Data Extortion, Not Ransomware: How a US County Paid $1 Million to 'Kairos' to Prevent Data Leak
A recent case study reveals a U.S. government entity paid approximately $1 million to prevent a data leak by a group calling itself **Kairos**. This incident highlights a growing trend where attackers forgo traditional encryption, opting instead for pure data exfiltration and extortion, challenging the conventional definition of 'ransomware' incidents.

A U.S. government entity reportedly paid around $1 million to stop the leak of stolen files, according to a new case study by **Rakesh Krishnan** for **Ransom-ISAC**. The analysis, based on a leaked negotiation chat and blockchain transaction records, sheds light on a data extortion operation rather than a typical ransomware attack.
### The 'Kairos' Modus Operandi
The group, identified as **Kairos**, appears to specialize in data theft and extortion without employing encryption. Krishnan found no evidence of an encryptor or demands for decryption keys, suggesting their tactic was solely to steal sensitive data and then demand payment to prevent its public release.
While Krishnan's study refrains from naming the victim, clues within the negotiation chat, such as file names like `Union.xlsx` and `union.rar`, strongly point to **Union County, Ohio**. The attackers specifically leveraged a folder labeled "prosecutors office," threatening that its leak would aid criminals in evading justice.
### Matching a Real-World Incident
These details align with a real cyber incident reported by **Union County, Ohio**, in May 2025. The county disclosed detecting ransomware on its network and subsequently notified 45,487 residents and staff about a data breach. The stolen information was extensive, ranging from Social Security numbers and financial details to fingerprints and passport numbers.
Neither **Union County** nor **Kairos** has publicly confirmed their connection to this specific payment. If confirmed, this would represent a significant, undisclosed payment by a local government entity.
### The Negotiation Process
The negotiation spanned approximately one month. **Kairos** initially demanded $3 million for over 2 terabytes of data, comprising 1.6 million files. The county began with an offer of $100,000, incrementally increasing it to $255,000, then $430,000. **Kairos** eventually lowered their demand to $2 million before setting a firm deadline and a final price of $1 million.

The payment, made on June 13, 2025, amounted to roughly 9.44 **Bitcoin**, valued at about $1 million at the time. Krishnan's tracing revealed the funds were quickly split and channeled through various wallets toward known crypto exchanges like **Bybit**, **OKX**, and the Russian service **BELQI**.
### The Illusion of Deletion
In exchange for the payment, **Kairos** provided a "proof of deletion" file. However, this only confirmed their previous possession of the files, offering no verifiable guarantee that the original stolen data had been permanently wiped. Paying for data deletion remains an act of faith, with no true receipt beyond the word of the attacker.

### The Shifting Landscape of Ransomware
While **Union County** initially categorized the incident as ransomware, the **Kairos** case exemplifies a significant shift in cyberattack methodologies. Many groups now bypass encryption entirely, using the threat of data exposure as their primary leverage. **Sophos** reported in 2025 that only about half of ransomware attacks still involve encryption, a six-year low. Groups like **Silent Ransom Group**, a **Conti** offshoot, have long focused solely on data theft extortion against U.S. law and finance firms.
The negotiation patterns observed in the **Kairos** case echo those seen in other high-profile leaks, such as the internal chats of **Black Basta** in February 2025 and the **Conti** leaks in 2022. These insights are crucial for researchers to understand the evolving tactics of cybercriminal groups.
### Current Status and Lessons Learned
**Kairos** has since gone quiet, with its leak site down and the last known victim appearing in June 2026. However, a wallet linked to the operation remained active as recently as May 2026, indicating the group may still be operational despite its reduced public presence.
For IT security professionals, particularly those managing small government networks, the takeaways are critical:
* **Implement Multi-Factor Authentication (MFA):** **Kairos** reportedly gained access by simply guessing a password.
* **Monitor for Anomalies:** Watch for repeated failed logins, large outbound data transfers, and the use of burner file-sharing links.
* **Segment Networks:** Isolate sensitive legal, HR, and citizen records from the broader network.
* **Develop a Crisis Communication Plan:** Prepare a public statement plan in advance of an incident.
* **Be Skeptical of Deletion Promises:** Treat any promise to delete stolen data as unreliable.
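As an added example that is not from Krishnan's study or the Ransom-ISAC report, the script below applies the three "Monitor for Anomalies" checks (a run of failed logins followed by a success, unusually large outbound volume from one host, and uploads to throwaway file-sharing hosts) to constructed log lines. The log format, the thresholds, and the `FILE_SHARE_HOSTS` watchlist are assumptions; adapt them to your own telemetry.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log lines, not from the case study: simplified auth events
# and per-connection outbound-flow summaries, one record per line.
SAMPLE_LOGS = """\
2025-05-02T01:10:05 auth src=203.0.113.7 user=clerk1 result=FAIL
2025-05-02T01:10:09 auth src=203.0.113.7 user=clerk1 result=FAIL
2025-05-02T01:10:14 auth src=203.0.113.7 user=clerk1 result=FAIL
2025-05-02T01:10:20 auth src=203.0.113.7 user=clerk1 result=FAIL
2025-05-02T01:10:27 auth src=203.0.113.7 user=clerk1 result=FAIL
2025-05-02T01:10:33 auth src=203.0.113.7 user=clerk1 result=SUCCESS
2025-05-02T08:15:00 auth src=10.0.5.20 user=mjones result=SUCCESS
2025-05-02T02:40:00 flow src=10.0.5.12 dst=198.51.100.9 bytes_out=751619276800
2025-05-02T02:41:00 flow src=10.0.5.12 dst=transfer.example bytes_out=52428800
2025-05-02T09:00:00 flow src=10.0.5.20 dst=203.0.113.50 bytes_out=1048576
"""

FAIL_THRESHOLD = 5                  # failed logins per (src, user) before a later success alerts
OUTBOUND_THRESHOLD = 100 * 1024**3  # 100 GiB out of one internal host in the log window
# Hypothetical watchlist of throwaway file-sharing hosts; feed it from your own intel.
FILE_SHARE_HOSTS = {"transfer.example", "share.example"}
KV = re.compile(r"(\w+)=(\S+)")

def parse(line):
    """Split '<ts> <kind> k=v k=v ...' into a dict."""
    ts, kind, rest = line.split(" ", 2)
    return dict(KV.findall(rest), ts=ts, kind=kind)

def detect(log_text):
    """Return sorted (rule, subject) alerts for the three patterns in the takeaways."""
    fails = Counter()             # (src, user) -> failed attempts seen so far
    out_bytes = defaultdict(int)  # src -> total bytes sent outbound
    alerts = set()
    for line in log_text.splitlines():
        r = parse(line)
        if r["kind"] == "auth":
            key = (r["src"], r["user"])
            if r["result"] == "FAIL":
                fails[key] += 1
            elif fails[key] >= FAIL_THRESHOLD:   # success after a run of failures
                alerts.add(("password-guessing-then-success", f"{key[0]} as {key[1]}"))
        elif r["kind"] == "flow":
            out_bytes[r["src"]] += int(r["bytes_out"])
            if r["dst"] in FILE_SHARE_HOSTS:
                alerts.add(("file-share-upload", f"{r['src']} -> {r['dst']}"))
    for src, total in out_bytes.items():
        if total > OUTBOUND_THRESHOLD:
            alerts.add(("bulk-outbound-transfer", f"{src} sent {total // 1024**3} GiB"))
    return sorted(alerts)
```

Running `detect(SAMPLE_LOGS)` flags the guessed password on `clerk1`, the 700 GiB leaving `10.0.5.12`, and that host's upload to the watchlisted share; the benign `mjones` login and the 1 MiB flow from `10.0.5.20` produce nothing.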