PEAR ransomware claims target U.S. law firms and service providers

Security trackers and ransomware aggregators say the cybercriminal group known as PEAR has added multiple U.S. professional services firms to its leak listings, including at least two law practices, in a cluster of disclosures flagged at the end of February. Threat monitoring services recorded posts naming Carlo J. Martina, P.C., and a Georgia firm identified as Skibiel Law, and warned that attackers are emphasizing data exfiltration and imminent publication of stolen files.

DeXpose Io captured a Feb. 26, 2026 entry stating that PEAR “claimed responsibility for a cyberattack against Carlo J. Martina, P.C. (martinalaw.com), a divorce and family law firm based in the USA.” The DeXpose listing preserves a direct message from the threat actors: “The full leak will be published soon, unless a company representative contacts us via the channels provided.” RedPacket Security separately archived a Feb. 18, 2026 leak post claiming Skibiel Law as a victim and described the posting as focused on data access and exfiltration rather than mere encryption. That post included a formal claim URL but did not list ransom amounts or concrete demands.

Trackers consolidated these postings into a flagged cluster on Feb. 28, 2026, prompting concern among incident responders because law firms and service providers routinely hold sensitive client information. The pattern observed in the archived listings aligns with double-extortion tactics public reporting has tied to other ransomware operations: attackers claim to have copied data and threaten publication to force negotiations.

The group’s recent activity follows large claims attributed to PEAR in 2025. Compiled reporting preserved by trackers and security feeds says PEAR claimed to have stolen 4.3 terabytes of data from Motility’s parent company, Reynolds & Reynolds, in August 2025, a breach that one report said exposed the personal information of 766,670 people. Other mid-2025 incidents cited in aggregated material include a July 16, 2025 intrusion into a third-party CRM tied to Allianz Life that reportedly exposed data for 1.49 million customers and employees; together those two incidents were described in some summaries as affecting more than 2.25 million individuals.

Attribution and impact in the most recent cluster remain subject to verification. RedPacket Security cautioned: “Verification alert — Listings attributed to PEAR have been reported as including unverified or fabricated victim claims. Treat this post as unconfirmed until corroborated with independent evidence.” Security researchers and reporters recommend direct confirmation from named organizations, preservation of leak‑site pages, and cross-checking with established incident‑response feeds before treating tracker entries as definitive breach confirmations.

If PEAR’s recent claims are validated, the implications are significant for clients of small and mid-sized professional services firms, whose records often contain financial and identity data but who may lack robust breach detection resources. Incident responders say firms in those sectors should inventory sensitive holdings, ensure regulatory notifications are prepared, and consult law enforcement and forensic teams. Trackers continue to monitor the leak pages and the broader ransomware landscape for additional corroboration.