Key Takeaways
- A U.S. government entity paid a $1 million Bitcoin ransom to the Kairos extortion group to stop the leak of data stolen in a May 2025 breach.
- Kairos initially demanded $3 million in cryptocurrency but accepted a negotiated settlement of $1 million after a three‑week bargaining period.
- The attackers claimed to have exfiltrated over 2 TB of data (≈1.6 million files) via a brute‑force intrusion into the victim’s network.
- During negotiations, the victim’s offer rose from $100,000 to $430,000 before conceding to the $1 million demand under a hard deadline.
- Ransom‑ISAC classified the incident as a pure extortion attack—no file‑encrypting ransomware was deployed—and noted that the attackers’ proof‑of‑deletion was selective and unverifiable.
- The victim has been identified as a small Ohio county (likely Union County), which later notified 45,487 individuals of the compromised personal data.
- The stolen information encompassed a broad range of sensitive identifiers, including SSNs, driver’s license numbers, medical and financial details, and biometric fingerprint data.
- The case underscores the growing threat of data‑theft extortion targeting under‑resourced governmental bodies and highlights the limitations of relying on attacker‑provided deletion proofs.
Overview of the Ransom Payment and Negotiation Outcome
In May 2025, a U.S. government entity fell victim to a cyber intrusion carried out by the Kairos ransomware‑extortion group. After gaining access, Kairos threatened to publish the stolen data unless a ransom was paid. According to a leaked negotiation transcript obtained by Ransom‑ISAC, the organization ultimately agreed to pay $1 million in Bitcoin on June 13, 2025, to prevent public disclosure. The payment concluded a tense three‑week bargaining process in which the victim attempted to limit its financial exposure while coordinating internal responses.
Details of the Ransom Demand and Settlement Amount
Kairos opened negotiations with a steep demand of $3 million in cryptocurrency, reflecting the perceived value of the exfiltrated dataset. Over the course of the dialogue, the victim incrementally raised its offer from an initial $100,000 to a peak of $430,000. Despite these increases, the attackers held firm, imposing a hard deadline that left the victim with little room to maneuver. Faced with the prospect of imminent data leakage, the entity conceded to the attackers’ lowered but still substantial demand of $1 million, settling the dispute in Bitcoin.
Scope of Stolen Data and Attack Method
The extortion group asserted that it had harvested over 2 terabytes of data, equivalent to roughly 1.6 million files, from the victim’s environment. The intrusion was achieved through a brute‑force attack that compromised authentication mechanisms, allowing Kairos to navigate the network and exfiltrate files undetected. The volume and variety of the stolen material suggested a comprehensive scrape of file servers rather than a targeted theft of specific datasets.
Negotiation Dynamics and Timeline
Throughout the three‑week negotiation window, Kairos employed psychological pressure by threatening imminent public release of the data while simultaneously controlling the timing of communications and providing intermittent proof‑of‑access artifacts. The victim’s strategy appeared to focus on buying time to align legal, leadership, financial, and communications teams—a stance highlighted by Ransom‑ISAC’s observation that the entity’s responses were consistent with an organization coordinating a multi‑faceted internal response under duress.
Ransom‑ISAC Assessment and Nature of the Attack
Ransom‑ISAC characterized the incident as a pure extortion operation, emphasizing that no file‑encrypting ransomware was deployed. Instead, the attackers relied solely on the threat of data exposure to extract payment. The organization noted that while Kairos supplied “proof‑of‑deletion” materials, these were selective and not comprehensive, raising doubts about whether the attackers had truly erased all copies of the stolen information.
Proof of Deletion and Verification Issues
The proof‑of‑deletion artifacts provided by Kairos could have been fabricated by simply deleting a duplicate copy of the data, with no independent mechanism offered for the victim to verify that the original exfiltrated set had been destroyed. Ransom‑ISAC warned that such unverifiable claims are common in extortion schemes, allowing attackers to retain leverage even after a payment is made. This limitation underscores the risk inherent in relying on attacker‑provided assurances when negotiating ransom settlements.
Identification of the Victim and Subsequent Notification
Although Ransom‑ISAC withheld the victim’s name, the negotiation transcript identified the organization as “a small county with very limited resources.” Subsequent investigative reporting linked the description to Union County, Ohio. In September 2025, the county issued a public notice (PDF) informing 45,487 individuals that their personal information had been compromised in the May 2025 ransomware‑related breach. The disclosure fulfilled statutory breach‑notification obligations and aimed to mitigate potential harm to affected residents.
Types of Compromised Personal Information
The breach exposed a wide array of sensitive data fields, including:
- Full names and dates of birth
- Driver’s license or state identification numbers
- Passport numbers
- Social Security numbers
- Financial account details (e.g., bank account and credit‑card numbers)
- Fingerprint biometric data ) information
- Medical information
- Payment card details
This combination of identifiers presents a heightened risk of identity theft, financial fraud, and misuse of biometric data, amplifying the potential harm to the individuals whose data was taken.
Broader Context and Related Incidents
The Union County case appears within a larger trend of cyberattacks targeting governmental and corporate entities exploiting known vulnerabilities in widely used platforms. Shortly after the Union County disclosure, other notable incidents were reported, including a data breach affecting 4.38 million Aflac Japan customers, an Oracle PeopleSoft hack that compromised Nissan employee data, and an intrusion impacting the National Association of Insurance Commissioners (NAIC). These events illustrate how attackers repeatedly leverage similar tactics—credential‑stuffing, brute‑force, and exploitation of legacy systems—to harvest valuable data across sectors.
Conclusion and Implications for Public Sector Cybersecurity
The Union County ransom‑extortion episode serves as a stark reminder that even small, resource‑constrained government bodies are attractive targets for financially motivated cybercriminals. The incident highlights several critical lessons: the necessity of robust authentication defenses to thwart brute‑force incursions; the value of maintaining offline, encrypted backups to reduce reliance on attacker‑provided deletion proofs; and the importance of establishing clear, pre‑negotiated ransom‑response policies that involve legal, financial, and communications stakeholders. As extortion‑only campaigns continue to rise, public‑sector organizations must prioritize proactive threat detection, regular security awareness training, and incident‑response planning to mitigate the likelihood and impact of future breaches.

