The PEAR ransomware group is a newly surfaced actor  adding to the growing list of emerging ransomware brands. With only limited public reporting available, PEAR appears to be in a formative stage, potentially testing operations or building a reputation through early attacks.

Observed activity suggests PEAR favors a low-noise, high-pressure approach, gaining access quietly before deploying encryption and extortion tactics. The group is believed to leverage data exfiltration to increase leverage during ransom negotiations, targeting organizations where operational disruption and reputational risk are likely to drive payment. Initial compromise is thought to stem from credential abuse, phishing, or exposed remote services.

Rather than introducing new techniques, PEAR relies on tried-and-tested ransomware tradecraft, such as disabling backups, weakening security controls, and using built-in administrative tools to move laterally.