
TL;DR
A US government entity paid around $1 million to the Kairos extortion group to keep stolen files private, according to a Ransom-ISAC case study based on a leaked negotiation chat and blockchain analysis. Clues point to Union County, Ohio, although neither party has confirmed this. The case illustrates how much of what is still called “ransomware” involves no encryption at all.
A US government entity paid around $1 million to prevent stolen files from being released, according to a case study by researcher Rakesh Krishnan for Ransom-ISAC. The analysis is based on a leaked negotiation chat and the blockchain trail left by the payment.
The group behind the deal calls itself Kairos, but it may not be a ransomware gang in the traditional sense. Krishnan reportedly found no encryptor, no locker, no decryption key request, just stolen files and a price to keep them private.
The case study does not name the victim, but file names in the theft evidence samples, including a file called union.rar, point to Union County, Ohio. Neither the county nor Kairos has confirmed the connection, and The Hacker News says it has contacted the county for comment.
The clues match a real incident. In May 2025, Union County detected ransomware on its network and subsequently notified 45,487 people that data including Social Security numbers, fingerprints and passport details had been taken.
If the identification is correct, a county of about 70,000 residents made a $1 million payment that it never publicly disclosed. The attacker reportedly leaned heavily on a folder marked “prosecution” and warned that a leak would help criminals evade charges.
Anatomy of a $1 Million Deal
The negotiation lasted approximately a month, according to the case study. Kairos opened at $3 million and claimed to have over 2 TB of data in about 1.6 million files.
The county reportedly countered with $100,000 and inched up to $430,000, while Kairos dropped to $2 million before setting a final deadline at $1 million. The victim paid ten times its initial offer on June 13, 2025.
The payment of approximately 9.44 bitcoin was worth roughly $1 million at that week’s market prices. Within hours it was reportedly split up and routed through a chain of wallets to deposits at Bybit, OKX and BELQI, a Russian service reminiscent of earlier ransomware laundering through WEX and BTC-e.
Tracing of this type gives investigators clues rather than identities. Criminal gangs have been refining how they launder cryptocurrency through mules, mixers and loosely regulated exchanges.
What the money actually bought is another question. Kairos provided a “proof of deletion” file, but a list of file names only proves that the attacker once had the data, and promises to delete stolen data have fallen apart before.
Ransomware without ransomware
Union County described the incident as ransomware, but nothing was ever encrypted in the Kairos case. A growing share of what still carries that label now bypasses lockers entirely and uses the stolen data itself as the pressure point, a playbook that recent extortion-only breaches have also used against the private sector.
Sophos reported in 2025 that only about half of ransomware attacks involved encryption, down from 70% the previous year and the lowest rate in six years. Silent Ransom Group, an offshoot of the Conti ecosystem, has for years run encryption-free extortion against US law firms, prompting repeated warnings from the FBI.
The negotiation arc is also familiar. When Black Basta’s internal chats leaked in February 2025, one settlement went from a $1.5 million demand to a $100,000 counteroffer and a $1 million payment, almost the same curve.
Kairos itself has gone silent, with its leak site offline and its last known victim posted in June 2026, according to the case study. A linked wallet was reportedly still moving funds in May, so a dark leak site should not be interpreted as a retired team.
Unglamorous lessons
For small government networks, the conclusions are deliberately boring. Kairos claimed it got in by guessing a password, so multi-factor authentication and alerts on repeated failed logins would have significantly raised the cost of entry.
Defenders should also watch outbound transfers and disposable file-sharing links, such as the temp.sh addresses the attacker used, and keep legal and citizen records segmented from the broader network. Above all, a thief’s receipt for deleted data is worth exactly what it cost to write.
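As an added illustration of those two lessons (this is not code from the case study or from Ransom-ISAC), the following Python scans constructed sshd and web-proxy log lines for a password-guessing burst followed by a successful login, and for a large upload to a disposable file host such as temp.sh. The log formats, IP addresses, hostnames and thresholds are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logs (not from the case study): sshd-style auth events
# and web-proxy lines, one of them an upload to a disposable file host.
AUTH_LOG = """\
2025-05-02T01:12:03 sshd[412]: Failed password for admin from 203.0.113.7 port 51000
2025-05-02T01:12:09 sshd[412]: Failed password for admin from 203.0.113.7 port 51002
2025-05-02T01:12:15 sshd[412]: Failed password for admin from 203.0.113.7 port 51004
2025-05-02T01:12:20 sshd[412]: Failed password for admin from 203.0.113.7 port 51006
2025-05-02T01:12:27 sshd[412]: Failed password for admin from 203.0.113.7 port 51008
2025-05-02T01:12:33 sshd[412]: Accepted password for admin from 203.0.113.7 port 51010
2025-05-02T08:00:01 sshd[913]: Failed password for clerk from 192.0.2.10 port 40000
"""
PROXY_LOG = """\
2025-05-03T02:14:11 src=10.20.30.40 method=POST host=temp.sh path=/upload bytes_out=734003200
2025-05-03T09:30:00 src=10.20.30.41 method=GET host=example.org path=/index.html bytes_out=512
"""
AUTH_RE = re.compile(r"^(\S+) sshd\[\d+\]: (Failed|Accepted) password for (\S+) from (\S+)")
PROXY_RE = re.compile(r"^(\S+) src=(\S+) method=(\S+) host=(\S+) \S+ bytes_out=(\d+)")

def detect_password_guessing(log, threshold=5, window=timedelta(minutes=10)):
    """Flag (ip, user) pairs with >= threshold failures inside `window`; a later
    success from the same pair upgrades the alert to 'guessed_in'."""
    failures = defaultdict(list)  # (ip, user) -> recent failure timestamps
    alerts = {}
    for line in log.splitlines():
        m = AUTH_RE.match(line)
        if not m:
            continue
        ts, outcome, user, ip = m.groups()
        t, key = datetime.fromisoformat(ts), (ip, user)
        if outcome == "Failed":
            failures[key] = [f for f in failures[key] if t - f <= window] + [t]
            if len(failures[key]) >= threshold:
                alerts.setdefault(key, "brute_force")
        elif key in alerts:  # "Accepted" right after a failure burst
            alerts[key] = "guessed_in"
    return alerts

def detect_disposable_uploads(log, hosts=("temp.sh",), min_bytes=10_000_000):
    """Return (src, host, bytes_out) for large POSTs to throwaway file hosts."""
    hits = []
    for line in log.splitlines():
        m = PROXY_RE.match(line)
        if m and m.group(3) == "POST" and m.group(4) in hosts and int(m.group(5)) >= min_bytes:
            hits.append((m.group(2), m.group(4), int(m.group(5))))
    return hits
```

In practice the `hosts` tuple would be a maintained list of disposable file-sharing domains and the alerts would feed a SIEM rather than a dict, but the two checks are the ones the lessons above call for.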