US government body paid $1m in data-theft extortion

TL;DR

A US government entity paid about $1m to the Kairos extortion group to keep stolen files private, according to a Ransom-ISAC case study based on a leaked negotiation chat and blockchain analysis. The clues point to Union County, Ohio, though neither party has confirmed it. The case illustrates how much of today's “ransomware” involves no encryption at all.

A US government entity paid around $1m to stop stolen files from being published, according to a case study by researcher Rakesh Krishnan for Ransom-ISAC. The analysis draws on a leaked negotiation chat and the blockchain trail the payment left behind.

The group behind the deal calls itself Kairos, but it may not be a ransomware gang in any traditional sense. Krishnan reportedly found no encryptor, no locker, and no demand for a decryption key, just stolen files and a price for keeping them private.

The case study does not name the victim, but file names in the proof-of-theft samples, including an archive called union.rar, point to Union County, Ohio. Neither the county nor Kairos has confirmed the connection, and The Hacker News says it has contacted the county for comment.

The clues do line up with a real incident. In May 2025, Union County detected ransomware on its network and later notified 45,487 people that data including Social Security numbers, fingerprints, and passport details had been taken.

If the identification holds, a county of roughly 70,000 residents made a $1m payment it never publicly disclosed. The attacker reportedly leaned hardest on a folder marked “prosecutors office”, warning that a leak would help criminals evade charges.

Anatomy of a $1m deal

The negotiation ran for about a month, according to the case study. Kairos opened at $3m and claimed to hold more than 2TB of data across some 1.6 million files.

The county reportedly countered at $100,000 and inched up to $430,000, while Kairos dropped to $2m before fixing a final $1m deadline. The victim paid on 13 June 2025, ten times its opening offer.

The payment of roughly 9.44 bitcoin matched about $1m at that week's market prices. Within hours it was reportedly split and routed through a chain of wallets towards deposits at Bybit, OKX, and BELQI, a Russian service that recalls earlier ransomware laundering through WEX and BTC-e.

Tracing of this kind gives investigators leads rather than identities. Criminal crews have spent years refining how they wash cryptocurrency through mules, mixers, and loosely regulated exchanges.
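To make concrete what "following the money" to an exchange deposit looks like, here is an added illustration written for this article; it is not the Ransom-ISAC analysis or its data. The ledger, wallet addresses, amounts and exchange labels are all constructed, but the shape mirrors the story above: one payment split and routed through several hops, some of which land at a labelled service and one of which simply goes cold.

```python
"""Follow a payment forward through a chain of wallets to labelled exchange deposits.

Added illustration of the tracing the case study describes; it is not the
Ransom-ISAC analysis or its data. The ledger, addresses, amounts and exchange
labels below are all constructed.
"""
from collections import defaultdict, deque

# Constructed ledger: (txid, inputs, outputs), each a list of (address, btc).
# A real trace reads this from a blockchain index.
TRANSACTIONS = [
    ("tx1", [("victim_addr", 9.44)], [("pay_addr", 9.44)]),
    ("tx2", [("pay_addr", 9.44)], [("split_a", 4.70), ("split_b", 4.74)]),
    ("tx3", [("split_a", 4.70)], [("hop_a1", 4.70)]),
    ("tx4", [("hop_a1", 4.70)], [("exch1_deposit", 4.70)]),
    ("tx5", [("split_b", 4.74)], [("hop_b1", 2.00), ("hop_b2", 2.74)]),
    ("tx6", [("hop_b1", 2.00)], [("exch2_deposit", 2.00)]),
    ("tx7", [("hop_b2", 2.74)], [("unknown_cold", 2.74)]),
]

# Constructed attribution: which deposit addresses belong to a known service.
# In practice these labels come from exchange cooperation or clustering heuristics.
LABELS = {"exch1_deposit": "Exchange-A", "exch2_deposit": "Exchange-B"}


def build_graph(transactions):
    """Map each spending address to the (txid, receiving address, btc) edges it funds."""
    graph = defaultdict(list)
    for txid, inputs, outputs in transactions:
        for in_addr, _ in inputs:
            for out_addr, amount in outputs:
                graph[in_addr].append((txid, out_addr, amount))
    return graph


def trace(start, transactions, labels, max_hops=10):
    """Breadth-first walk forward from `start`.

    Returns (leads, dead_ends): leads are (service, address, btc, path) tuples where
    the funds reached a labelled deposit; dead_ends are (address, path) tuples for
    unlabelled addresses with no onward spend, i.e. where the trail stops.
    """
    graph = build_graph(transactions)
    leads, dead_ends = [], []
    seen = {start}
    queue = deque([(start, [start], 0)])
    while queue:
        addr, path, hops = queue.popleft()
        edges = graph.get(addr, [])
        if not edges:
            dead_ends.append((addr, path))
            continue
        if hops >= max_hops:
            continue
        for txid, nxt, amount in edges:
            new_path = path + [f"{txid}->{nxt}"]
            if nxt in labels:
                # A labelled endpoint is the lead: an account a service can identify.
                leads.append((labels[nxt], nxt, amount, new_path))
            elif nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, new_path, hops + 1))
    return leads, dead_ends


def totals_by_service(leads):
    """Sum the btc that reached each labelled service."""
    totals = defaultdict(float)
    for service, _, amount, _ in leads:
        totals[service] += amount
    return dict(totals)


if __name__ == "__main__":
    leads, dead_ends = trace("pay_addr", TRANSACTIONS, LABELS)
    for service, addr, amount, path in leads:
        print(f"{amount:.2f} BTC -> {service} ({addr}) via {' / '.join(path)}")
    for addr, path in dead_ends:
        print(f"trail stops at {addr} via {' / '.join(path)}")
    print("by service:", totals_by_service(leads))
```

The output is exactly the kind of lead the article describes: deposit addresses at named services that a subpoena can turn into an account holder, plus a residue that reaches an unlabelled wallet and cannot be taken further on-chain. The walk stops at a labelled deposit on purpose, since what happens inside an exchange's internal ledger is invisible on the blockchain.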

What the money bought is another question. Kairos handed over a “proof of deletion” file, but a list of file names only proves the attacker once held the data, and promises to delete stolen data have unravelled before.

Ransomware without the ransomware

Union County described the incident as ransomware, yet nothing in the Kairos case was ever encrypted. A growing share of what still carries that label now skips lockers entirely and uses the stolen data itself as the pressure point, a playbook that recent extortion-only breaches have aimed at the private sector too.

Sophos reported in 2025 that only around half of ransomware attacks involved encryption, down from 70% a year earlier and the lowest rate in six years. Silent Ransom Group, an offshoot of the Conti ecosystem, has spent years running encryption-free extortion against US law firms, drawing repeated FBI warnings.

The bargaining arc is familiar too. When Black Basta's internal chats leaked in February 2025, one deal moved from a $1.5m demand to a $100,000 counter and a $1m payment, almost the same curve.

Kairos itself has gone quiet, with its leak site offline and its last known victim posted in June 2026, per the case study. A linked wallet was reportedly still moving funds in May, so a dark leak site should not be read as a retired crew.

Unglamorous lessons

For small government networks, the takeaways are deliberately dull. Kairos claimed it got in by guessing a password, so multi-factor authentication and alerts on repeated failed logins would have raised the cost of entry considerably.

Defenders should also watch outbound transfers and throwaway file-sharing links, such as the temp.sh addresses the attacker used, and keep legal and citizen records segmented from the wider network. Above all, a thief's receipt for deleted data is worth exactly what it cost to type.
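Both takeaways above, alerting on repeated failed logins and watching outbound transfers to throwaway file-sharing hosts, can be turned into simple log checks. The following is an added example written for this article, not code from the case study or from the county. The log lines are constructed, the sshd-style auth format is an assumption, temp.sh is the host named in the article, and the other watchlist entries are placeholders.

```python
"""Two detections matching the article's takeaways: bursts of failed logins from one
source, and outbound uploads to throwaway file-sharing hosts.

Added example, not from the case study or the county. Log lines are constructed;
the sshd-style format is an assumption, temp.sh comes from the article, the other
watchlist entries are placeholders.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed auth-log sample: one source makes five failures in under a minute
# and then succeeds (the password-guessing pattern); a legitimate user mistypes once.
AUTH_LOG = """\
2025-05-10T02:14:01 sshd[812]: Failed password for admin from 203.0.113.7 port 51001
2025-05-10T02:14:05 sshd[812]: Failed password for admin from 203.0.113.7 port 51002
2025-05-10T02:14:09 sshd[812]: Failed password for administrator from 203.0.113.7 port 51003
2025-05-10T02:14:14 sshd[812]: Failed password for clerk from 203.0.113.7 port 51004
2025-05-10T02:14:20 sshd[812]: Failed password for clerk from 203.0.113.7 port 51005
2025-05-10T02:14:26 sshd[812]: Accepted password for clerk from 203.0.113.7 port 51006
2025-05-10T08:30:00 sshd[990]: Failed password for jsmith from 10.0.0.25 port 40001
2025-05-10T08:30:11 sshd[990]: Accepted password for jsmith from 10.0.0.25 port 40002
"""

AUTH_RE = re.compile(r"^(\S+) \S+ (Failed|Accepted) password for (\S+) from (\S+) port")


def failed_login_bursts(log_text, threshold=5, window_seconds=300):
    """Return {source_ip: (failure_count, success_after_burst)} for every source whose
    failures inside any `window_seconds` span reach `threshold`. The boolean records
    whether an accepted login from the same source followed the burst, which is the
    sign that guessing eventually worked."""
    events = defaultdict(list)  # ip -> [(timestamp, outcome, user)]
    for line in log_text.splitlines():
        m = AUTH_RE.match(line)
        if not m:
            continue
        ts, outcome, user, ip = m.groups()
        events[ip].append((datetime.fromisoformat(ts), outcome, user))
    alerts = {}
    for ip, evs in events.items():
        evs.sort()
        fails = [t for t, o, _ in evs if o == "Failed"]
        start = 0
        for end in range(len(fails)):  # sliding window over failure timestamps
            while (fails[end] - fails[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                last_fail = fails[end]
                success = any(o == "Accepted" and t > last_fail for t, o, _ in evs)
                alerts[ip] = (len(fails), success)
                break
    return alerts


# Constructed proxy-log sample: "timestamp src_ip method host bytes_out".
PROXY_LOG = """\
2025-05-10T03:02:11 10.0.0.41 PUT temp.sh 734003200
2025-05-10T03:05:40 10.0.0.41 PUT temp.sh 812345678
2025-05-10T09:15:02 10.0.0.25 GET www.example.gov 1200
2025-05-10T09:20:30 10.0.0.25 POST mail.example.gov 45000
"""

# temp.sh is named in the article; the other two are placeholder watchlist entries.
THROWAWAY_HOSTS = {"temp.sh", "placeholder-paste.example", "placeholder-drop.example"}


def _on_watchlist(host, watchlist):
    """True for an exact match or any subdomain of a watchlisted host."""
    return any(host == w or host.endswith("." + w) for w in watchlist)


def outbound_to_throwaway_hosts(log_text, watchlist=THROWAWAY_HOSTS, min_bytes=10_000_000):
    """Return {(src_ip, host): total_bytes_out} for uploads to watchlisted hosts whose
    combined outbound volume from one source reaches `min_bytes`."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        _, src, method, host, size = parts
        if method in ("PUT", "POST") and _on_watchlist(host, watchlist):
            totals[(src, host)] += int(size)
    return {k: v for k, v in totals.items() if v >= min_bytes}


if __name__ == "__main__":
    print("login bursts:", failed_login_bursts(AUTH_LOG))
    print("uploads to throwaway hosts:", outbound_to_throwaway_hosts(PROXY_LOG))
```

The thresholds are deliberately modest: five failures in five minutes is enough to page someone on a small network that sees little legitimate traffic at 2 a.m., and a volume floor on the upload check keeps a single stray request to a paste site from generating noise while still catching the multi-hundred-megabyte transfers that a 2TB theft implies.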