
TL;DR
A US government agency paid the Kairos extortion group nearly $1 million to keep stolen files from being published, according to a Ransom-ISAC case study based on leaked negotiation chats and blockchain analysis. Clues point to Union County, Ohio, although neither party has confirmed this. The case shows how much of today's ransomware involves no encryption at all.
A US government agency has paid nearly $1 million to prevent the publication of stolen files, according to a case study by Rakesh Krishnan, a researcher at Ransom-ISAC. The analysis is based on a leaked negotiation chat and on blockchain tracing of the payment trail.
The group behind the deal calls itself Kairos, but it may not be a ransomware gang in any traditional sense. According to Krishnan, there was no encryptor, no locker and no decryption key on offer: just the stolen files and a price for keeping them private.
The study does not name the victim, but filenames in the breach evidence samples, including an archive named union.rar, point to Union County, Ohio. Neither the county nor Kairos has confirmed the connection, and The Hacker News said it has reached out to the county for comment.
The clues line up with a real incident. In May 2025, Union County discovered ransomware on its network and later notified 45,487 people that their information had been obtained, including Social Security numbers, fingerprints and passport details.
If the identification is correct, a county of about 70,000 residents made a $1 million payment that was never disclosed publicly. According to the report, the attacker leaned most heavily on a folder labelled "prosecution" and warned that a leak would help criminals avoid charges.
Anatomy of a $1 million deal
According to the samples, the negotiations lasted about a month. Kairos opened at $3 million and claimed to hold more than 2 TB of data across roughly 1.6 million files.
The county reportedly countered with $100,000 and went up to $430,000, while Kairos dropped to $2 million before fixing $1 million as its final figure. The victim paid ten times its opening bid on June 13, 2025.
The payment of about 9.44 bitcoin was worth roughly $1 million at that week's market prices. Within hours it was reportedly split and moved through a chain of wallets to deposits at Bybit, OKX and BELQI, echoing earlier ransomware laundering through WEX and BTC-e.
This kind of tracing gives investigators more to work with than personas. Criminal gangs have spent years refining how they launder cryptocurrency through mules, mixers and loosely regulated exchanges.
What the money buys is another question. Kairos handed over a "proof of deletion" file, but a list of file names only proves that the attacker held the data at some point, and promises to delete stolen data have been broken before.
Ransomware without ransomware
Union County described the incident as ransomware, but nothing was encrypted in the Kairos case. A growing share of attacks that still carry that label now skip the locker altogether and use the stolen data itself as the pressure point, a playbook that recent extortion breaches have also applied to the private sector.
Sophos reported in 2025 that only half of ransomware attacks involved encryption, down from 70% a year earlier and the lowest share in six years. Silent Ransom Group, an offshoot of the Conti ecosystem, has spent years running encryption-free extortion against US law firms, drawing repeated FBI warnings.
The deal arc is also familiar. In Black Basta's internal chats, which leaked in February 2025, one deal went from a $1.5 million ask to a $100,000 counter and a $1 million payout, almost the same curve.
Kairos itself has gone quiet, with its leak site offline and its last known victim posted in June 2026. The associated wallet was reportedly still moving funds in May, so a dark leak site should not be read as a retired crew.
Unusual lessons
The takeaways for small government networks are deliberately boring. Kairos claimed to have gotten in by guessing a password, so multi-factor authentication and alerting on repeated failed logins would have raised the cost of entry considerably.
Defenders should also watch outbound transfers and file-sharing links, such as the temp.sh addresses the attacker used, and keep legal and civil records segmented from the wider network. Above all, ask what a receipt for deleted data, written by the thief, is really worth.
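The two controls above, alerting on repeated failed logins and watching uploads to ad-hoc file-sharing hosts, can be run as simple detections over existing logs. The following is an added example, not code from the article or from Ransom-ISAC: it parses constructed sshd-style auth lines and constructed proxy lines, flags a source IP that fails repeatedly inside a short window (and a later success from that same IP, the "guessed password" case), and totals bytes sent to temp.sh, the only real hostname here. All IPs, usernames, hosts other than temp.sh, timestamps and byte counts are made up, and the thresholds are assumptions to tune per environment.

```python
"""Added example: detections for brute-force logins and bulk egress to
ad-hoc file-sharing hosts, run over constructed sample logs."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed auth log in sshd-style format (not real data).
AUTH_LOG = """\
2025-05-02T01:10:01 sshd Failed password for admin from 203.0.113.7
2025-05-02T01:10:04 sshd Failed password for admin from 203.0.113.7
2025-05-02T01:10:09 sshd Failed password for clerk from 203.0.113.7
2025-05-02T01:10:15 sshd Failed password for admin from 203.0.113.7
2025-05-02T01:10:22 sshd Failed password for root from 203.0.113.7
2025-05-02T01:11:03 sshd Accepted password for admin from 203.0.113.7
2025-05-02T08:30:00 sshd Failed password for jdoe from 192.0.2.10
2025-05-02T09:45:00 sshd Accepted password for jdoe from 192.0.2.10
"""

# Constructed egress log: timestamp, source host, destination host, bytes sent.
PROXY_LOG = """\
2025-05-02T02:05:11 fileserver01 temp.sh 734003200
2025-05-02T02:07:40 fileserver01 temp.sh 812345678
2025-05-02T09:00:00 workstation7 www.example.gov 1200
"""

AUTH_RE = re.compile(
    r"^(?P<ts>\S+) sshd (?P<result>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<ip>\S+)$"
)
# temp.sh comes from the article; extend this set with other upload services.
FILE_SHARE_HOSTS = {"temp.sh"}


def detect_bruteforce(log, threshold=4, window=timedelta(minutes=5)):
    """Alert on source IPs with >= threshold failures inside `window`, and
    separately when a success follows from an IP already flagged."""
    failures = defaultdict(deque)  # ip -> timestamps of recent failures
    flagged = set()
    alerts = []
    for line in log.splitlines():
        m = AUTH_RE.match(line)
        if not m:
            continue
        ts, ip, user = datetime.fromisoformat(m["ts"]), m["ip"], m["user"]
        q = failures[ip]
        if m["result"] == "Failed":
            q.append(ts)
            while q and ts - q[0] > window:  # drop failures outside the window
                q.popleft()
            if len(q) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append(("bruteforce", ip, f"{len(q)} failures within {window}"))
        elif ip in flagged:
            alerts.append(("success_after_bruteforce", ip, f"login as {user}"))
    return alerts


def detect_file_share_egress(log, min_bytes=100 * 1024 * 1024):
    """Total bytes sent per (source, destination) to file-sharing hosts and
    return the pairs that exceed `min_bytes` (assumed 100 MiB)."""
    totals = defaultdict(int)
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        _, src, dst, nbytes = parts
        if dst in FILE_SHARE_HOSTS:
            totals[(src, dst)] += int(nbytes)
    return [(src, dst, b) for (src, dst), b in totals.items() if b >= min_bytes]


if __name__ == "__main__":
    for alert in detect_bruteforce(AUTH_LOG):
        print("AUTH", *alert)
    for hit in detect_file_share_egress(PROXY_LOG):
        print("EGRESS", *hit)
```

The brute-force rule fires once per IP when the sliding window fills, and the "success after burst" rule is the higher-value signal because it is the moment a guessed password actually worked. The egress rule aggregates rather than alerting per request, since bulk exfiltration to a sharing service tends to show up as many medium-sized uploads rather than one large one.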