A recent case study from Rakesh Krishnan at Ransom-ISAC reveals that a U.S. governmental entity disbursed approximately $1 million to prevent the public release of compromised files. The insights stem from leaked negotiation transcripts and the digital footprint of the transaction on the blockchain.
The group demanding the payment identifies itself as Kairos, but according to Krishnan, it does not appear to function as a traditional ransomware operation, as no encryption methods were employed. Instead, the strategy involved stealing sensitive data and extorting the victim to avoid its publication, a tactic increasingly common in today’s cybercrime landscape.
While the exact identity of the victim remains undisclosed, the evidence from the negotiation suggests a direct connection to Union County, Ohio. Document names such as Union.xlsx and a marked folder titled “prosecutors office” indicate that the attackers threatened to leak sensitive legal information. The county, describing itself as under-resourced, faced substantial pressure due to the nature of the stolen data, which included critical personal records and legal documents.
In May 2025, Union County acknowledged a cyber incident where unauthorized access was detected, leading to the exfiltration of personal data from over 45,000 residents. The incident compromised a broad array of sensitive information, including Social Security numbers and financial details, impacting a significant portion of the county’s population.
Neither Union County nor Kairos have confirmed public ties, but if verified, it suggests that the county quietly allocated resources to settle the matter without public disclosure—a trend that raises serious questions about transparency and accountability in cybersecurity incidents. Efforts to reach out for comments from the Union County Commissioner’s office are ongoing, with updates anticipated.
The negotiations spanned an entire month, with Kairos initiating with a demand of $3 million for 2 terabytes of data, ultimately reducing their ask to $1 million as the county incrementally increased its offer from $100,000. Under the duress of impending publication threats, finalizing the deal by June 13, 2025, resulted in the county paying tenfold their initial proposal, using approximately 9.44 bitcoin, then worth around $1 million.
Tracing the subsequent movement of the funds, researchers observed that shortly after the payment was made, the cryptocurrency was split and funneled through various wallets toward exchange services, indicating a sophisticated effort to obfuscate the transaction. Notably, while the attackers provided a “proof of deletion” document, the absence of a verifiable method to ensure the safe destruction of the data underscores the inherent risks in negotiations with cybercriminals.
The operation described mirrors a significant shift in tactics for cyber extortion, where traditional methods of encrypting data are becoming less common. A report by Sophos noted that in 2025, only about half of ransomware incidents involved encryption, with many groups opting for stolen data exploitation instead. The implication for business owners, particularly within government networks, is clear: robust cybersecurity measures including multi-factor authentication and vigilant monitoring for unusual network activity remain crucial.
To fortify defenses, organizations must proactively address potential vulnerabilities. This involves safeguarding sensitive legal, HR, and citizen records from being easily accessed within the network, coupled with ensuring that response strategies are in place before any breach occurs. In this evolving threat landscape, the lesson rings clear: trust not in promises from cybercriminals regarding data deletion, for those assurances are fraught with uncertainty.