ctipilot.ch

CTI Daily Brief — 2026-07-05

Type: daily
Date: 2026-07-05
Runs: 1 run
Entries: 1

0. TL;DR

  • Ransom-ISAC case study: a US county paid ~$1M to data-theft extortion actor Kairos — no encryptor was ever deployed. Ransom-ISAC published a case study of "Kairos", a data-theft-only extortion actor that exfiltrated ~2 TB / ~1.6M files from a small US county government and was paid ~$1M in June 2025 without ever deploying a ransomware encryptor. Kairos claimed initial access via a brute-force credential attack; no locker binary has been obtained or confidently linked to the group, and Ransom-ISAC warns the actor's "proof of deletion" was not technically verifiable. The case is a reminder that pure-exfiltration extortion evades encryption-centric ransomware detection.

3. Research & Investigative Reporting

Kairos data-theft-only extortion — a US county paid ~$1M with no ransomware encryptor ever recovered

notable research discovered 2026-07-05 00:25 UTC

Ransom-ISAC has published a post-incident case study reconstructing a data-theft extortion case against a small US county government body, in which the victim paid roughly $1M after a May 2025 intrusion (Ransom-ISAC, 2026-07-03; The Hacker News, 2026-07-04). The distinguishing feature of the actor, self-styled "Kairos", is that it is a pure data-theft-and-leak extortion operation — Ransom-ISAC states "No ransomware sample, encryptor, or locker binary has been obtained or confidently linked to Kairos", so its leverage rested entirely on the threat to publish stolen data rather than on file encryption (Ransom-ISAC, 2026-07-03). Kairos itself claimed the intrusion was achieved through a brute-force credential attack — "We accessed your network using a bruteforce attack" — mapping to T1110 Brute Force and T1078 Valid Accounts; the report does not independently confirm the access method beyond the actor's own statement (Ransom-ISAC, 2026-07-03).

Kairos claimed access to more than 2 TB of data — approximately 1.6 million files — and exfiltrated it for leak-site leverage (T1567 Exfiltration Over Web Service); after roughly a month of negotiation the victim paid about $1M on 13 June 2025 (Ransom-ISAC, 2026-07-03; Security Affairs, 2026-07-04). Ransom-ISAC explicitly cautions that "The provided 'proof of deletion' was not technically verifiable and should not be treated as evidence that the stolen data was destroyed", noting there was nothing cryptographically binding the actor's deletion log to an actual deletion event (Ransom-ISAC, 2026-07-03).
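As an added illustration of the detection gap this case highlights (example code written for this brief, not code from Ransom-ISAC or any of the cited sources), the following Python runs two simple detections over constructed sample logs: a sliding-window count of failed logins per source address for the claimed brute-force access (T1110), with a separate flag when a success follows the burst (T1078), and a per-host outbound-volume baseline that flags a day whose egress far exceeds the host's recent median (T1567). Host names, addresses, thresholds, log layouts and byte volumes are constructed assumptions; the 2025-05-19 date only reuses the event_date the brief records.

```python
"""Two behaviour-based detections for a data-theft-only extortion pattern.

Added example for this brief; not from Ransom-ISAC or the cited reporting.
Everything below (hosts, IPs, thresholds, volumes) is constructed sample data.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median


def _constructed_auth_events():
    """Constructed auth log: (timestamp, source_ip, user, outcome)."""
    base = datetime(2025, 5, 19, 2, 0, 0)  # date taken from the brief's event_date
    events = [
        # Benign noise: one user mistypes twice, then signs in.
        (base, "192.0.2.5", "jdoe", "fail"),
        (base + timedelta(seconds=30), "192.0.2.5", "jdoe", "fail"),
        (base + timedelta(seconds=60), "192.0.2.5", "jdoe", "success"),
    ]
    # Burst: 25 failures from one external address, 10 s apart, then a success.
    for i in range(25):
        events.append((base + timedelta(seconds=10 * i), "203.0.113.7", "svc_backup", "fail"))
    events.append((base + timedelta(seconds=260), "203.0.113.7", "svc_backup", "success"))
    return events


AUTH_EVENTS = _constructed_auth_events()


def detect_bruteforce(events, window=timedelta(minutes=10), threshold=20):
    """Flag source IPs with >= threshold failed logins inside any sliding window.

    Returns {ip: {"max_fails_in_window": n, "success_after_burst": bool}}.
    A success after the burst is the T1078 follow-on responders care about.
    """
    fails, successes = defaultdict(list), defaultdict(list)
    for ts, ip, _user, outcome in events:
        (fails if outcome == "fail" else successes)[ip].append(ts)
    hits = {}
    for ip, times in fails.items():
        times.sort()
        start, best = 0, 0
        for end, t in enumerate(times):          # two-pointer sliding window
            while t - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            last_fail = times[-1]
            hits[ip] = {
                "max_fails_in_window": best,
                "success_after_burst": any(s > last_fail for s in successes.get(ip, [])),
            }
    return hits


# Constructed per-host daily outbound totals in GB (e.g. from firewall/NetFlow
# summaries). fileserver01 suddenly pushes ~2.1 TB on the last day; the
# workstation stays flat. Nothing here involves encryption or file renames.
EGRESS_GB = {
    "fileserver01": dict(zip(
        [f"2025-05-{d:02d}" for d in range(12, 20)],
        [3.1, 2.8, 3.4, 2.9, 3.0, 3.3, 2.7, 2100.0])),
    "ws-finance-04": dict(zip(
        [f"2025-05-{d:02d}" for d in range(12, 20)],
        [0.5, 0.4, 0.6, 0.5, 0.5, 0.7, 0.4, 0.6])),
}


def detect_bulk_egress(egress, baseline_days=7, ratio=10.0, floor_gb=50.0):
    """Flag (host, day) where outbound volume exceeds both an absolute floor and
    ratio x the median of the preceding baseline_days. The floor keeps quiet
    hosts from alerting on small absolute changes with large relative ratios.
    """
    alerts = {}
    for host, per_day in egress.items():
        days = sorted(per_day)
        for i in range(baseline_days, len(days)):
            base = median(per_day[d] for d in days[i - baseline_days:i])
            today = per_day[days[i]]
            if today >= floor_gb and today > ratio * max(base, 0.001):
                alerts[(host, days[i])] = {
                    "egress_gb": today,
                    "baseline_median_gb": base,
                    "ratio": today / base,
                }
    return alerts


if __name__ == "__main__":
    print("brute-force:", detect_bruteforce(AUTH_EVENTS))
    print("bulk egress:", detect_bulk_egress(EGRESS_GB))
```

Neither detection looks at file entropy, mass renames, shadow-copy deletion or any other encryptor artefact, which is the point: in a pure-exfiltration case those signals never fire, and an egress-volume baseline plus authentication-burst monitoring is what would have produced an alert during the weeks between access and the ransom demand.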

Quoted:

  "We accessed your network using a bruteforce attack." (Kairos, quoted by Ransom-ISAC)

  "No ransomware sample, encryptor, or locker binary has been obtained or confidently linked to Kairos" (Ransom-ISAC, 2026-07-03)

  "The provided 'proof of deletion' was not technically verifiable and should not be treated as evidence that the stolen data was destroyed" (Ransom-ISAC, 2026-07-03)

Tags: organized-crime, data-breach, us

4. Updates to Prior Coverage

No qualifying items in window — this section is intentionally left empty.

5. Deep Dive

No qualifying items in window — this section is intentionally left empty.

6. Action Items

7. Verification Notes

2026-07-05T0009Z-intel — Anthropic Claude (specific model not determined) · window 14 h · 1 entry published

Verification & coverage notes

Standard-window intel run (gap 12 h since the 2026-07-04T12:09Z fire; window_hours=14, opening ~2026-07-04T10:09Z). All four research sub-agents (S1–S4) swept their full essential + rotation slices and returned a combined 1 in-window candidate, which was composed into a single research entry. The home-region/sector lens (S2), the active-threats/vulns lens (S1) and the research lens (S3) were all genuinely quiet for the window — every CVE / advisory / report surfaced (CVE-2026-45659 SharePoint, CVE-2026-48558 SimpleHelp, CVE-2026-8451 Citrix NetScaler, CVE-2026-8037 Kemp LoadMaster, CVE-2026-20230 Cisco Unified CM, Argo CD unauth RCE, CVE-2026-46242 "Bad Epoll" Linux LPE, FatFs disclosures; ChocoPoC RAT, Huntress Azure CLI ROPC research, OneConsult BravoX DACH ransomware, Dragos 2026 OT/ICS Year-in-Review) was either already in prior_coverage.json or had its freshest source published before the window boundary with no in-window delta.

  • Included (1): kairos-data-theft-extortion-case-us-county-govt-1m-payout (research, notable) — Ransom-ISAC case study of the "Kairos" data-theft-only extortion actor. Org-relevance (PD-11d): substantive primary analysis of an actor model plus a detection-model gap (pure-exfiltration extortion evades encryption-centric ransomware telemetry) with transferable hunt / negotiation lessons for CH/EU public-sector SOCs. Genuinely new — no kairos key in the registry, not in prior coverage.
  • Recency note (transparency): the Ransom-ISAC primary is dated 2026-07-03 (~21 h before the window start), but the item was surfaced/syndicated in-window by The Hacker News (2026-07-04T12:47Z) and Security Affairs (2026-07-04T16:53Z) — the freshest available source is in-window, so it clears the recency gate on the freshest-source rule. event_date: 2025-05-19 records the underlying incident so the reader is not misled about the age of the events described.
  • Spot-check corrections (PD-1 anti-embellishment): main-agent WebFetch of the Ransom-ISAC primary confirmed the publication date and claims (data-theft-only / no encryptor, ~2 TB / ~1.6 M files, ~$1 M paid 2025-06-13, the brute-force quote, the non-verifiable "proof of deletion"). Three corrections were applied before composing: (a) the brute-force access is Kairos's own claim, not independently verified — framed as such, not as fact; (b) the primary does not confirm "no MFA / no VPN" — dropped as a stated fact, the MFA point reframed as a defender recommendation; (c) the primary names only "a small US county government body" and does not confirm Union County, Ohio — the victim is kept vague; blockchain-tracing / SBU-seizure / exact-BTC-split specifics were not confirmed in the spot-check and were omitted.
  • Single-source: none — the Kairos entry is marked verification: multi-source (Ransom-ISAC primary + Security Affairs + The Hacker News).
  • Dropped: FBI/TeamPCP supply-chain credential-theft (Security Affairs 2026-07-04T07:55Z) — out-of-window (before the 10:09Z boundary) and overlaps the already-covered npm supply-chain-worm campaign; ChocoPoC RAT / Huntress Azure CLI ROPC / OneConsult BravoX / Dragos 2026 YiR — out-of-window (2026-07-01/-02 / 2026-06-29 / 2026-02-17), no in-window delta.
  • New candidate source (1, cap respected): ransom-isac added as candidate.
  • Coverage gaps: cisa-advisories, cisa-directives (403 on the listing-page bridge recipe — KEV API endpoint substituted for exploitation ground-truth; the HTML listing pages still need a working sub-path recipe); cisa-news, industrialcyber-co, inside-it-ch (403, no working bridge recipe this run — recipe check recommended for inside-it-ch which now 403s both feed and page); safeonweb-be (200 but Drupal SPA shell, no parseable listing); prodaft, sans-newsbites (JS-rendered SPAs, no structured endpoint); ncsc-uk (200 but static curated-links block, freshest advisory 2026-06-22); cert-fr avis-recent (freshest 2026-06-26, stale); jpcert (freshest 2026-06-10, stale); shadowserver (feed 404 — recipe revalidation needed).
  • Watchlist: not reported — config/org-profile.yaml configures no product or supplier watchlists; S1/S4 sweep duties were no-ops.
  • Essential-coverage: cisa-advisories, cisa-directives missed (403 transport-block; KEV API substituted for the exploitation signal). All other essential sources (advisories-ncsc-nl, anssi-fr, bsi-de, cert-at, cert-eu, cert-pl, cisa-kev, enisa, ncsc-ch-focus, ncsc-ch-incidents, ncsc-ch-security-hub, ncsc-uk) were attempted and resolved.