Skip to content
Ransomware group

PEAR

PEAR, also expanded as Pure Extraction and Ransom, is a data-theft and extortion threat actor that emerged in 2025.

Profile source: Mallory opens in a new tab

PEAR

Family profile

PEAR, also expanded as Pure Extraction and Ransom, is a data-theft and extortion threat actor that emerged in 2025. The group is characterized by operating without routine file encryption, instead focusing on stealing large volumes of data and coercing victims through leak-site exposure and threats to publish exfiltrated information. This places PEAR among the newer extortion-only operations rather than traditional encrypt-and-ransom crews.

PEAR has been associated with attacks across multiple sectors, with especially notable activity against healthcare organizations and healthcare-adjacent service providers, including radiology practices, medical billing and revenue-cycle firms, and specialty clinics. Reported victimology also includes financial services, manufacturing, construction, logistics, education, nonprofits, and technology organizations in countries including the United States, Norway, and Singapore. Public reporting indicates the group was active through 2025 and 2026 and claimed substantial aggregate data theft volumes during that period.

The group’s tradecraft centers on network intrusion, data exfiltration, victim listing on a dedicated leak site, and extortion backed by publication threats. In multiple cases, PEAR publicly claimed to have infiltrated internal networks, copied confidential datasets, and threatened full release of stolen material unless ransom demands were met. Available high-confidence reporting supports PEAR’s use of double-extortion-style pressure without the encryption component, making it more accurately described as an extortion actor using ransomware ecosystem tactics than a purely locker-based ransomware operator.

PEAR is widely referred to as both Pear and PEAR, and the expansion Pure Extraction and Ransom has been used to describe the group’s operating model. No verified sub-groups are established in the available information. The actor has been repeatedly noted in reporting on healthcare breach trends as an example of the shift toward pure data theft and extortion operations.

Ransomware.live

Operational record

View group record ↗

Ransomware.live

Published indicators

Full source record ↗

Tox

1 total
  • 457BB4E5DF0E650509322CA894758D925A568828090A3449D5AEEED30E9B8E18DDDFF71909ED

Email

1 total
  • pear@onionmail.org

Ransomware.live

Recent claims

All published claims ↗

MITRE ATT&CK

PEAR in ATT&CK

20 distinct techniques

We appreciate you

Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.