A US local government body paid roughly $1 million in bitcoin to the Kairos extortion group to stop the publication of stolen data, in an attack where no files were ever encrypted and no systems went down. The incident was reconstructed by Rakesh Krishnan writing for Ransom-ISAC, who rebuilt the timeline from a leaked negotiation chat and the on-chain bitcoin trail. The victim has not been officially named, but reporting since the case study points to Union County, Ohio, a county of around 70,000 residents. The haul reached 1,602,775 files, about 2 terabytes, exposing sensitive records belonging to 45,487 people.
What Happened
Kairos breached the network in early May 2025 and spent roughly two weeks quietly copying data out of the environment. Rather than deploy an encryptor, the group operated as a pure data-theft extortion crew: it exfiltrated files, listed the victim on its leak site, and threatened to publish everything unless it was paid. Krishnan's report found no locker binary and no ransom note demanding a decryption key. Staff could have logged in the next morning as normal.
Once listed, the county negotiated hard. Kairos opened at $3 million. The county countered at $100,000, then raised its offer to $255,000 and $430,000 as a Friday deadline approached. Kairos eventually settled for $1 million, paid on 13 June 2025 in 9.44 bitcoin. After payment, the group sent what it called proof of deletion: a 238 MB text file listing filenames, with no cryptographic hash and no video to independently confirm anything had been erased rather than archived.
What Was Taken
The stolen dataset totaled 1,602,775 files and roughly 2 terabytes. It included highly sensitive personal information for 45,487 individuals: social security numbers, financial records, fingerprints, and passport data. For a local government custodian, this is close to a worst-case exposure, combining permanent biometric identifiers with government-issued document data and financial records that cannot be reissued the way a password can. The affected population may include residents, employees, and anyone whose records passed through county systems.
Why It Matters
This case dismantles the assumption that ransomware means downtime. Kairos never touched availability, so traditional recovery playbooks built around backups, restore drills, and decryptor negotiation were irrelevant. The only leverage was the threat of publication, and the only defense that would have mattered is preventing the exfiltration in the first place. Organizations that measure ransomware readiness purely by their ability to recover systems are blind to this entire class of attack.
The bitcoin trail also underscores that payment buys a promise, not certainty. About 6.6 bitcoin moved toward a Bybit deposit address within three days, and the remainder fragmented through several wallets before landing at OKX and a Russian exchange called BELQI. That rapid layering is standard cash-out tradecraft, and it means the county funded a criminal operation with no verifiable guarantee the data was destroyed. Kairos is not a one-off actor: it has operated since November 2024 and has listed 88 victims.
The Attack Technique
The likely entry vector was a brute-force attack against exposed credentials, not a software vulnerability. Once inside, Kairos took roughly two weeks to stage and exfiltrate around 2 terabytes of data, indicating a slow and deliberate collection phase rather than a smash-and-grab. The absence of an encryptor is a deliberate design choice: skipping the noisy encryption step reduces the chance of triggering alerts, avoids the operational complexity of a locker, and keeps the entire operation focused on data theft and extortion leverage.
What Organizations Should Do
- Enforce multi-factor authentication on every externally reachable service and account, and eliminate exposed single-factor credentials that brute-force campaigns target.
- Deploy egress monitoring and data loss prevention to detect large or anomalous outbound transfers; a two-week, 2 terabyte exfiltration should generate alerts long before it completes.
- Reduce your attack surface by inventorying and removing internet-exposed remote access, VPN, and management interfaces, and rate-limit or lock out repeated failed authentication attempts.
- Encrypt sensitive data at rest and tightly segment access to high-value records such as SSNs, biometrics, and passport data so a single foothold cannot reach everything.
- Build an incident response plan that assumes exfiltration without encryption, including legal, breach-notification, and law-enforcement engagement paths, and recognize that paying does not guarantee deletion.
- Maintain detailed logging and file-access auditing so you can determine exactly what was accessed, rather than relying on an attacker's unverifiable list of filenames.