A U.S. government entity reportedly paid approximately $1 million to a cybercriminal group named Kairos to prevent the leak of stolen data. This revelation comes from a new Ransom-ISAC case study analyzing leaked negotiation transcripts and blockchain transaction data. The group, Kairos, allegedly operated as a data extortionist rather than a traditional ransomware gang, as no evidence of data encryption or locking of systems was found.
The unearthed details suggest the victim could be Union County, Ohio. Proof-of-theft files discovered during the investigation contained file names such as “Union.xlsx” and “1 union co psi template.doc,” indicating a connection to the county. The attackers emphasized the sensitivity of data held within a “prosecutors office” folder, warning of its potential to aid criminals in evading legal consequences. These findings align with a reported cybersecurity incident in May 2025, where Union County acknowledged a network intrusion and subsequent data theft affecting a significant portion of its residents and staff, with compromised records including Social Security numbers, financial details, fingerprints, and passport information.
The Evolving Landscape of Data Extortion
The case study highlights a significant shift in cybercriminal tactics, where the threat of data leakage has become a primary extortion tool, often bypassing the use of encryption altogether. This trend is supported by recent industry reports, which indicate a decline in ransomware attacks involving encryption. For instance, Sophos reported in 2025 that encryption was present in only about half of ransomware attacks, a six-year low. Some cybercriminal groups have ceased employing encryption entirely, focusing instead on the exfiltration and subsequent threat of leaking sensitive information.
Groups like Silent Ransom Group, an offshoot of the notorious Conti syndicate, have reportedly conducted successful data theft and extortion operations against U.S. financial and legal firms without deploying any encryptors. This strategic shift makes it more challenging for victims to recover compromised data, as the primary threat is not system inaccessibility but the irreversible public disclosure of sensitive information.
Negotiations and Payment Trails
The leaked chat logs reveal a protracted negotiation between Kairos and the unnamed government entity, spanning roughly a month. Kairos initially demanded $3 million, claiming to possess over two terabytes of data, encompassing approximately 1.6 million files. The victim’s counteroffers began at $100,000, gradually increasing to $255,000 and then $430,000. Kairos eventually reduced its demand to $2 million before setting a firm deadline of $1 million, payable by a specific Friday, to prevent the public release of the stolen data.
The government entity ultimately complied with the demand, making a payment of approximately 9.44 bitcoin, valued at about $1 million at the time, on June 13, 2025. The blockchain trail indicates that the funds were quickly split and moved through multiple wallets, with deposit addresses linked to cryptocurrency exchanges such as Bybit, OKX, and a Russian service named BELQI. While this tracing provides leads for investigators, it does not guarantee the secure deletion of the exfiltrated data.
Following the payment, Kairos provided a “proof of deletion” file. However, the case study notes that a list of file names merely confirms the attacker’s access to the data, not its actual destruction. This underscores the inherent risk in paying extortion demands for data deletion, as victims are left with the thief’s word as their only receipt.
Implications for Government Entities
The alleged incident involving Union County, Ohio, if confirmed, points to a substantial, undisclosed payment made by a local government organization with limited resources. The county’s public statements at the time described the incident as ransomware, a common designation even when encryption is not involved. The core threat in such attacks is the exploitation of stolen data itself.
The negotiation patterns observed in the Kairos incident bear striking similarities to those seen in previous data breach cases. An analysis of leaked internal chats from the Black Basta ransomware group in February 2025 revealed a similar negotiation arc, starting with a $1.5 million demand, a $100,000 counteroffer, and an eventual payment of $1 million. These leaks, along with earlier disclosures from Conti in 2022, provide researchers with valuable insights into the methods and strategies employed by these criminal organizations.
While Kairos appears to have recently gone silent, with its last known victim appearing in June 2026, a wallet associated with the operation was still active as of May 2026. This serves as a reminder that the dormancy of a leak site does not necessarily signify the cessation of a criminal group’s activities.
Key Takeaways and Future Outlook
For smaller government entities managing public networks, the lessons learned from this cybersecurity incident are critically important. Experts emphasize the necessity of implementing robust security measures, such as multi-factor authentication, which Kairos reportedly bypassed by guessing a password. Vigilance against suspicious activities like repeated failed login attempts, unusually large outbound data transfers, and the use of temporary file-sharing services (like the temp.sh links employed by Kairos) is crucial.
Additionally, segregating sensitive data, including legal, HR, and citizen records, from the main network can limit the impact of a breach. Having a pre-defined public statement plan is also advisable to manage communications effectively during a crisis. Most importantly, any promise from attackers regarding the deletion of stolen data should be treated with extreme skepticism and not relied upon as a guarantee of security.

