ctipilot.ch

Kairos

Type: actor · ID: actor:kairos-extortion · single-source

Kairos — data-theft-only extortion actor; no ransomware encryptor or locker binary has been obtained or confidently linked to it. Leverage rests on the threat to publish exfiltrated data rather than on file encryption; documented retrospectively by Ransom-ISAC (2026-07-03) in a case study of a ~$1M payout by a small US county government.

Coverage timeline: 5 appearances, first 2026-05-18, last 2026-07-05
Entries: 5 (4 distinct days)
Sources cited: 10 (9 hosts)
Sections touched: 4 (active-threats, research, weekly-incidents-recap)
Co-occurring entities: 1 (see Related entities below)

Story timeline

  1. 2026-07-05 (research): Kairos data-theft-only extortion — a US county paid ~$1M with no ransomware encryptor ever recovered
     Section headline: Ransom-ISAC case study: a US county paid ~$1M to data-theft extortion actor Kairos — no encryptor was ever deployed
  2. 2026-05-24 (active-threats): Six German university hospitals lose ~97,600+ patient records to a breach at billing processor Unimed
  3. 2026-05-19 (active-threats): ARWINI (Lower Saxony statutory-prescription audit body) — investigators confirm data exfiltration after 4 May intrusion; Kairos ransomware group claims 2.87 TB; ~70,000 GDPR Art. 9 records in scope
  4. 2026-05-18 (weekly-sector-patterns): Healthcare (DACH) — the soft surface is the administrative intermediary, not the hospital
  5. 2026-05-18 (weekly-incidents-recap): ARWINI (Lower Saxony prescription-audit body) — exfiltration confirmed; Kairos claims 2.87 TB including ~70,000 GDPR Art. 9 records

Where this entity is cited

  • active-threats (2)
  • weekly-incidents-recap (1)
  • weekly-sector-patterns (1)
  • research (1)

Source distribution

  • heise.de: 2 (20%)
  • aerzteblatt.de: 1 (10%)
  • borncity.com: 1 (10%)
  • ransom-isac.org: 1 (10%)
  • securityaffairs.com: 1 (10%)
  • thehackernews.com: 1 (10%)
  • therecord.media: 1 (10%)
  • uk-koeln.de: 1 (10%)
  • other: 1 (10%)

Related entities

All cited sources (10)

Entries about Kairos (5)

Entry 1 · 2026-07-05

Kairos data-theft-only extortion — a US county paid ~$1M with no ransomware encryptor ever recovered

Severity: notable · Type: research · Discovered 2026-07-05 00:25 UTC

Ransom-ISAC has published a post-incident case study reconstructing a data-theft extortion case against a small US county government body, in which the victim paid roughly $1M after a May 2025 intrusion (Ransom-ISAC, 2026-07-03; The Hacker News, 2026-07-04). The distinguishing feature of the actor, self-styled "Kairos", is that it is a pure data-theft-and-leak extortion operation — Ransom-ISAC states "No ransomware sample, encryptor, or locker binary has been obtained or confidently linked to Kairos", so its leverage rested entirely on the threat to publish stolen data rather than on file encryption (Ransom-ISAC, 2026-07-03). Kairos itself claimed the intrusion was achieved through a brute-force credential attack — "We accessed your network using a bruteforce attack" — mapping to T1110 Brute Force and T1078 Valid Accounts; the report does not independently confirm the access method beyond the actor's own statement (Ransom-ISAC, 2026-07-03).

Kairos claimed access to more than 2 TB of data — approximately 1.6 million files — and exfiltrated it for leak-site leverage (T1567 Exfiltration Over Web Service); after roughly a month of negotiation the victim paid about $1M on 13 June 2025 (Ransom-ISAC, 2026-07-03; Security Affairs, 2026-07-04). Ransom-ISAC explicitly cautions that "The provided 'proof of deletion' was not technically verifiable and should not be treated as evidence that the stolen data was destroyed", noting there was nothing cryptographically binding the actor's deletion log to an actual deletion event (Ransom-ISAC, 2026-07-03).

Key quotes:
  • "We accessed your network using a bruteforce attack." (Kairos, as quoted by Ransom-ISAC)
  • "No ransomware sample, encryptor, or locker binary has been obtained or confidently linked to Kairos" (Ransom-ISAC, 2026-07-03)
  • "The provided 'proof of deletion' was not technically verifiable and should not be treated as evidence that the stolen data was destroyed" (Ransom-ISAC, 2026-07-03)

Tags: organized-crime, data-breach, us

Entry 2 · 2026-05-24

Six German university hospitals lose ~97,600+ patient records to a breach at billing processor Unimed

