ForumsSecurityExtortion Without Encryption: The Kairos $1M Government Case

Extortion Without Encryption: The Kairos $1M Government Case

BlueTeam_Alex 7/5/2026 USER

Just caught the Ransom-ISAC case study on the Kairos situation. It’s wild that a U.S. government entity paid out ~$1 million to a group that didn't even deploy ransomware. This confirms a trend we've been seeing: "pure" extortion where the encryption step is skipped entirely to reduce the attacker's footprint and speed up the process.

Since there was no locker, traditional AV/EDR signatures for ransomware might have missed this if the attackers used LOLbins or custom tools for exfil. The Rakesh Krishnan write-up mentions they tracked the payment via the blockchain trail, but the initial vector is the concerning part.

If you are looking to hunt for similar data-theft extortion activity on your endpoints, focus on unexpected file transfer activity. Here is a basic KQL query to hunt for high-volume egress from common utilities often abused for staging:

DeviceProcessEvents
| where FileName in~ ("rclone.exe", "winscp.exe", "curl.exe", "powershell.exe")
| where ProcessCommandLine contains_any ("upload", "sync", "put", "publish")
| join kind=inner (DeviceNetworkEvents
| where ActionType == "ConnectionAllowed"
| where RemotePort in (443, 22)) on DeviceId
| project Timestamp, DeviceName, FileName, ProcessCommandLine, RemoteUrl, RemoteIP
| order by Timestamp desc

Does anyone have experience negotiating with groups that don't encrypt? It feels like the leverage is lower since operations aren't technically halted, but the public reputation risk clearly drives the payout.

MD
MDR_Analyst_Chris7/5/2026

The shift away from encryption makes sense from the attacker's perspective—less chance of triggering 'shutdown' procedures and easier to stay under the radar. In our SOC, we've shifted focus to DLP anomalies rather than just waiting for BitLocker alerts. The scary part is that without the encryption 'kick' that wakes up the user, these breaches can go undetected for months.

ZE
ZeroTrust_Hannah7/5/2026

We had a similar incident last year, though on a much smaller scale. The group skipped the ransomware and just sent us proof of exfiltrated PII. We refused to pay, and they leaked it. The recovery cost was almost entirely legal/PR, not IT restoration. It changes the calculus; paying doesn't get your systems back, it just buys silence. Silence is expensive, but is it worth $1M?

CO
Compliance_Beth7/5/2026

Good catch on the LOLbins angle. If they aren't packing a ransomware binary, they are likely living off the land to move data. I'd add monitoring for unsigned binaries writing to temp directories and then immediately being read by network processes. This is classic staging behavior that often flies under the radar if you're only looking for malicious execution.

PH
PhysSec_Marcus7/5/2026

This highlights the need for behavioral network analysis. Since they aren't encrypting files on disk, we can't rely on static IOCs. Instead, look for anomalies in SMB connections or sudden spikes in upload traffic to cloud storage. We started hunting for powershell.exe initiating web requests, a common exfil method. You can hunt for this with KQL:

ProcessCreate
| where FileName =~ "powershell.exe"
| where CommandLine contains "Invoke-WebRequest" or CommandLine contains "IEX"

This helps catch the staging phase before data leaves the perimeter.

PH
PhishFighter_Amy7/5/2026

Agreed, the pivot to pure extortion changes the game. Since they likely gained initial access via phishing to avoid binary detection, don't overlook outbound email rules. Attackers often configure these to silently exfiltrate data before the SOC catches the network traffic.

Here is a quick KQL hunt for suspicious rule creation:

DeviceEvents
| where ActionType == "EmailRuleCreated"
| project DeviceName, AccountName, AdditionalFields
SO
SOC_Analyst_Jay7/5/2026

That’s a scary precedent. To catch the data staging phase, we monitor for system-native archiving tools spawning from user shells instead of admin paths. It’s a common sign of "zipping" data for exfil before it hits the network. Here’s a KQL query we use to hunt for suspicious WinRAR or 7-Zip activity:

Process
| where ProcessVersionInfoCompanyName in ('Alexander Roshal', 'Igor Pavlov')
| where InitiatingProcessAccountSid !contains 'S-1-5-21-500'
| project Timestamp, DeviceName, FileName, ProcessCommandLine
WH
whatahey7/7/2026

The lack of encryption definitely complicates detection since we lose the obvious file modification artifacts. It's crucial to monitor for data staging behaviors instead. We often see attackers compressing data rapidly before exfil. This KQL query helps detect suspicious, password-protected archive creation which is a common precursor:

DeviceProcessEvents 
| where FolderPath endswith "\7z.exe" or FolderPath endswith "\winrar.exe" 
| where ProcessCommandLine contains "-p" and ProcessCommandLine contains "a"
MS
MSP_Tech_Dylan7/8/2026

Don't overlook exfiltration via legitimate cloud APIs. Attackers often leverage massive personal cloud storage accounts to bypass traditional C2 detection. In our MSP stack, we monitor for high-volume uploads to consumer-grade providers. You can spot this in Sentinel with a simple query for anomalies in upload volume:

DeviceNetworkEvents
| where RemoteUrl contains 'drive.google.com' or RemoteUrl contains 'mega.nz'
| summarize SentBytes = sum(SentBytes) by DeviceName, bin(Timestamp, 1h)
| where SentBytes > 50000000

Verified Access Required

To maintain the integrity of our intelligence feeds, only verified partners and security professionals can post replies.

Request Access

Thread Stats

Created7/5/2026
Last Active7/8/2026
Replies8
Views58