Skip to content
Ransomware group

Kairos

Kairos is a cyber extortion actor active since late 2024 that is primarily associated with data-theft and leak-based coercion rather than confirmed file encryption.

Profile source: Mallory opens in a new tab

Kairos

Family profile

Kairos is a cyber extortion actor active since late 2024 that is primarily associated with data-theft and leak-based coercion rather than confirmed file encryption. The group operates a dedicated leak site and has been observed using staged disclosure, short response deadlines, and public shaming to pressure victims into paying to prevent publication of stolen data. Reporting consistently characterizes Kairos as a data-only extortion operation, and no ransomware encryptor, locker binary, or verified decryption capability has been confidently linked to the group.

Kairos has targeted organizations in multiple sectors and regions, including government and public-sector entities, healthcare-related organizations, and commercial victims. Public reporting links the group to extortion against a small U.S. county government in 2025, where the actor allegedly stole more than 2 TB of data and negotiated a seven-figure payment without demonstrated encryption. Victimology observed on leak-site tracking also indicates broader international activity, including incidents affecting organizations in Europe and Australia.

The group’s known tradecraft centers on credential-based intrusion and data exfiltration followed by extortion. In at least one well-documented case, Kairos claimed initial access via brute-force attacks against credentials. Its coercion model relies on countdowns, escalating deadlines, high-anchor ransom demands followed by concessions, and selective references to especially sensitive stolen material to increase pressure. Kairos has also been described as threatening wider notification of partners, customers, or other third parties if negotiations fail, reflecting a broader extortion-first model rather than operational disruption through encryption.

Kairos is reported to be active on Russian-language cybercrime forums but has not been conclusively tied to a larger known cluster or major parent operation. Some reporting states the group emerged around July 2024, while other tracking places first observation in November 2024; the available evidence supports activity beginning in the second half of 2024. Leak-site monitoring and industry reporting indicate the group claimed dozens of victims through 2025 and into 2026, with counts varying by observation date. Infrastructure associated with the operation was later reported seized by Ukraine’s Security Service cyber authorities.

Aliases are limited, with Kairos being the primary and most widely used name. Based on currently available evidence, Kairos is best understood as an extortion-focused cybercriminal actor specializing in exfiltration-and-leak pressure tactics rather than a confirmed traditional ransomware group.

Ransomware.live

Operational record

View group record ↗

We appreciate you

Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.