U.S. County Pays $1M to Prevent Data Leak in Extortion Case

A U.S. government entity recently paid approximately $1 million to prevent the public release of stolen files, according to a case study by Rakesh Krishnan for Ransom-ISAC. The study, based on leaked negotiation chats and blockchain analysis, suggests that the entity involved is Union County, Ohio.

The extortion group, identifying itself as Kairos, did not deploy traditional ransomware tactics such as encrypting systems. Instead, it focused solely on data theft, threatening to publish sensitive information unless a ransom was paid. This approach reflects a growing trend in which cybercriminals skip encryption entirely and use the stolen data itself as the primary means of extortion.

In May 2025, Union County reported detecting ransomware on its network and subsequently notified 45,487 residents and staff about the data breach. The compromised data included Social Security numbers, financial details, fingerprints, and passport numbers. While the county has not confirmed the connection to the Kairos group, the details align closely with the reported incident.

Negotiations between the county and Kairos spanned approximately a month. Kairos initially demanded $3 million, claiming possession of over 2 terabytes of data comprising around 1.6 million files. The county’s counteroffers began at $100,000, eventually increasing to $430,000. Kairos reduced their demand to $2 million before settling on a final ultimatum: $1 million to be paid by a specified Friday, or the data would be released publicly.

The county complied, transferring approximately 9.44 bitcoin (valued at about $1 million at the time) to Kairos on June 13, 2025. Blockchain analysis traced the funds as they were split and funneled through various wallets, eventually reaching deposit addresses associated with cryptocurrency exchanges Bybit, OKX, and the Russian service BELQI.

Following the payment, Kairos provided a “proof of deletion” file. However, this document merely listed filenames, offering no concrete evidence that the stolen data had been erased. This highlights the inherent risk in such transactions: victims must trust the word of the extortionists without verifiable proof of data deletion.

This incident reflects a broader shift in cyber extortion tactics. Traditional ransomware attacks, which involve encrypting a victim’s data and demanding payment for decryption keys, are becoming less common. Instead, cybercriminals are increasingly focusing on data theft and the threat of public exposure to coerce payments. A 2025 report by Sophos indicated that only about half of ransomware attacks still involved data encryption, marking the lowest rate in six years. Groups like the Silent Ransom Group, a Conti offshoot, have been conducting pure data-theft extortion campaigns against U.S. law and finance firms without deploying encryption tools.

The Kairos case underscores the evolving nature of cyber threats and the challenges organizations face in protecting sensitive information. As cybercriminals adapt their methods, entities must enhance their cybersecurity measures and develop comprehensive response strategies to mitigate the risks associated with data breaches and extortion attempts.