Kairos is a data extortion group active since late 2024 that focuses solely on data theft with no encryption, primarily targeting small-to-mid-sized organizations in healthcare, manufacturing, and business services in the US, purchasing initial access from brokers and demanding Bitcoin payments.
This group has no curated TTPs.
Defensive detection signature for this group (use it in your EDR/SIEM). Source: ransomware.live.
```yara
/*
    Kairos ransomware
*/
rule Kairos_Ransomnote
{
    meta:
        author = "ransomware.live"
        family = "ransomware.kairos"
        description = "Detects Kairos ransomware ransom note"
        date = "2026-05-04"
        severity = 7
        score = 70
    strings:
        $s1 = "Kairos" ascii nocase
        $s2 = "KAIROS" ascii
        $s3 = "kairos.onion" ascii nocase
    condition:
        any of them
}
```
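
The signature above fires on any file that contains the word "kairos" in any letter case, and the visible note text on this page carries no literal "Kairos" string outside the banner art and the redacted fields. As an added example (not ransomware.live's rule), the variant below keys on phrases copied from the note as reproduced on this page; the rule name, the 3-of-N threshold and the size limit are assumptions to tune against your own corpus.

```yara
rule Kairos_Ransomnote_Phrases_Example
{
    meta:
        description = "Added example: matches the Kairos note on phrases from the note text shown on this page"
        caveat = "Threshold and size limit are assumptions, not values from ransomware.live"
    strings:
        // Phrases copied verbatim from the note as shown on this page.
        // Lines with apostrophes or dashes are avoided on purpose, because
        // those characters are often typographic variants in the real file.
        // Spacing in a real note may differ from this rendering (assumption).
        // 'wide' covers a UTF-16 copy of the same text.
        $p1 = "allowing us to control your network for WEEKS" ascii wide
        $p2 = "We are not a politically motivated group" ascii wide
        $p3 = "enter your Token ID" ascii wide
        $p4 = "MAKING a DEAL with us ELIMINATES RISK" ascii wide
        $p5 = "ABSENCE of CONTACT within 3 DAYS" ascii wide
        $p6 = "START of DATA PUBLICATION" ascii wide
        $p7 = "investigation always finds an employee" ascii wide
        $p8 = "NEXT STEPS & IMPORTANT NOTES" ascii wide
    condition:
        // A note is a small text file; the size cap keeps the rule cheap
        // and avoids hits inside large archives or reports quoting it.
        filesize < 100KB and 3 of ($p*)
}
```
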
██╗░░██╗░█████╗░██╗██████╗░░█████╗░░██████╗
██║░██╔╝██╔══██╗██║██╔══██╗██╔══██╗██╔════╝
█████═╝░███████║██║██████╔╝██║░░██║╚█████╗░
██╔═██╗░██╔══██║██║██╔══██╗██║░░██║░╚═══██╗
██║░╚██╗██║░░██║██║██║░░██║╚█████╔╝██████╔╝
╚═╝░░╚═╝╚═╝░░╚═╝╚═╝╚═╝░░╚═╝░╚════╝░╚═════╝░
Your security was breached, allowing us to control your network for WEEKS.
We are not a politically motivated group and we want nothing more than money.
We have downloaded your most SENSITIVE DATA -- if you do not pay, everything will be PUBLISHED and/or SOLD to a third party.
We collect the most valuable and harmful data, such as:
- Accounting, Finance, Banking, Billing, Statements, HR, Payrolls
- Legal, Audit & Revenue Reports, Budgets
- Backups, Source Codes, Credentials, Databases with private data
- Agreements, NDA, Corporate Contracts, WorkFiles, Employee's private info and agreements, Tax and IRS files
- Private Correspondence of your Executive Team
- SSN/Address/Phones/Emails/Driver Licenses/Signatures/Photos/Medical history/etc
- Any other files with personal & private data
The PUBLICATION of THIS DATA will lead to DISASTROUS CONSEQUENCES for your business
NEXT STEPS & IMPORTANT NOTES
CONTACT US As Soon As Possible
Now, in order to start negotiations, you need to do the following:
- install and run 'Tor Browser' from [redacted]
- use 'Tor Browser' open [redacted]
- enter your Token ID: [snip]
MAKING a DEAL with us ELIMINATES RISK of PUBLIC DATA DISCLOSURE & LEAKAGE -- we DELETE your info.
ABSENCE of CONTACT within 3 DAYS leads to FAIL of negotiations & START of DATA PUBLICATION
YOU'RE IT OFFICER
Immediately INFORM your executives and show them this file
Help them to CONTACT with us & be in touch
REMEMBER: attempt to hide attack or lie to executives always leads to job loss
YOU'RE REGULAR STAFF
DO NOT panic and DO NOT DISCLOSE ANY INFO to third-parties
REMEMBER: investigation always finds an employee-the source of leak
YOU'RE THE DECISION MAKER
Do not worry. Making a deal with us helps to fix everything and get up & running FAST.
An incomplete list of risks you are facing in case of non-payment:
- Loss of customer trust and loyalty.
- Damage to the company's reputation.
- Legal consequences and compliance fines.
- Financial losses and costs associated with data recovery.
- Impact on competitive advantage and market share.
- Breach of data privacy regulations and laws.
- Disruption of business operations.
- Reduced employee morale and productivity.
- Potential for intellectual property theft.
- Loss of trade secrets and proprietary information.
We will also attack your partners and suppliers using info obtained from your network
It can lead to legal actions against you for data breaches/
If you will not contact us in a timely manner we will start notifying your employees, clients, partners, subcontractors
and any other persons that should know how you treat your own corporate secrets and theirs.

Commune De Camiers is a company that operates in the Government industry. It employs 10 to 19 people and has 1M to 5M of revenue. The company is headquartered in Camiers, Hauts-de-France, France.
The Instituto de Previsión Social or IPS is the institution responsible for managing the social security system in Paraguay. It was created by Decree-Law No. 17071 on February 18, 1943, during the government of Higinio Morínigo. Later, Decree-Law No.
| Organization | Country | Sector | Group | Discovered |
|---|---|---|---|---|
| Commune De Camiers | FR | Public Sector | — | 29 May 2026 |
| Institute of Social Security - Paraguay | PY | Public Sector | — | 10 Mar 2026 |
The addresses of the leak sites (.onion) are known but are not published or linked. Only public metadata is shown.