The article is written to /Users/openclaw/us-local-government-kairos-ransomware.md. Here is the full brief and tweet:
title: "Union County, Ohio: Kairos Encryption-Less Data Extortion" date: 2026-07-06 slug: us-local-government-kairos-ransomware
Union County, Ohio: Kairos Encryption-Less Data Extortion
A U.S. local government body paid roughly $1 million in bitcoin to the extortion group Kairos to stop the publication of stolen data, in an attack where no files were ever encrypted and no systems went down. The incident was reconstructed by Rakesh Krishnan for Ransom-ISAC from a leaked negotiation chat and the on-chain bitcoin trail. The victim has not been officially named, though reporting points to Union County, Ohio, a county of around 70,000 residents. The haul: 1,602,775 files, roughly 2 terabytes, exposing the personal data of 45,487 people.
What Happened
Kairos gained access to the network in early May 2025 and spent roughly two weeks copying out material before making any demands. Critically, the group never deployed an encryptor. Krishnan's report found no locker binary and no ransom note demanding a decryption key. This is extortion by data theft alone: steal the files, list the victim on a leak site, and threaten to publish unless paid.
After the county was listed, negotiations ran for weeks. Kairos opened at $3 million. The county countered at $100,000, then raised to $255,000 and $430,000 as a Friday deadline approached. The two sides settled at $1 million, paid on 13 June 2025 in 9.44 bitcoin. The funds fragmented almost immediately: about 6.6 bitcoin moved toward a Bybit deposit address within three days, with the remainder layered through multiple wallets landing at OKX and a Russian exchange called BELQI, a standard cash-out pattern designed to frustrate tracing.
After payment, Kairos sent what it called proof of deletion: a 238 MB text file listing filenames. It contained no cryptographic hash and no video evidence. No one could independently confirm that a single byte was actually destroyed rather than quietly archived.
What Was Taken
The exfiltrated dataset totaled 1,602,775 files and approximately 2 terabytes. It included highly sensitive personal identifiers for 45,487 individuals: social security numbers, financial records, fingerprints, and passport data. Because the data belongs to a government body serving residents, much of it is impossible to reissue or rotate. A stolen fingerprint or biometric record cannot be changed like a password, meaning the exposure carries permanent risk for affected residents regardless of any deletion promise.
Why It Matters
This case dismantles the assumption that ransomware is fundamentally an availability problem solved by good backups. Kairos never touched availability. Staff could log in the next morning as normal. The leverage was purely the threat of publication, which means traditional recovery playbooks, offline backups, restore drills, and encryption-focused detection offer no protection against this model.
It also underscores the emptiness of paying for a promise. The county spent $1 million and received a filename list with no verifiable evidence of destruction. Paying does not buy certainty; it buys a criminal group's word. For public sector defenders holding irreplaceable biometric and identity data, that is a poor trade, and the 45,487 residents remain exposed no matter what the negotiation transcript says.
The Attack Technique
The likely entry route was a brute-force attack against exposed credentials rather than exploitation of a software vulnerability. Once inside, Kairos operated quietly for roughly two weeks, staging and exfiltrating over 1.6 million files without triggering the disruption that an encryption event would have caused. The absence of a noisy locker payload is exactly what allowed the theft to proceed undetected until the victim was already listed on the leak site. Kairos has run this playbook since November 2024 and has listed 88 victims to date, marking it as an established, repeat operation rather than an opportunistic one-off.
What Organizations Should Do
- Eliminate exposed credentials on internet-facing services: enforce phishing-resistant MFA, disable or lock out brute-force attempts, and audit for accounts reachable from the public internet.
- Deploy data-loss and egress monitoring: encryption-less theft is only detectable by watching for large or anomalous outbound data transfers, not by watching for file-encryption behavior.
- Instrument detection for slow exfiltration: alert on bulk file access and staging activity over multi-day windows, since Kairos operated for roughly two weeks before making demands.
- Minimize and segment sensitive data stores: isolate biometric, SSN, and passport records so a single compromised credential cannot reach 1.6 million files.
- Build an extortion-specific incident response plan: recovery from backups does nothing against a publication threat, so pre-decide legal, regulatory, and notification steps before an incident.
- Treat any "proof of deletion" as unverifiable: assume stolen data persists, and prioritize breach notification and identity protection for affected individuals over trusting attacker promises.