Jul 5 / Latest News

County Paid $1 Million to Stop Leak of Stolen Files, Case Study Shows

A U.S. government entity paid about $1 million to stop stolen files from being leaked, according to a new case study by Rakesh Krishnan for Ransom‑ISAC.

The payment trail and leaked negotiation chat show the attacker, known as Kairos, may not be a traditional ransomware gang. Krishnan found no evidence of encryption, no locked systems, and no demand for a decryption key—only a threat to publish stolen data unless the victim paid.

The victim is not named, but the negotiation logs strongly point to Union County, Ohio. Stolen files carried names such as Union.xlsx, 1 union co psi template.doc, and union.rar. The victim described itself as a small county with limited resources, while Kairos repeatedly highlighted a folder labeled “prosecutors office,” warning that leaking it would help criminals evade charges.

The details match a real incident. In May 2025, Union County reported detecting ransomware and later notified 45,487 residents and staff that their data had been stolen, affecting most of the county’s roughly 70,000 residents. The stolen records included Social Security numbers, financial information, fingerprints, and passport details. Neither the county nor Kairos has confirmed any link to the case study.

The negotiation lasted about a month. Kairos began with a $3 million demand, claiming to hold more than 2 terabytes of data—around 1.6 million files. The county countered at $100,000, then raised its offer to $255,000 and later $430,000. Kairos dropped to $2 million before issuing a final ultimatum: $1 million by Friday or the data would be released. The county ultimately paid on June 13, 2025, sending roughly 9.44 bitcoin, valued at about $1 million at the time.

Krishnan traced the payment on-chain. Within hours, the funds were split and routed through multiple wallets toward deposit addresses linked to Bybit, OKX, and a Russian service called BELQI. The tracing provides investigative leads but no identities. Kairos supplied a “proof of deletion” file, but it merely listed filenames—showing only that the attacker once possessed the data, not that it was erased. Paying to make stolen data disappear remains an act of faith.

Union County publicly described the incident as ransomware, but the Kairos case involved no encryption at all. This reflects a broader shift in the extortion landscape. Sophos reported in 2025 that only about half of ransomware attacks still involve encryption, the lowest rate in six years. Some groups have abandoned it entirely, including Silent Ransom Group, a Conti offshoot that has long run pure data‑theft extortion campaigns.

The negotiation pattern also mirrors other leaked cases. Internal chats from Black Basta, exposed in early 2025, showed a deal that moved from a $1.5 million demand to a $100,000 counteroffer to a $1 million settlement—almost identical to the Kairos arc. Leaks from Conti in 2022 similarly revealed how these extortion bargains unfold behind the scenes. Kairos has since gone quiet. Its leak site is offline, and its last known victim appeared in June 2026. But a wallet tied to the operation was still active as recently as May 2026, showing that a silent leak site does not necessarily mean the crew is gone.

For small government networks, the lessons are familiar. Enable multi‑factor authentication—Kairos claimed it gained access by guessing a password. Monitor for repeated failed logins, large outbound data transfers, and temporary file‑sharing links like the temp.sh URLs Kairos used. Segregate legal, HR, and citizen records from the rest of the network. Prepare a public‑statement plan before it’s needed. And treat any promise to delete stolen data as worthless.