On this page
0. TL;DR
- Ransom-ISAC case study: a US county paid ~$1M to data-theft extortion actor Kairos — no encryptor was ever deployed. Ransom-ISAC published a case study of "Kairos", a data-theft-only extortion actor that exfiltrated ~2 TB / ~1.6M files from a small US county government and was paid ~$1M in June 2025 without ever deploying a ransomware encryptor. Kairos claimed initial access via a brute-force credential attack; no locker binary has been obtained or confidently linked to the group, and Ransom-ISAC warns that the actor's "proof of deletion" was not technically verifiable. The case is a reminder that pure-exfiltration extortion evades encryption-centric ransomware detection.
1. Active Threats, Trending Actors, Notable Incidents & Disclosures
No qualifying items in window — this section is intentionally left empty.
2. Trending Vulnerabilities
No qualifying items in window — this section is intentionally left empty.
3. Research & Investigative Reporting
Kairos data-theft-only extortion — a US county paid ~$1M with no ransomware encryptor ever recovered
Ransom-ISAC has published a post-incident case study reconstructing a data-theft extortion case against a small US county government body, in which the victim paid roughly $1M after a May 2025 intrusion (Ransom-ISAC, 2026-07-03; The Hacker News, 2026-07-04). The distinguishing feature of the actor, self-styled "Kairos", is that it is a pure data-theft-and-leak extortion operation — Ransom-ISAC states "No ransomware sample, encryptor, or locker binary has been obtained or confidently linked to Kairos", so its leverage rested entirely on the threat to publish stolen data rather than on file encryption (Ransom-ISAC, 2026-07-03). Kairos itself claimed the intrusion was achieved through a brute-force credential attack — "We accessed your network using a bruteforce attack" — mapping to T1110 Brute Force and T1078 Valid Accounts; the report does not independently confirm the access method beyond the actor's own statement (Ransom-ISAC, 2026-07-03).
Kairos claimed access to more than 2 TB of data — approximately 1.6 million files — and exfiltrated it for leak-site leverage (T1567 Exfiltration Over Web Service); after roughly a month of negotiation the victim paid about $1M on 13 June 2025 (Ransom-ISAC, 2026-07-03; Security Affairs, 2026-07-04). Ransom-ISAC explicitly cautions that "The provided 'proof of deletion' was not technically verifiable and should not be treated as evidence that the stolen data was destroyed", noting there was nothing cryptographically binding the actor's deletion log to an actual deletion event (Ransom-ISAC, 2026-07-03).
4. Updates to Prior Coverage
No qualifying items in window — this section is intentionally left empty.
5. Deep Dive
No qualifying items in window — this section is intentionally left empty.
6. Action Items
- Hunt for repeated authentication failures against shared / service accounts followed by a single success (T1110.001 / T1110.003) on externally reachable RDP, VPN, webmail and AD FS endpoints; the success after the failure run is the alert-worthy event, not the failures alone. Enforce MFA on any exposed account that still lacks it.
- Tune extortion detection to large abnormal outbound transfers and unusual access to sensitive file shares; encryption-centric ransomware telemetry (mass file rename, entropy spikes) will not fire on data-theft-only extortion, so a host-level outbound-volume baseline is the control that would have had a chance here.
- Record in incident-response and legal negotiation playbooks that a threat actor's 'proof of deletion' is not technically verifiable: a paid extortion must never be treated as guaranteed data destruction, and the data should be handled as still exposed (notification, credential rotation, monitoring for later leaks).
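The first two action items above, implemented as an added example over constructed data (this is not code from Ransom-ISAC or from any source cited in this digest). Hunt 1 flags an account that accumulates at least five failures within a ten-minute sliding window on one exposed service and then logs in successfully; Hunt 2 flags a host whose latest day of outbound bytes is at least ten times its own recent daily mean and above an absolute floor. The log format, service names, IP addresses, byte counts and all thresholds are illustrative assumptions, not values from the case study.

```python
"""Two hunts for data-theft-only extortion precursors (added example, constructed data).

Hunt 1: N+ authentication failures against one account on an exposed service,
        followed by a success for that account (T1110 -> T1078).
Hunt 2: a host's outbound byte volume far above its own recent daily baseline
        (the large abnormal transfer that encryption-centric telemetry never sees).
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean

# Constructed sample auth log (not real telemetry): timestamp service src account outcome.
SAMPLE_AUTH_LOG = """
2025-05-18T22:40:00Z vpn 198.51.100.9 svc_backup FAIL
2025-05-19T01:00:01Z vpn 203.0.113.7 svc_backup FAIL
2025-05-19T01:00:03Z vpn 203.0.113.7 svc_backup FAIL
2025-05-19T01:00:05Z vpn 203.0.113.7 svc_backup FAIL
2025-05-19T01:00:07Z vpn 203.0.113.7 svc_backup FAIL
2025-05-19T01:00:09Z vpn 203.0.113.7 svc_backup FAIL
2025-05-19T01:00:11Z vpn 203.0.113.7 svc_backup FAIL
2025-05-19T01:02:30Z vpn 203.0.113.7 svc_backup SUCCESS
2025-05-19T03:00:00Z rdp 203.0.113.8 administrator FAIL
2025-05-19T03:00:02Z rdp 203.0.113.8 administrator FAIL
2025-05-19T03:00:04Z rdp 203.0.113.8 administrator FAIL
2025-05-19T03:00:06Z rdp 203.0.113.8 administrator FAIL
2025-05-19T03:00:08Z rdp 203.0.113.8 administrator FAIL
2025-05-19T08:15:00Z webmail 192.0.2.44 jdoe FAIL
2025-05-19T08:15:20Z webmail 192.0.2.44 jdoe FAIL
2025-05-19T08:15:40Z webmail 192.0.2.44 jdoe SUCCESS
"""


def parse_auth_log(text):
    """Parse the whitespace-separated sample format into event dicts sorted by time."""
    events = []
    for line in text.strip().splitlines():
        ts, service, src, account, outcome = line.split()
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "service": service, "src": src,
                       "account": account, "outcome": outcome})
    return sorted(events, key=lambda e: e["ts"])


def find_bruteforce_then_success(events, min_failures=5, window=timedelta(minutes=10)):
    """One finding per (account, service) where >= min_failures FAILs inside the
    sliding window immediately precede a SUCCESS. Thresholds are assumptions."""
    by_key = defaultdict(list)
    for e in events:
        by_key[(e["account"], e["service"])].append(e)
    findings = []
    for (account, service), evs in by_key.items():
        recent_fails = []
        for e in evs:
            # keep only failures still inside the window that ends at this event
            recent_fails = [f for f in recent_fails if e["ts"] - f["ts"] <= window]
            if e["outcome"] == "FAIL":
                recent_fails.append(e)
            elif e["outcome"] == "SUCCESS":
                if len(recent_fails) >= min_failures:
                    findings.append({
                        "account": account, "service": service,
                        "failures": len(recent_fails),
                        "sources": sorted({f["src"] for f in recent_fails}),
                        "success_at": e["ts"].isoformat(), "success_src": e["src"]})
                recent_fails = []  # a success closes the run; do not re-alert on it
    return findings


# Constructed daily outbound bytes per host (oldest first, latest day last), e.g. from
# firewall or NetFlow summaries. Values are illustrative, not from the case study.
SAMPLE_OUTBOUND_BYTES = {
    "fileserver01": [12e9, 11e9, 13e9, 12e9, 14e9, 11e9, 12e9, 1.9e12],  # ~1.9 TB last day
    "ws-hr-03": [0.4e9, 0.5e9, 0.3e9, 0.6e9, 0.4e9, 0.5e9, 0.4e9, 0.5e9],
    "new-host": [3.0e9],  # no baseline yet: skipped rather than alerted on
}


def find_outbound_anomalies(daily_bytes, min_ratio=10.0, floor_bytes=50e9):
    """Flag hosts whose latest day is >= min_ratio times their own baseline mean
    AND above an absolute floor, so small noisy hosts do not alert on nothing."""
    findings = []
    for host, series in daily_bytes.items():
        *baseline, latest = series
        if not baseline:
            continue
        base = mean(baseline)
        ratio = latest / base if base > 0 else float("inf")
        if latest >= floor_bytes and ratio >= min_ratio:
            findings.append({"host": host, "latest_bytes": latest,
                             "baseline_mean_bytes": base, "ratio": round(ratio, 1)})
    return findings


if __name__ == "__main__":
    for f in find_bruteforce_then_success(parse_auth_log(SAMPLE_AUTH_LOG)):
        print("auth hunt:", f)
    for f in find_outbound_anomalies(SAMPLE_OUTBOUND_BYTES):
        print("exfil hunt:", f)
```

Against the constructed data only svc_backup on the VPN trips Hunt 1: the stale failure from the previous evening falls out of the window, the administrator RDP spray never succeeds (a plain brute-force alert belongs in a separate rule), and jdoe's two typos before a login stay below the threshold. Hunt 2 keys off each host's own history rather than a global threshold because a file server's normal daily volume would itself exceed a workstation's anomaly.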
7. Verification Notes
2026-07-05T0009Z-intel — Anthropic Claude (specific model not determined) · window 14 h · 1 entry published
Verification & coverage notes
Standard-window intel run (gap 12 h since the 2026-07-04T12:09Z fire; window_hours=14, opening ~2026-07-04T10:09Z). All four research sub-agents (S1–S4) swept their full essential + rotation slices and returned a combined 1 in-window candidate, which was composed into a single research entry. The home-region/sector lens (S2), the active-threats/vulns lens (S1) and the research lens (S3) were all genuinely quiet for the window — every CVE / advisory / report surfaced (CVE-2026-45659 SharePoint, CVE-2026-48558 SimpleHelp, CVE-2026-8451 Citrix NetScaler, CVE-2026-8037 Kemp LoadMaster, CVE-2026-20230 Cisco Unified CM, Argo CD unauth RCE, CVE-2026-46242 "Bad Epoll" Linux LPE, FatFs disclosures; ChocoPoC RAT, Huntress Azure CLI ROPC research, OneConsult BravoX DACH ransomware, Dragos 2026 OT/ICS Year-in-Review) was either already in prior_coverage.json or had its freshest source published before the window boundary with no in-window delta.
- Included (1): kairos-data-theft-extortion-case-us-county-govt-1m-payout (research, notable) — Ransom-ISAC case study of the "Kairos" data-theft-only extortion actor. Org-relevance (PD-11d): substantive primary analysis of an actor model plus a detection-model gap (pure-exfiltration extortion evades encryption-centric ransomware telemetry) with transferable hunt / negotiation lessons for CH/EU public-sector SOCs. Genuinely new — no kairos key in the registry, not in prior coverage.
- Recency note (transparency): the Ransom-ISAC primary is dated 2026-07-03 (~21 h before the window start), but the item was surfaced/syndicated in-window by The Hacker News (2026-07-04T12:47Z) and Security Affairs (2026-07-04T16:53Z) — the freshest available source is in-window, so it clears the recency gate on the freshest-source rule. event_date: 2025-05-19 records the underlying incident so the reader is not misled about the age of the events described.
- Spot-check corrections (PD-1 anti-embellishment): main-agent WebFetch of the Ransom-ISAC primary confirmed the publication date and claims (data-theft-only / no encryptor, ~2 TB / ~1.6 M files, ~$1 M paid 2025-06-13, the brute-force quote, the non-verifiable "proof of deletion"). Three corrections were applied before composing: (a) the brute-force access is Kairos's own claim, not independently verified — framed as such, not as fact; (b) the primary does not confirm "no MFA / no VPN" — dropped as a stated fact, the MFA point reframed as a defender recommendation; (c) the primary names only "a small US county government body" and does not confirm Union County, Ohio — the victim is kept vague; blockchain-tracing / SBU-seizure / exact-BTC-split specifics were not confirmed in the spot-check and were omitted.
- Single-source: none — the Kairos entry is multi-source verified (Ransom-ISAC primary + Security Affairs + The Hacker News).
- Dropped: FBI/TeamPCP supply-chain credential-theft (Security Affairs 2026-07-04T07:55Z) — out-of-window (before the 10:09Z boundary) and overlaps the already-covered npm supply-chain-worm campaign; ChocoPoC RAT / Huntress Azure CLI ROPC / OneConsult BravoX / Dragos 2026 YiR — out-of-window (2026-07-01/-02 / 2026-06-29 / 2026-02-17), no in-window delta.
- New candidate source (1, cap respected): ransom-isac added as candidate.
- Coverage gaps: cisa-advisories, cisa-directives (403 on the listing-page bridge recipe — KEV API endpoint substituted for exploitation ground-truth; the HTML listing pages still need a working sub-path recipe); cisa-news, industrialcyber-co, inside-it-ch (403, no working bridge recipe this run — recipe check recommended for inside-it-ch, which now 403s both feed and page); safeonweb-be (200 but Drupal SPA shell, no parseable listing); prodaft, sans-newsbites (JS-rendered SPAs, no structured endpoint); ncsc-uk (200 but static curated-links block, freshest advisory 2026-06-22); cert-fr avis-recent (freshest 2026-06-26, stale); jpcert (freshest 2026-06-10, stale); shadowserver (feed 404 — recipe revalidation needed).
- Watchlist: not reported — config/org-profile.yaml configures no product or supplier watchlists; S1/S4 sweep duties were no-ops.
- Essential-coverage: cisa-advisories, cisa-directives missed (403 transport-block; KEV API substituted for the exploitation signal). All other essential sources (advisories-ncsc-nl, anssi-fr, bsi-de, cert-at, cert-eu, cert-pl, cisa-kev, enisa, ncsc-ch-focus, ncsc-ch-incidents, ncsc-ch-security-hub, ncsc-uk) were attempted and resolved.