Indra Confirms Ransomware Cyberattack: The Gentlemen Group Gives 236 Hours Before Leaking Stolen Data
Eric Serrano Bustos
On 30 June 2026, threat intelligence firm Hackmanac alerted on social media that the ransomware group The Gentlemen claimed to have breached the systems of Indra Group, the Spanish technology company present in strategic sectors such as defence, electoral systems, public administration and transport. Indra subsequently confirmed to specialist media that it had detected the presence of ransomware in one of its subsidiaries and immediately activated its Computer Security Incident Response Team (CSIRT). According to the company, the incident has had a minimal impact, limited to a non-critical environment, with no spread to other companies in the group and no effect on service delivery. The attackers, however, have activated a countdown of approximately 236 hours (around 9-10 days) before publishing or selling the data they claim to have stolen if their demands are not met. As of this article's publication, no samples of the allegedly stolen data have been published, and the type of compromised information remains unknown.
What do we know about the Indra cyberattack?
Facts documented by El Economista, Escudo Digital, ADSLZone, RedesZone and Bit Life Media:
Detection: Indra detected the presence of ransomware in one of its subsidiaries and immediately activated its CSIRT for analysis, verification and security review of potentially affected environments.
Scope according to the company: Indra has ruled out any spread of the incident to the rest of the group's companies and confirmed that operations and service delivery have remained normal throughout. The company describes the incident as "minimal and limited to a non-critical environment."
Technical response: the CSIRT deployed containment, eradication and recovery measures, and the company has additionally strengthened its security controls to ensure system protection and service continuity.
Threat actor: The Gentlemen, a Russian-speaking collective that emerged in mid-2025 and has already become one of the most active ransomware groups worldwide, with over 250 claimed victims according to WeLiveSecurity. The group is characterised by targeted operations rather than mass attacks, high operational discipline, use of AI-powered tools, and highly adaptable evasion techniques.
Extortion countdown: The Gentlemen added Indra to its dark web leak site with a 236-hour deadline for ransom payment. The amount requested has not been publicly disclosed.
Verification status: Hackmanac describes the incident status as "pending verification" regarding the real scope of compromised data. Indra continues its investigation to determine the exact origin of the attack.
Potentially exposed sectors: although Indra has not confirmed what specific information is at risk, the company operates in sensitive sectors such as defence, electoral systems, public administration and land and air transport, which raises the relevance of the incident beyond the immediate technical impact.
Why Indra is a first-tier target for a ransomware group
Indra is not just any company within the Spanish business landscape. It is one of the few national technology companies with simultaneous presence in sectors classified as critical infrastructure, making it a high-value target for sophisticated extortion groups:
It operates in strategic sectors with access to sensitive State information. Indra participates in defence programmes, electoral systems and contracts with Spanish and European public administrations. A compromise of its systems, even a limited one, raises questions about the potential exposure of information linked to those programmes.
The Gentlemen is an actor with demonstrated capacity to operate at scale. With over 250 claimed victims in less than a year, the group has consolidated a repeatable methodology: initial access, exfiltration of sensitive data, and extortion with a deadline before publication. Indra is the latest addition to that list, not an isolated case.
System segmentation is the variable determining the real scope of the damage. The fact that Indra was able to rule out propagation to the rest of the group, if confirmed by the ongoing investigation, would indicate that separation controls between environments worked as a containment barrier. That is precisely the difference between a limited incident and a crisis affecting the entire organisation.
Uncertainty about the real scope is itself a reputational risk. As long as the incident status remains "pending verification," clients, partners and administrations working with Indra must operate with partial information about what data may be compromised.
How groups like The Gentlemen operate: from intrusion to deadline-based extortion
The Gentlemen's methodology, documented by RedesZone and WeLiveSecurity, follows a pattern consistent with the double extortion model dominating the ransomware landscape in 2026:
Initial access to the victim's systems. The group gains access to the target organisation's network through intrusion techniques not yet publicly confirmed in Indra's case.
Exfiltration of sensitive information before encryption. Once inside, the priority objective is to gather as much confidential data as possible, not just encrypt systems. This silent phase determines the real scope of potential damage.
Ransomware deployment and countdown activation. With data already exfiltrated, the group deploys ransomware in the compromised environment and adds the victim to its dark web leak site with a payment deadline, in this case 236 hours.
Double pressure: operational encryption and threat of publication. If the victim does not pay, the group threatens to publish or sell the stolen data to other organised gangs that can monetise it, generating additional pressure beyond the immediate operational impact.
Key lessons for businesses and executives
The Indra case, even while the investigation is ongoing and its scope is pending verification, offers lessons directly applicable to any organisation with complex infrastructure and multiple subsidiaries:
Not paying the ransom remains INCIBE's official recommendation. Spain's National Cybersecurity Institute is explicit: paying neither guarantees that access to the data will be recovered nor prevents the information from being leaked later. The decision should be based on the incident response plan, not the pressure of the deadline imposed by attackers.
Segmentation between subsidiaries and environments is a defence that can make the difference. The fact that Indra was able to contain the incident to a non-critical environment, without spreading to the rest of the group, underscores the value of a well-segmented network architecture against a large-scale compromise.
Activating the CSIRT immediately reduces the exposure window. The time between detection and containment is a determining factor in the final scope of any ransomware incident. Having an already-trained incident response team with defined procedures allows action within hours, not days.
Transparent communication with media and clients manages reputational risk. Indra chose to confirm the incident and detail the measures taken rather than stay silent, a strategy that reduces public uncertainty while the technical investigation continues.
Organisations in strategic sectors are priority targets regardless of size or technical sophistication. Companies operating in defence, public administration, critical infrastructure or electoral systems should assume groups like The Gentlemen have identified them as high-value targets, and design their security posture accordingly.
Cybersecurity as a strategic priority
The Indra cyberattack confirms that no sector, however critical or technically sophisticated, is exempt from ransomware extortion risk. The Gentlemen has demonstrated in less than a year the capacity to compromise over 250 organisations with a repeatable, disciplined methodology. For Spanish businesses, particularly those operating in strategic sectors or managing sensitive client and public administration data, today's question is direct: if your organisation detected ransomware in one of its environments tomorrow, do you have a CSIRT capable of containing the incident within hours, and is your network architecture segmented to prevent a limited compromise from becoming a group-wide crisis?
Apolo Cybersecurity: ransomware incident preparation and response
At Apolo Cybersecurity we help organisations prepare against ransomware threats like The Gentlemen: design and audit of incident response plans with immediate activation protocols, assessment of network segmentation between subsidiaries and critical environments, containment and recovery drills for double extortion scenarios, and advisory on communication management during an active security incident.
If your organisation does not have a tested and updated incident response plan, or is unsure how its network is segmented against a partial compromise, the Indra case is the signal to review both before an incident occurs.