PEAR
PEAR is a threat group that emerged in August 2025. It is described as a data-theft-and-extortion operation that does not encrypt victim files, instead focusing on pure exfiltration and ransom demands; one source expands the name as "Pure Extraction and Ransom."
Reporting states the group has been highly active against the healthcare sector, with many healthcare victims claimed in 2025 and at least 49 attacks in a three-month period. PEAR was also reported as claiming the largest total volume of stolen data in Q1 2026, with more than 46 TB allegedly exfiltrated, including 16 TB from Monmouth University.
Victims named in the reporting include Expert MRI, Brevard Skin and Cancer Center, Tri-Century Eye Care, Motility, Rocky Mountain Associated Physicians, Medical Center, LLP in Georgia, Garrison Law Firm, Hankin & Mazel PLLC, Jwiz, U.S. Battery, Kalchschmid GmbH, and Monmouth University.
In the cited incidents, PEAR claimed intrusions into internal networks, listed victims on its data leak site, posted samples of stolen data, threatened full publication unless ransom demands were met, and in some cases allegedly published data after non-payment. The reporting directly associates PEAR with exfiltration-only extortion rather than file encryption; no nation-state attribution is provided.
Recent activity
14 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Conducting a ransomware/data extortion operation against Expert MRI, claiming network infiltration, theft of 617 GB of confidential data, and threatening publication on a leak site unless ransom demands are met.
Named as the threat actor claiming responsibility for the Rocky Mountain Associated Physicians data breach.
Ransomware/extortion group notable for very large claimed data theft volumes in Q1 2026, including a major theft claim involving a university.
Emergent 2025 extortion actor focused on data theft and extortion without file encryption. Reported to have claimed many healthcare victims in 2025.