SYS::ONLINE
Wasteland.
Briefs1110
Issues18
SinceFeb 2026
LIVE
█ Ransomware US-LOCAL-GOVERNMEN 2026-07-06

Union County, Ohio: Kairos Encryption-Less Data Extortion

"The article is written to `/Users/openclaw/us-local-government-kairos-ransomware.md`. Here is the full brief and tweet:"

The article is written to /Users/openclaw/us-local-government-kairos-ransomware.md. Here is the full brief and tweet:


title: "Union County, Ohio: Kairos Encryption-Less Data Extortion" date: 2026-07-06 slug: us-local-government-kairos-ransomware


Union County, Ohio: Kairos Encryption-Less Data Extortion

A U.S. local government body paid roughly $1 million in bitcoin to the extortion group Kairos to stop the publication of stolen data, in an attack where no files were ever encrypted and no systems went down. The incident was reconstructed by Rakesh Krishnan for Ransom-ISAC from a leaked negotiation chat and the on-chain bitcoin trail. The victim has not been officially named, though reporting points to Union County, Ohio, a county of around 70,000 residents. The haul: 1,602,775 files, roughly 2 terabytes, exposing the personal data of 45,487 people.

What Happened

Kairos gained access to the network in early May 2025 and spent roughly two weeks copying out material before making any demands. Critically, the group never deployed an encryptor. Krishnan's report found no locker binary and no ransom note demanding a decryption key. This is extortion by data theft alone: steal the files, list the victim on a leak site, and threaten to publish unless paid.

After the county was listed, negotiations ran for weeks. Kairos opened at $3 million. The county countered at $100,000, then raised to $255,000 and $430,000 as a Friday deadline approached. The two sides settled at $1 million, paid on 13 June 2025 in 9.44 bitcoin. The funds fragmented almost immediately: about 6.6 bitcoin moved toward a Bybit deposit address within three days, with the remainder layered through multiple wallets landing at OKX and a Russian exchange called BELQI, a standard cash-out pattern designed to frustrate tracing.

After payment, Kairos sent what it called proof of deletion: a 238 MB text file listing filenames. It contained no cryptographic hash and no video evidence. No one could independently confirm that a single byte was actually destroyed rather than quietly archived.

What Was Taken

The exfiltrated dataset totaled 1,602,775 files and approximately 2 terabytes. It included highly sensitive personal identifiers for 45,487 individuals: social security numbers, financial records, fingerprints, and passport data. Because the data belongs to a government body serving residents, much of it is impossible to reissue or rotate. A stolen fingerprint or biometric record cannot be changed like a password, meaning the exposure carries permanent risk for affected residents regardless of any deletion promise.

Why It Matters

This case dismantles the assumption that ransomware is fundamentally an availability problem solved by good backups. Kairos never touched availability. Staff could log in the next morning as normal. The leverage was purely the threat of publication, which means traditional recovery playbooks, offline backups, restore drills, and encryption-focused detection offer no protection against this model.

It also underscores the emptiness of paying for a promise. The county spent $1 million and received a filename list with no verifiable evidence of destruction. Paying does not buy certainty; it buys a criminal group's word. For public sector defenders holding irreplaceable biometric and identity data, that is a poor trade, and the 45,487 residents remain exposed no matter what the negotiation transcript says.

The Attack Technique

The likely entry route was a brute-force attack against exposed credentials rather than exploitation of a software vulnerability. Once inside, Kairos operated quietly for roughly two weeks, staging and exfiltrating over 1.6 million files without triggering the disruption that an encryption event would have caused. The absence of a noisy locker payload is exactly what allowed the theft to proceed undetected until the victim was already listed on the leak site. Kairos has run this playbook since November 2024 and has listed 88 victims to date, marking it as an established, repeat operation rather than an opportunistic one-off.

What Organizations Should Do

Sources: Ransomware Without Encryption: $1m US Gov Payout