title: "Union County, Ohio: Kairos Data Extortion"
date: 2026-07-05
slug: union-county-ohio-kairos-data-extortion
Union County, Ohio: Kairos Data Extortion
A U.S. government entity paid roughly $1 million to the Kairos data-extortion group to keep stolen files from being published, according to a Ransom-ISAC case study by researcher Rakesh Krishnan built on a leaked negotiation chat and blockchain analysis. File names in the proof-of-theft samples, including an archive called union.rar, point to Union County, Ohio, though neither the county nor Kairos has confirmed the connection. The clues align with a real May 2025 incident in which Union County, a county of roughly 70,000 residents, notified 45,487 people that their data had been stolen.
What Happened
The case did not involve traditional ransomware at all. Krishnan reportedly found no encryptor, no locker, and no demand for a decryption key. Kairos simply stole files and named a price for keeping them private, a data-theft extortion model that increasingly wears the "ransomware" label without any encryption behind it.
The negotiation ran for about a month. Kairos opened at $3 million, claiming to hold more than 2TB of data across some 1.6 million files. The victim countered at $100,000, then inched up to $430,000, while Kairos dropped from $3 million to $2 million before fixing a final $1 million demand with a payment deadline attached. The victim paid on 13 June 2025, ten times its opening offer.
The payment of roughly 9.44 bitcoin matched about $1 million at that week's market prices. Within hours it was reportedly split and routed through a chain of wallets toward deposits at Bybit, OKX, and BELQI, a Russian service that echoes earlier ransomware laundering through WEX and BTC-e. Tracing of this kind gives investigators leads rather than identities, since criminal crews have spent years refining how they wash cryptocurrency through mules, mixers, and loosely regulated exchanges.
What Was Taken
The attacker claimed more than 2TB across roughly 1.6 million files. Union County's own May 2025 disclosure said the stolen data included Social Security numbers, fingerprints, and passport details for 45,487 people. During negotiations, Kairos reportedly leaned hardest on a folder marked "prosecutors office," warning that a leak would help criminals evade charges, a targeted pressure tactic aimed at the most sensitive material in the haul.
What the money actually bought remains uncertain. Kairos handed over a "proof of deletion" file, but a list of file names only proves the attacker once held the data. Promises to delete stolen data have unraveled before, and there is no technical guarantee the county's records are gone.
Why It Matters
If the identification holds, a public entity serving about 70,000 residents made a $1 million payment it never publicly disclosed. That gap between the county's public "ransomware" framing and the private seven-figure extortion payment matters for anyone tracking how government bodies handle breaches.
The case is also a clean example of ransomware without the ransomware. A growing share of what still carries that label skips lockers entirely and relies on the threat of publication. Defenders whose plans cover only encryption events (backups, restoration, and business continuity) are unprepared for pure data-theft extortion, where the damage is already done the moment files leave the network.
The Attack Technique
The public record is thin on initial access. Union County detected the intrusion in May 2025 and characterized it as ransomware, but the Kairos case study describes no encryptor or locker, meaning the operation was exfiltration-first. The visible tradecraft is in the aftermath: bulk staging of files into archives such as union.rar, a month-long negotiation over a leaked chat channel, and rapid laundering of the bitcoin payment through wallet-hopping into exchange deposits. Absent a confirmed entry vector, defenders should assume the standard paths (phishing, exposed remote services, or valid but stolen credentials) until Union County or investigators publish more.
What Organizations Should Do
- Plan for extortion without encryption. Build incident response playbooks that assume data is already gone, not just locked, and rehearse the decision-making around a publication threat.
- Monitor for bulk exfiltration. Alert on large outbound transfers, unusual archive creation (.rar, .zip, .7z) on file servers, and access to sensitive shares like legal or prosecutor folders.
- Segment and restrict access to the crown jewels. High-sensitivity data such as biometrics, SSNs, and passport scans should sit behind tighter access controls and logging than general shares.
- Enforce phishing-resistant MFA and audit remote access. Close exposed RDP and VPN endpoints, and require strong authentication on every external service.
- Treat "proof of deletion" as unverifiable. Assume paying does not guarantee deletion, and factor breach notification and credit-monitoring obligations into any payment decision.
- Disclose accurately. Match public statements to what actually happened; mislabeling data theft as encryption-based ransomware erodes trust and misinforms the community.
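As an added illustration of the monitoring bullet above (not code from the case study, from Union County, or from any vendor), here is a small Python detector run over constructed file-server audit lines: it flags archive creation by accounts outside a backup allowlist, any access under legal or prosecutor shares, bulk outbound volume per host and user, and the combination of all three from a single account. The log format, share paths, service-account name and 5 GiB threshold are assumptions.

```python
import re
from collections import defaultdict

ARCHIVE_EXT = (".rar", ".zip", ".7z")
SENSITIVE_PREFIXES = ("/shares/legal/", "/shares/prosecutor/")
ALLOWED_ARCHIVE_ACCOUNTS = {"svc_backup"}   # assumed backup service account
OUTBOUND_THRESHOLD = 5 * 1024**3            # 5 GiB per host/user per window (assumed)
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (CREATE|READ|OUTBOUND) (\S+) (\d+)$")

# Constructed file-server audit lines: timestamp host user action target bytes
SAMPLE_LOG = [
    "2025-05-03T01:12:04Z fs01 svc_backup CREATE /shares/general/backup-05.zip 0",
    "2025-05-03T01:15:30Z fs01 jdoe CREATE /shares/general/union.rar 0",
    "2025-05-03T01:16:02Z fs01 jdoe READ /shares/prosecutor/case-2024-117.pdf 2400000",
    "2025-05-03T01:20:11Z fs01 jdoe OUTBOUND 203.0.113.5:443 4000000000",
    "2025-05-03T01:41:57Z fs01 jdoe OUTBOUND 203.0.113.5:443 2500000000",
    "2025-05-03T02:00:00Z ws22 asmith READ /shares/general/memo.docx 8000",
]

def parse(line):
    # Returns (ts, host, user, action, target, bytes) or None for lines outside the format
    m = LINE_RE.match(line)
    return (*m.groups()[:5], int(m.group(6))) if m else None

def detect(lines):
    """Return (rule, user, detail) alerts for staging, sensitive access and bulk egress."""
    alerts, outbound = [], defaultdict(int)
    for _ts, host, user, action, target, nbytes in filter(None, map(parse, lines)):
        # Rule 1: archive created on the file server by an account outside the backup allowlist
        if action == "CREATE" and target.lower().endswith(ARCHIVE_EXT) \
                and user not in ALLOWED_ARCHIVE_ACCOUNTS:
            alerts.append(("archive_creation", user, target))
        # Rule 2: any read or write under a high-sensitivity share
        if action in ("READ", "CREATE") and target.startswith(SENSITIVE_PREFIXES):
            alerts.append(("sensitive_share_access", user, target))
        # Rule 3: accumulate outbound bytes per host/user pair, alert once over the threshold
        if action == "OUTBOUND":
            outbound[(host, user)] += nbytes
    for (host, user), total in outbound.items():
        if total > OUTBOUND_THRESHOLD:
            alerts.append(("bulk_outbound", user, f"{host} sent {total} bytes"))
    # Composite: one principal tripping all three rules is the staging-then-exfiltration pattern
    by_user = defaultdict(set)
    for rule, user, _detail in alerts:
        by_user[user].add(rule)
    for user, rules in by_user.items():
        if len(rules) == 3:
            alerts.append(("staging_and_exfil", user, ", ".join(sorted(rules))))
    return alerts
```

In production the per-user byte counter would be keyed to a sliding time window rather than a whole log file, and the allowlist and share list would come from asset inventory rather than constants.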
Sources: US government body paid $1M in data-theft extortion