On May 20, 2026, the Pear ransomware group publicly claimed responsibility for a cyberattack against Exchange Group (exg.ca), a Manitoba-based accounting and consulting firm. The threat actors assert they have exfiltrated sensitive data from the organization's network and have issued a public ultimatum: engage in negotiations or face full disclosure of the stolen material. The claim was surfaced by threat intelligence firm DeXpose on May 21, 2026.
What Happened
Pear ransomware operators listed Exchange Group on their data leak site, accompanied by a statement reading: "We have infiltrated Exchange Group's network, acquiring sensitive data. Full disclosure will occur if no contact is made." This is a textbook double-extortion playbook. The group is using the threat of public data exposure as its primary leverage, indicating exfiltration occurred before or alongside any encryption activity. Exchange Group has not yet issued a public statement regarding the claim, and the firm's website remained operational at the time of reporting.
What Was Taken
Pear has not yet published samples or a full inventory of the allegedly stolen data, which is consistent with the initial pressure phase of a double-extortion campaign. Given Exchange Group's role as an accounting and consulting firm, the data at risk likely includes:
- Client financial records, tax filings, and accounting workpapers
- Personally identifiable information (PII) of clients and employees
- Corporate banking details, payroll data, and audit documentation
- Confidential consulting engagements and internal communications
- Vendor contracts and third-party financial information
The exposure of accounting-firm data carries amplified downstream risk: a single firm typically holds privileged financial records for dozens or hundreds of corporate and individual clients, turning one breach into a multi-victim incident.
Why It Matters
Accounting and consulting firms have become a recurring target for ransomware affiliates because they sit at a high-trust, high-value chokepoint in the supply chain. A successful intrusion offers attackers immediate monetization options (tax fraud, wire fraud, business email compromise) and significant extortion leverage tied to regulatory and reputational fallout. For Canadian organizations, this incident also reinforces that mid-sized regional firms outside major metro centers are not flying under the radar of ransomware crews. Pear's targeting reflects the broader trend of opportunistic actors prioritizing firms with strong cash flow, weak segmentation, and rich client data.
The Attack Technique
Initial access vectors have not been disclosed by either Pear or Exchange Group. Pear, a relatively new entrant on the ransomware scene, has historically been observed leveraging common initial access tradecraft seen across mid-tier extortion crews: phishing emails delivering loader malware, exploitation of unpatched perimeter appliances (VPN, RDP, edge devices), and the purchase of valid credentials harvested by infostealer malware from underground markets. Once inside, double-extortion operators typically conduct internal reconnaissance, escalate privileges via Active Directory misconfigurations, and exfiltrate large data sets to cloud storage services before triggering encryption.
What Organizations Should Do
- Conduct a compromise assessment focused on identifying lateral movement, persistence mechanisms, and exfiltration channels, especially if your organization shares infrastructure or services with Exchange Group.
- Validate offline, immutable backups and rehearse restoration. Backups that cannot be reached, encrypted, or deleted by an attacker are the single highest-value control against ransomware.
- Hunt for infostealer-sourced credentials tied to your domain on dark web markets and rotate any exposed credentials immediately. Most ransomware intrusions begin with a credential purchased for under $20.
- Enforce phishing-resistant multi-factor authentication on all external access points, including VPN, email, and remote administration tools.
- Segment the network to limit blast radius. Accounting platforms, file shares, and backup infrastructure should not be reachable from standard user workstations.
- Engage qualified incident response counsel and a DFIR firm before any communication with the threat actor. Negotiation, ransom payment, and disclosure obligations carry significant legal and regulatory weight, particularly under Canadian privacy law (PIPEDA) and provincial breach notification rules.
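As a starting point for the exfiltration-channel hunt in the first recommendation, the following added example (not from DeXpose or any party named in this article) totals upload volume per internal host per day to cloud storage domains in web proxy logs and reports hosts over a threshold. The log format, host names, domain watchlist, and 1 GB threshold are all assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Assumed watchlist of file-sharing domains (not from the article); adjust to
# what your organization actually sanctions.
CLOUD_STORAGE = ("mega.nz", "dropbox.com", "drive.google.com")
UPLOAD_METHODS = {"POST", "PUT"}

# Constructed proxy log lines: timestamp src_host method dest_host bytes_out
SAMPLE_LOG = """\
2026-05-18T09:12:03 ws-acct-07 GET www.dropbox.com 812
2026-05-18T23:41:10 fs-01 PUT g.api.mega.nz 734003200
2026-05-18T23:58:44 fs-01 PUT g.api.mega.nz 912261120
2026-05-19T00:07:19 fs-01 PUT g.api.mega.nz 655360000
2026-05-19T10:02:55 ws-hr-02 POST drive.google.com 4194304
2026-05-19T10:03:01 ws-hr-02 POST intranet.corp.example 999999999
malformed line
"""

def is_cloud_storage(host):
    # Match the domain itself or any subdomain, never a lookalike suffix.
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in CLOUD_STORAGE)

def bulk_uploaders(log_text, threshold_bytes=1_000_000_000):
    """Return {(src_host, date): bytes} for daily upload totals >= threshold."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed records instead of aborting the hunt
        ts, src, method, dest, size = parts
        try:
            day = datetime.fromisoformat(ts).date().isoformat()
            sent = int(size)
        except ValueError:
            continue
        # Only request bodies sent outbound count; downloads (GET) are ignored.
        if method.upper() in UPLOAD_METHODS and is_cloud_storage(dest):
            totals[(src, day)] += sent
    return {k: v for k, v in totals.items() if v >= threshold_bytes}

if __name__ == "__main__":
    for (src, day), sent in sorted(bulk_uploaders(SAMPLE_LOG).items()):
        print(f"{day} {src}: {sent / 1e9:.2f} GB uploaded to cloud storage")
```

Because totals are bucketed by calendar day, a transfer that straddles midnight is split across two buckets; a rolling window or a lower threshold catches that case.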