title: "Union County, Ohio: Kairos Data Extortion" date: 2026-07-08 slug: us-county-kairos-ransom-payment
Union County, Ohio: Kairos Data Extortion
A U.S. county government paid $1 million to the Kairos cyber extortion group to prevent the public release of sensitive data stolen in a May 2025 breach, according to Ransom-ISAC negotiation transcripts. The attackers opened with a $3 million demand, the county countered with offers climbing from $100,000 to $430,000 over three weeks, and the final Bitcoin payment was made on June 13. Though the victim was not officially named, the transcript's description of "a small county with very limited resources" points to Union County, Ohio, which later notified 45,487 individuals that their personal data had been compromised.
What Happened
Kairos gained access to the county's systems through a brute-force attack and exfiltrated the data without deploying encryption, making this a pure extortion case rather than a conventional ransomware event. The group claimed to have taken more than 2 terabytes of data, roughly 1.6 million files, and leveraged that haul as pressure.
The negotiation ran for three weeks. Kairos managed deadlines aggressively, provided proof of access, and threatened to publish the stolen files if payment was not made. The county incrementally raised its offers before conceding to a hard deadline and finalizing $1 million in Bitcoin on June 13. Ransom-ISAC characterized the county's back-and-forth as typical of an organization stalling for time while it coordinated legal, leadership, and financial responses.
As part of the deal, the extortionists offered evidence of data deletion. That evidence appeared selective rather than comprehensive, and there was no independent verification that any of the stolen data was actually erased.
What Was Taken
The compromised information was highly sensitive and spanned identity, financial, and medical categories. According to the county's September notification to 45,487 affected individuals, the exposed data included:
- Names and dates of birth
- Driver's license numbers
- Social Security numbers
- Financial account details
- Medical information
- Payment card information
At more than 2 terabytes and roughly 1.6 million files, the volume of stolen data gave Kairos substantial leverage, and the breadth of identifiers involved leaves affected residents exposed to identity theft and financial fraud regardless of whether the payment was made.
Why It Matters
Paying $1 million bought the county a promise, not a guarantee. Because Kairos never encrypted anything, the entire incident hinged on the threat of publication, and the "proof of deletion" the group provided was partial and unverifiable. The county has no way to confirm that its residents' Social Security numbers and medical records are truly gone, which means the payment mitigated reputational damage far more than it reduced actual risk to victims.
The case is also a reminder that small local governments are attractive, resource-constrained targets. Attackers know that counties often lack mature security programs and dedicated incident response, and they price their demands to what a strained budget might bear. The reduction from $3 million to $1 million reflects a negotiation dynamic that increasingly resembles a commercial transaction, one where the victim's limited resources become a bargaining chip.
Finally, the shift from encryption-based ransomware to pure data-theft extortion continues to accelerate. Alongside incidents like the Aflac Japan breach and the Oracle PeopleSoft compromise affecting Nissan employees, this case shows attackers concluding that stolen data alone is enough leverage, no malware payload required.
The Attack Technique
Kairos entered the county's environment through a brute-force attack, a technique that succeeds against weak, reused, or default credentials and against externally exposed services that lack rate limiting and multi-factor authentication. Once inside, the group moved to bulk exfiltration, pulling out more than 1.6 million files.
Notably, no file encryption was deployed at any stage. This "steal and extort" model lets attackers operate more quietly, since there is no ransomware detonation to trigger alarms, and it lowers their operational overhead while preserving the extortion leverage that publication of sensitive data provides.
What Organizations Should Do
- Enforce multi-factor authentication on every externally reachable service, especially VPNs, RDP, email, and administrative portals, to blunt brute-force attacks.
- Implement account lockout, rate limiting, and credential monitoring so repeated failed login attempts are detected and blocked before they succeed.
- Deploy egress monitoring and data loss prevention to catch large, anomalous outbound transfers before terabytes leave the network.
- Maintain and regularly test offline, immutable backups so recovery decisions are never driven by an attacker's deadline.
- Classify and segment sensitive data, and minimize retention of Social Security numbers, medical records, and payment card data that does not need to be stored.
- Build an incident response plan that pre-engages legal counsel, leadership, and law enforcement, and treat any attacker "proof of deletion" as unverifiable when weighing a payment.