Discussion: Kairos & the $1M 'Non-Ransomware' Payout
Has everyone caught the Ransom-ISAC case study on the 'Kairos' group? A US government entity paid them $1M, but here’s the kicker: Krishnan found zero evidence of encryption. This wasn't ransomware; it was pure data-theft extortion.
This changes the IOCs significantly. Without encryption processes (like LockBit or BlackCat binaries), EDR telemetry looking for mass file modifications won't trigger anything. The attack surface shifts entirely to credential theft (perhaps via session hijacking or phishing) and unauthorized access to file stores.
For SOC teams, we need to pivot our detection logic away from 'ransomware execution' to 'unusual data access.' If you're using Sentinel, try hunting for extortion keywords in your email gateways to catch the negotiation phase before the leak:
EmailEvents
| where Subject has "confidential" or Subject has "your data"
| where Body has "btc:" or Body has "monero:"
| where SenderFromAddress matches regex @".*\.onion"
| project Timestamp, Subject, SenderFromAddress, RecipientEmailAddress
The fact that they tracked the payment via the blockchain is the only forensic win here. But with no malware artifacts, attribution is going to be a nightmare. How are your teams handling the threat of pure extortion when there's no 'knock on the door' from ransomware processes?
This is terrifying. We spend millions on EDR to stop ransomware execution, but if they just exfiltrate via valid credentials, that money is wasted. I've started implementing strict DLP on our SharePoint and S3 buckets, assuming that identity is the new perimeter. If they can't get the data out, the extortion threat loses teeth.
The Kairos group likely operates more like a sophisticated business intelligence firm turned rogue. The blockchain analysis mentioned in the study showed them using standard exchanges before the payout, which implies they aren't fully op-sec mature on the laundering side yet. We need to watch for more 'name and shame' groups popping up that skip the malware coding step entirely—it's cheaper for them.
That’s exactly why relying solely on EDR is a gamble. We started hunting for 'data staging' behavior—large archive creation or compression activity—combined with network spikes. This query helped us catch a similar pattern recently looking for WinRAR usage coupled with outbound traffic:
DeviceProcessEvents
| where ProcessName endswith "\\winrar.exe"
| join kind=inner (DeviceNetworkEvents
| where ActionType == "ConnectionSuccess" and RemotePort in (443, 445))
on DeviceId
| summarize count() by DeviceName, AccountName
Verified Access Required
To maintain the integrity of our intelligence feeds, only verified partners and security professionals can post replies.
Request Access