Ethical Hacking News
U.S. government agency pays $1 million to data extortion group Kairos, a group that has never been confirmed to have deployed ransomware at all, in a case that highlights the growing trend of data-only extortion.
Threat actors are increasingly using data extortion tactics without deploying traditional ransomware. A recent case, Kairos, illustrates this trend: the group demanded a seven-figure ransom over its claimed access to 2 terabytes of data without encrypting anything or disrupting operations. The victim paid the ransom after a 28-day negotiation process involving countdown timers, publication threats, and controlled publishing of sensitive material. Key findings include the importance of pre-authorized escalation paths, negotiation support, egress monitoring, and an understanding that attacker deletion claims are not independently verifiable.
In recent years, we have witnessed an escalation in data extortion tactics employed by various threat actors, often without the deployment of traditional ransomware. The case of Kairos, a group focused on data theft and extortion rather than ransomware, sheds light on this emerging trend.
According to a report from Ransom-ISAC, a U.S. government agency paid $1 million in Bitcoin to Kairos, a group that has never been confirmed to have deployed ransomware at all. The victim, identified as a small county with limited resources, was targeted by Kairos in May 2025, following a brute-force credential attack.
Kairos claimed to hold more than 2 terabytes of data, specifically 1,602,775 files, and demanded a seven-figure ransom from the victim. Despite the lack of encryption or operational disruption, the victim ultimately paid the ransom, which was negotiated over a period of 28 days. The negotiation process involved a countdown timer, escalating deadlines, selective reference to sensitive material, and controlled publication threats.
The report highlights that Kairos maintained leverage by controlling deadlines, publication threats, and proof-of-access artefacts. The affected entity's responses are consistent with an organization buying time while legal, leadership, financial, and communications decisions were coordinated.
Furthermore, the blockchain activity provides useful investigative leads, including rapid fund splitting and exchange touchpoints. However, it should not be treated as standalone attribution. The strongest finding is operational: public-sector organizations need pre-authorized escalation paths, negotiation support, egress monitoring, and a clear understanding that attacker deletion claims are not independently verifiable.
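The report's egress-monitoring finding is the one control that can catch an exfiltration-only intrusion before the extortion demand arrives, because nothing is encrypted and no service goes down. As an added illustration (example code written for this article, not part of the Ransom-ISAC report or the Kairos case), the following Python baselines each host's daily outbound volume to external addresses and flags a day that is far above that host's own history. The flow records, thresholds (10× the median, 50 GB floor) and the assumption that RFC 1918 ranges are the organization's internal space are all constructed for the example.

```python
"""Per-host egress baseline check over constructed flow records.

Added example, not from the report or the article. Flow tuples are
(ISO day, source host, destination IP, bytes sent); the records and
every threshold below are constructed for illustration.
"""
import ipaddress
from collections import defaultdict
from statistics import median

# Assumption: the organization's internal space is the RFC 1918 ranges.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed sample flows. The 10.0.0.5 record is internal backup
# traffic and must not count as egress; the 2025-05-04 fs01 record is a
# bulk upload to an external host, the pattern this check is meant to catch.
SAMPLE_FLOWS = [
    ("2025-05-01", "fs01", "10.0.0.5", 900_000_000_000),
    ("2025-05-01", "fs01", "203.0.113.7", 2_000_000_000),
    ("2025-05-02", "fs01", "203.0.113.7", 2_500_000_000),
    ("2025-05-03", "fs01", "203.0.113.7", 1_800_000_000),
    ("2025-05-04", "fs01", "198.51.100.23", 650_000_000_000),
    ("2025-05-01", "ws22", "203.0.113.7", 300_000_000),
    ("2025-05-02", "ws22", "203.0.113.7", 350_000_000),
    ("2025-05-03", "ws22", "203.0.113.7", 280_000_000),
    ("2025-05-04", "ws22", "203.0.113.7", 320_000_000),
]


def is_external(ip_text):
    """True when the destination lies outside the assumed internal ranges."""
    ip = ipaddress.ip_address(ip_text)
    return not any(ip in net for net in INTERNAL_NETS)


def daily_external_egress(flows):
    """Sum bytes sent to external destinations, keyed by (host, day)."""
    totals = defaultdict(int)
    for day, host, dst, nbytes in flows:
        if is_external(dst):
            totals[(host, day)] += nbytes
    return dict(totals)


def flag_egress_anomalies(flows, target_day, factor=10.0, floor_bytes=50_000_000_000):
    """Flag hosts whose egress on target_day exceeds factor x their own
    median of earlier days and an absolute floor (so small hosts with a
    tiny baseline do not alert on ordinary variation)."""
    totals = daily_external_egress(flows)
    per_host = defaultdict(dict)
    for (host, day), nbytes in totals.items():
        per_host[host][day] = nbytes

    alerts = {}
    for host, days in per_host.items():
        today = days.get(target_day, 0)
        # ISO dates compare correctly as strings.
        history = [b for d, b in days.items() if d < target_day]
        if not history:
            continue  # no baseline yet; a separate "new host" rule would cover this
        baseline = median(history)
        if today >= floor_bytes and today > factor * baseline:
            alerts[host] = {"bytes": today, "baseline": baseline, "ratio": today / baseline}
    return alerts


if __name__ == "__main__":
    for host, info in flag_egress_anomalies(SAMPLE_FLOWS, "2025-05-04").items():
        print(f"{host}: {info['bytes'] / 1e9:.0f} GB out, "
              f"{info['ratio']:.0f}x its median of {info['baseline'] / 1e9:.1f} GB")
```

The per-host median rather than a fleet-wide threshold is the point of the design: a file server that normally pushes a few gigabytes a day to the internet and suddenly pushes hundreds stands out even though a backup appliance moves far more internally every night. In production the same logic would read NetFlow/IPFIX or firewall logs and feed a ticket into the pre-authorized escalation path the report calls for.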
The Kairos case illustrates the emerging trend of data-only extortion, where threat actors use file-access claims, publication threats, staged concessions, and deadline pressure to secure significant payments from victims. As the report concludes, this highlights the need for public-sector organizations to develop effective strategies to address such tactics.
Related Information:
https://www.ethicalhackingnews.com/articles/The-Anatomy-of-a-Sophisticated-Data-Extortion-Operation-A-Deep-Dive-into-the-Kairos-Ransomware-Case-ehn.shtml
https://securityaffairs.com/194750/security/u-s-government-agency-paid-1m-to-data-extortion-group-kairos.html
Published: Sat Jul 4 12:45:21 2026 by llama3.2 3B Q4_K_M