In a startling revelation that underscores the evolving landscape of cybercrime, a U.S. government entity reportedly paid approximately $1 million to prevent the public release of stolen data. This unprecedented payment, detailed in a new case study by Rakesh Krishnan for Ransom-ISAC, shines a spotlight on a group known as Kairos – an entity that appears to operate outside the traditional ransomware model.
The Kairos Enigma: Extortion Without Encryption
Unlike conventional ransomware gangs that lock systems and demand decryption keys, Kairos employs a simpler, yet equally devastating, tactic: pure data-theft extortion. Krishnan’s investigation, built upon leaked negotiation chats and blockchain payment trails, found no evidence of Kairos ever deploying an encryptor or locking a single machine. Their modus operandi is straightforward: steal sensitive files, then demand a hefty ransom to keep them from being published.
While the victim remains officially unnamed in the study, compelling clues within the negotiation chat and proof-of-theft files (such as “Union.xlsx” and “union.rar”) strongly point to Union County, Ohio. The victim described itself as a “small county with limited resources,” a detail that resonates with Union County’s profile. The attackers specifically leveraged a folder marked “prosecutors office,” threatening that its leak would aid criminals in evading justice.
Union County’s Ordeal: A Timeline of Compromise and Concealment
The clues align with a real-world incident. In May 2025, Union County, Ohio, publicly acknowledged detecting “ransomware” on its network. Subsequently, 45,487 residents and staff – a significant portion of the county’s 70,000 population – were notified that their data, ranging from Social Security numbers and financial details to fingerprints and passport information, had been compromised. Neither Union County nor Kairos has officially confirmed the connection, but if true, it represents a substantial, undisclosed payment by a government body.
The Million-Dollar Negotiation: A Glimpse into the Dark Web’s Bargaining Table
The extortion negotiation spanned roughly a month, a tense back-and-forth between the county and Kairos. The attackers initially demanded $3 million for over 2 terabytes of data (approximately 1.6 million files). Union County began with a counter-offer of $100,000, gradually increasing it to $255,000, then $430,000. Kairos, in turn, lowered its demand to $2 million before issuing a final ultimatum: $1 million by Friday, or the data goes public.
On June 13, 2025, the county capitulated, paying approximately 9.44 Bitcoin, valued at about $1 million at the time – ten times their initial offer. The attackers employed classic psychological levers: countdown timers, strict deadlines, and threats to release the most damaging folders first.
Following the Digital Breadcrumbs: Where Did the Money Go?
Krishnan’s meticulous tracing of the Bitcoin payment revealed its rapid movement. Within hours, the sum was split and funneled through a series of wallets, ultimately landing in deposit addresses linked to major crypto exchanges like Bybit and OKX, as well as the Russian service BELQI. While such tracing provides invaluable leads for investigators, it rarely yields immediate names, highlighting the persistent anonymity of the dark web.
The payment, however, bought little in the way of certainty. Kairos provided a “proof of deletion” file, but as the study rightly points out, a list of file names only confirms the attacker once possessed the data, not that the originals were permanently wiped. Paying for data deletion, in this context, is largely an act of faith, with the “receipt” issued by the very thief.
The Shifting Sands of Cyber Extortion: Beyond Encryption
Union County initially categorized the incident as “ransomware,” a term often broadly applied. Yet, the Kairos case reveals a critical evolution: many so-called ransomware attacks now bypass encryption entirely, using the stolen data itself as the primary leverage. Sophos reported in 2025 that only about half of ransomware incidents still involve encryption, marking a six-year low. Some groups, like the Silent Ransom Group (a Conti offshoot), have exclusively pursued data-theft extortion against U.S. law and finance firms without any encryptor.
The negotiation tactics employed by Kairos also echo familiar patterns seen in other high-profile leaks. The leaked internal chats of Black Basta in February 2025 revealed a similar negotiation arc: a $1.5 million demand, a $100,000 counter, and a final $1 million payment. These leaked communications, alongside the Conti leaks of 2022, are proving invaluable for researchers in understanding the intricate dynamics of these illicit bargains.
Lessons for Small Governments: Fortifying Defenses in a New Era
While Kairos’s leak site has gone dark and its last known victim appeared in June 2026, a wallet associated with the operation remained active as recently as May 2026 – a stark reminder that a quiet leak site doesn’t necessarily mean a defunct crew. For small government networks, the lessons are clear, albeit familiar:
- Implement Multi-Factor Authentication (MFA): Kairos reportedly gained access by simply guessing a password. MFA is a crucial first line of defense.
- Monitor for Anomalies: Watch for repeated failed logins, unusually large outbound data transfers, and suspicious file-sharing links (like the temp.sh addresses used by Kairos).
- Segment Networks: Isolate sensitive legal, HR, and citizen records from the broader network to limit potential damage.
- Develop a Crisis Communication Plan: Have a public statement strategy ready *before* an incident occurs.
- Distrust Deletion Promises: Any assurance from attackers to delete stolen data should be considered worthless.
The Kairos case serves as a potent warning: the threat landscape is constantly evolving, and organizations must adapt their defenses to counter sophisticated, non-traditional extortion tactics.