business services company based in France, has been listed as a victim by the Pear ransomware group. The incident was first identified on June 30, 2026, through SOCRadar’s Dark Web Monitoring service. This listing represents one of the rarer non-US targets for the Pear ransomware group, which primarily targets organizations in the United States.
Technical Analysis
Pear ransomware group has demonstrated a consistent targeting pattern, heavily favoring the business services, financial services, and construction sectors. While their primary focus is on victims in the United States, France and Norway occasionally appear in their victimology. The analysis of initial access for ORA Group Information did not reveal direct evidence of exposed credentials from the specific queried stealer-log telemetry. However, this absence does not confirm a lack of exposed credentials, as data can be sourced from various feeds, rotated before indexing, or harvested under different domains or aliases. It is recommended that CTI teams continue monitoring and implement proactive credential hygiene measures, rather than assuming complete security based on a null query result. The methods employed by ransomware groups like Pear often involve sourcing credentials from infostealer logs, using them to gain access to systems via Microsoft 365, VPNs, or remote access portals before deploying ransomware.