Union County Clues Point To $1 Million Kairos Data-Extortion Payment
A Ransom-ISAC case study says Kairos took about $1 million after stealing files without encrypting systems. Clues point to Union County, Ohio, but the public record does not confirm the link or prove the data was deleted.

A leaked negotiation record points to a U.S. county government paying about $1 million after attackers stole files rather than encrypting systems, turning the incident into a data-extortion case with no public proof that the files were deleted.
The case study by Rakesh Krishnan for Ransom-ISAC says the group calling itself Kairos demanded payment after taking data and threatening publication.
Krishnan found no sign of a locker, encryptor or decryption-key demand, so the pressure came from the threat of disclosure rather than from disabled machines.
Union County Clues Point To A Public-Sector Victim
Krishnan did not name the victim in the case study.
The disclosed clues pointed to Union County, Ohio, including file names such as Union.xlsx and union.rar, a reference to a small county with limited resources, and a folder marked "prosecutors office".
Union County said in May 2025 that it detected ransomware on its network.
Union County's public notice said the county later notified 45,487 residents and staff that data had been taken, affecting most of the county's population.
The notice said the stolen records included Social Security details, financial information, fingerprints and passport numbers.
Neither the county nor Kairos has confirmed that the case study describes the Union County incident.
If the match is correct, the county paid a seven-figure ransom that was not disclosed in the public incident notice.
The Negotiation Moved From $3 Million To 9.44 Bitcoin
The negotiation ran for about a month, according to the case study.
According to the case study, Kairos opened with a $3 million demand and claimed it held more than 2 terabytes of data across about 1.6 million files.
The case study says the victim started with a $100,000 offer and later raised it, eventually reaching $430,000.
The case study says Kairos lowered its demand to $2 million, then set a final $1 million demand with a Friday deadline and threatened to publish the files if payment was not made by then.
The case study says the victim paid on June 13, 2025.
According to Rakesh Krishnan, the transaction was about 9.44 bitcoin, valued near $1 million when it was sent.
He traced the funds as they split and moved towards deposit addresses tied to Bybit, OKX and a Russian service called BELQI.
Data-Theft Extortion Leaves No Deletion Proof
Kairos sent what was described as a proof-of-deletion file after payment.
The case study says the file list showed that the attacker once possessed the files, not that the original copies had been erased.
For public-sector networks, the payment bought a promise from the attacker, not a verifiable recovery event.
In a classic encryption case, the operational test is whether systems can be decrypted and restored.
In a data-theft case, copies may remain with the attacker or with another party.
Sophos reporting cited in the account said in 2025 that only about half of ransomware attacks still involved encryption, the lowest rate in six years.
The same account compared the Kairos pattern with Silent Ransom Group, a Conti offshoot described as using data-theft extortion against U.S. law and finance firms without an encryptor.
The account said Kairos' leak site is now down, and its last known victim appeared in June 2026.
The case study says one wallet linked to the operation continued moving funds in May 2026.
Available public records did not confirm the Union County link and did not disclose a full copied-file inventory, proof that Kairos deleted the data, named criminal charges, or whether the county recovered the payment.