Severity: high · Type: incident · Discovered 2026-05-24 05:00 UTC

Unimed, a Saarland-based billing-service provider that handles private-insurance and self-payer invoicing for an estimated 95% of German university hospitals, was breached in mid-April 2026; attackers exfiltrated patient data, and an attempted full encryption of Unimed's infrastructure was reportedly averted (heise online, 2026-05-22). On 2026-05-21 at least six state-funded Universitätsklinikum hospitals — Cologne, Freiburg, Heidelberg, Tübingen, Ulm and Mannheim — disclosed that their patients' data was among the stolen records (The Record, 2026-05-22). University Hospital Freiburg states that master data for ~54,000 patients (names, addresses, dates of birth) was taken, with billing records for ~900 patients additionally exposing diagnoses and treatment methods, and bank-account data in a small number of those cases (Uniklinik Freiburg, 2026-05-21); Cologne reports ~30,000 patients affected (Uniklinik Köln, 2026-05-21). The exposed categories include GDPR Article 9 special-category health data (diagnoses, treatment codes) and financial data (IBANs). Attribution is open: heise states it is "not yet known who is responsible" for the Unimed attack, and The Record likewise reports that no actor had publicly claimed responsibility at the time of its publication. The intrusion resembles the earlier ARWINI Lower Saxony statutory-billing breach (covered 2026-05-19), which the Hannover Police Directorate attributed to the Kairos ransomware group per heise, but that resemblance is an analyst pattern overlap, not a sourced attribution of the Unimed breach.

Tags: ransomware, data-breach, supply-chain, dach, europe

Entry 3 · 2026-05-19

ARWINI (Lower Saxony statutory-prescription audit body) — investigators confirm data exfiltration after 4 May intrusion; Kairos ransomware group claims 2.87 TB; ~70,000 GDPR Art. 9 records in scope

Severity: high · Type: incident · Discovered 2026-05-19 05:00 UTC

Investigators confirmed on 2026-05-18 that the cyberattack on ARWINI — the Arbeitsgemeinschaft Wirtschaftlichkeitsprüfung Niedersachsen e.V., which audits prescription cost-effectiveness for statutory-health-insurance (GKV) patients in Lower Saxony via data exchange with the Kassenärztliche Vereinigung Niedersachsen (KVN), AOK and other insurers — resulted in confirmed exfiltration of personal data (Deutsches Ärzteblatt, 2026-05-18; Heise Security, 2026-05-18). Intrusion signs were detected on ARWINI servers on 2026-05-04 and all systems were shut down the same day; ARWINI's own statement, cited by Borns IT Blog on 2026-05-16, said that particularly sensitive personal data (besondere Kategorien, i.e. GDPR Art. 9 data) is likely affected, with health and billing data on ≥70,000 patients in scope (Borns IT Blog, 2026-05-16). The Polizeidirektion Hannover is the investigating authority; the Landesbeauftragter für Datenschutz Niedersachsen (LfD) and the BSI have been notified under the GDPR 72-hour rule and the German KRITIS / NIS2UmsuCG framework. Heise reports that the Kairos ransomware group has claimed the attack and is threatening to sell approximately 2.87 TB of stolen data on its leak site, with the leak-site claim dated 2026-05-11. The technical pattern is consistent with double-extortion ransomware now in the operator leak-site phase.

Why it matters to us: GKV bodies and their mandated third-party auditors are NIS2 entities; the supply-chain relationship between KVN/AOK and ARWINI is precisely the data-processor scope hit by NMDL/IGJ in the Netherlands (covered 2026-05-14). Defender pattern: any GKV / AHV / cantonal health-insurance data-exchange counterparty should be inventoried as an in-scope critical supplier under §8b BSI-Gesetz / NIS2UmsuCG, with breach-notification playbooks rehearsed for a 72-hour GDPR clock that starts at a third party's detection event, not only at one's own. Monitor for downstream phishing that uses GKV billing-data lures against the affected patient cohorts.

Key quotes:
  • "After the cyberattack on a healthcare cost-effectiveness audit association, investigators confirm a data leak" (Heise Security)
  • "According to ARWINI, it is likely that personal and particularly sensitive data are affected" (Borns IT Blog, citing ARWINI)
  • "Kairos ransomware group has claimed the attack" (Heise Security)

Tags: ransomware, data-breach, dach, europe

Entry 4 · 2026-05-18

ARWINI (Lower Saxony prescription-audit body) — exfiltration confirmed; Kairos claims 2.87 TB including ~70,000 GDPR Art. 9 records

Severity: notable · Type: incident · Discovered 2026-05-18 05:00 UTC · single-source

Investigators confirmed on 2026-05-18 that the cyberattack on ARWINI — the body that audits prescription cost-effectiveness for statutory health insurers in Lower Saxony — exfiltrated data after a 4 May intrusion. The Kairos ransomware group claims 2.87 TB, with roughly 70,000 special-category (Art. 9) health records in scope. This is the second DACH healthcare-adjacent data-theft event of the window after Unimed, reinforcing that the sector's softest surfaces are the administrative and audit intermediaries, not the hospitals' clinical systems.

Tags: ransomware, data-breach, dach, europe

Entry 5 · 2026-05-18

Healthcare (DACH) — the soft surface is the administrative intermediary, not the hospital

Severity: high · Type: synthesis · Discovered 2026-05-18 05:00 UTC

Two DACH healthcare data-theft events this window both hit intermediaries rather than clinical systems: the Unimed billing processor (exposing patient records across at least six German university hospitals) and ARWINI, the Lower Saxony prescription-audit body (Kairos claims 2.87 TB including ~70,000 Art. 9 records); both are detailed in § 5. The pattern for Swiss and German healthcare CISOs is concentration risk in the back-office tier: billing, audit, lab and imaging processors aggregate patient data from many providers and so become a single high-value, lower-defended target. Inventory which processors hold your Art. 9 data and confirm each one's breach-notification SLA and security attestation.

Tags: ransomware, data-breach, supply-chain, dach, europe