CoinbaseCartel Hits Panasonic Avionics; Pear Targets US Healthcare

CoinbaseCartel claimed Panasonic Avionics, Pear ransomware hit two US healthcare providers, and six groups posted victims across multiple sectors and countries.
Table of Contents
    Add a header to begin generating the table of contents

    Four ransomware groups and one exfiltration actor posted new victims across a two-day window, with CoinbaseCartel claiming Panasonic Avionics Corporation on its dark web leak site, the newly observed Pear ransomware group listing two US healthcare providers, and RansomHouse adding UK-based Fidelity Services Group. DragonForce contributed six additional victims spanning the United States, Mexico, South Africa, Botswana, and the United Kingdom. Ransomware.live confirmed all listings through direct dark web source monitoring; no victim organization had publicly confirmed an incident as of the brief’s compilation.

    CoinbaseCartel’s Panasonic Avionics Claim and Pear Ransomware’s Healthcare Dual Listing

    CoinbaseCartel posted “PanasonicAero” to its dark web leak site on July 15 — identified as Panasonic Avionics Corporation, the California-based subsidiary of Panasonic Corporation that supplies in-flight entertainment systems, connectivity infrastructure, and cockpit communications equipment to major commercial airlines worldwide. The group disclosed no ransom amount in the listing. Panasonic Avionics’ role as a supplier to commercial aviation operations gives its compromise potential significance beyond the data exposure itself — attackers with access to avionics supplier networks may reach designs, software, or maintenance documentation for systems in active flight operations.

    Ransomware attacks against aviation-sector supply chain companies attract particular scrutiny because safety-critical systems and sensitive operational data flow through avionics infrastructure. Panasonic Avionics is distinct from Panasonic Corporation’s broader consumer electronics and enterprise businesses, focusing specifically on the airborne segment.

    Pear Ransomware’s First Documented Healthcare Dual Listing: Carient Heart & Vascular and South Plains Rural Health Services

    Pear ransomware — a group not previously documented in these briefs — made its first observed appearance with simultaneous listings for two US healthcare providers. Carient Heart & Vascular is a cardiovascular specialty medical practice. South Plains Rural Health Services, Inc. is a rural healthcare provider serving communities in West Texas.

    The healthcare dual-listing on Pear’s debut indicates an operational group with active encryption or exfiltration capabilities, not a new actor that has registered a site without conducting attacks. The targeting of a rural healthcare provider is consistent with the established pattern of ransomware groups focusing on smaller regional healthcare organizations where IT resources are limited and operational disruption has direct patient care consequences — rural and specialty providers frequently serve patient populations with fewer alternative care options in their area.

    Pear’s simultaneous listing of two victims in different healthcare sub-sectors — cardiology specialty care and rural primary care — on the group’s first publicly observed activity suggests either concurrent attack operations or a batch-release approach to victim disclosure.

    RansomHouse Claims Fidelity Services Group; DragonForce Lists Six Victims Across Five Countries

    RansomHouse added UK-based Fidelity Services Group to its leak site on July 15. Fidelity Services Group is a private security services company operating across the United Kingdom. RansomHouse’s documented operational pattern focuses on data exfiltration and threatening publication of stolen material rather than deploying encryption ransomware — making the listing a data exposure threat rather than a systems-encryption incident, though both produce significant organizational impact.

    DragonForce posted six victims in a batch spanning the United States, Mexico, South Africa, Botswana, and the United Kingdom. The US victims include Heritage Mechanical LLC, a manufacturing company; ASIMAR; Stephens Precision; Hughes Atwood & Mullaly PLLC, a law firm; and Shillen Mackall & Seldon, also a law firm. The international listing is Isegen South Africa (Pty) Ltd, a South African chemical manufacturer. DragonForce has maintained consistent activity across multiple listing batches throughout the preceding weeks, with this batch extending its victim geography to Botswana alongside South Africa and the UK.

    What the July 15–16 Batch Signals About Ransomware Group Operational Tempo

    The concentration of multiple distinct ransomware actors posting victims within a 48-hour window is consistent with a pattern of high operational tempo observed across the ransomware ecosystem throughout June and July 2026. The batch spans aviation supply chain, cardiovascular specialty care, rural healthcare, UK private security, manufacturing, professional services law firms, and chemical manufacturing — a cross-sector spread that reflects opportunistic targeting by groups with no shared vertical focus rather than a coordinated campaign.

    The appearance of Pear ransomware as a new group with immediate operational activity is a recurring dynamic in the ransomware ecosystem: new group identities may represent entirely new actors, splinter factions from existing groups, or rebrands from actors seeking to reset law enforcement attention. The healthcare dual-listing as a debut move increases the probability that Pear is an operational group with existing capabilities rather than a new entrant building toward its first attack.

    Qilin also listed a victim in the same batch: International Delights, a US food and beverage company. Qilin has maintained consistent listing activity across prior weeks, and the International Delights listing extends the group’s documented reach into the consumer food sector.

    Related Posts