

On June 13, 2025, a small county government in Ohio transferred approximately 9.44 bitcoin, worth about $1 million at the time, to an extortion group it had been negotiating with for the better part of a month. No files were decrypted as a result. There was nothing to decrypt. The group, which calls itself Kairos, had never encrypted anything. They had stolen files, and they were charging for their silence.
The case was documented in a Ransom-ISAC case study by researcher Rakesh Krishnan, built on a leaked negotiation chat and the blockchain trail the payment left behind. It is one of the cleaner illustrations available of how the economics of ransomware-style extortion have shifted: encryption is no longer required. If the data is sensitive enough, the threat to publish it is sufficient. And the victim pays whether the attacker can decrypt anything or not.
Kairos does not fit the standard profile of a ransomware operation. Most groups in that category rely on an encryptor: software that locks the victim's files behind a key the attacker holds. The victim pays to get the key. The economics depend on the victim needing their data back in working order and being unable to restore it from backup quickly enough.
Kairos skips the encryptor entirely. Krishnan found no evidence that the group has ever deployed one: no locker, no encryptor, no demand for a decryption key. The threat is simpler. Steal the files. Threaten to publish them. Charge for silence. The victim in this case called what happened to them "ransomware," the word most organisations reach for when an attacker takes their data. But the label obscures the mechanism. This was data-theft extortion, and that distinction matters when evaluating response options.
The absence of encryption changes the victim's negotiating position. In a ransomware incident, the victim is negotiating for something the attacker holds: a working decryption key. In a pure extortion case, the victim is paying for a promise that the attacker will not publish files they still hold. The attacker's incentive to honour that promise is reputational. Publishing after payment damages their credibility with future victims. But the victim has no technical means to verify whether the data was deleted, who else in the attacker's network received copies, or whether the attacker will return with the same threat in six months.
Krishnan does not name the victim, but the evidence in the negotiation chat points consistently toward Union County, Ohio. The proof-of-theft files the attacker shared carry file names including Union.xlsx, a document titled "1 union co psi template.doc," and a final archive named union.rar. The victim describes itself in the chat as a small county with limited resources. One folder in the stolen data, marked "prosecutors office," becomes a central lever in the attacker's pressure campaign.
The connection to a real incident is not speculative. In May 2025, Union County, Ohio, publicly disclosed that it had detected what it called ransomware on its network. The county subsequently notified 45,487 residents and staff that their data had been taken. Union County has a population of roughly 70,000. The stolen records included Social Security numbers, financial details, fingerprints, and passport numbers. Neither the county nor Kairos has publicly confirmed the connection to Krishnan's case study, but the details align. The Hacker News contacted the Union County Commissioners' Office for comment.
For the purposes of understanding the attack, the identity of the victim is less important than the profile: a county government, modestly resourced, holding sensitive data on a large population, and not prepared for a threat actor willing to invest a month of negotiation time in extracting maximum payment.
The negotiation ran for approximately four weeks. Its structure follows patterns that specialists in extortion response have documented across many incidents. Kairos opened at $3 million, citing a claimed total of more than 2 terabytes of data, approximately 1.6 million files. The county's opening counter was $100,000.
From there, the negotiation followed an escalating step pattern on the victim's side and a declining but hardening pattern on the attacker's side. The county moved to $255,000, then to $430,000. Kairos dropped from $3 million to $2 million. Then, at what the attacker declared to be a final deadline, they set a number: $1 million, payable by the end of that week, or the files would be published. They reinforced the deadline with a countdown timer and explicit threats to release the prosecutors office folder first, on the grounds that those files could help active criminal suspects avoid charges.
The county paid. The final amount, $1 million, was ten times the opening counter-offer. The negotiation arc is familiar to anyone who works in ransomware response: victims who start low and move in small increments often end up paying close to the attacker's final position, because each concession from the victim signals that more concessions are available. The attacker's willingness to set a hard deadline and name a specific consequence, the release of the most sensitive folder, is a well-documented pressure technique.
The payment of roughly 9.44 bitcoin moved on-chain on June 13, 2025, and Krishnan traced what happened next. Within hours of the payment landing in the Kairos-linked wallet, it was split into two portions and pushed through a chain of intermediate wallets. The final destinations were deposit addresses tied to three services: Bybit, OKX, and a Russian cryptocurrency service called BELQI.
This kind of blockchain tracing is standard practice in ransomware investigations and hands analysts leads, not convictions. Knowing that money ended up at a specific exchange tells investigators which service to subpoena for know-your-customer records. It does not automatically identify the person who created the account. BELQI's inclusion is notable: Russian-linked services appear repeatedly in ransomware payment flows, both because of lighter regulatory pressure on outbound fund transfers and because some operators are based in Russia-proximate jurisdictions where international enforcement cooperation is limited.
The payment bought something in the sense that the files did not appear on a public leak site in the weeks following June 13. It may have bought nothing in a durable sense. Kairos provided a "proof of deletion" document, but a list of file names showing that the attacker once held those files does not confirm that the originals were wiped. Copies could exist elsewhere in the attacker's infrastructure. The victim has no way to know, and the attacker has no independent incentive to delete data that might have future value.
The Kairos case is unusual in degree, not in kind. Sophos reported in 2025 that only approximately half of ransomware-category attacks now involve file encryption. The other half are variations of the Kairos model: data is stolen, publication is threatened, payment is demanded. The industry term for this is data-theft extortion or, in cases where a ransomware group conducts it alongside encryption, double extortion. When there is no encryption at all, "ransomware" is a misnomer, but the threat actors still benefit from the label because victims and insurers understand it and treat it with appropriate urgency.
The structural reason for the shift is straightforward. Deploying an encryptor requires the attacker to obtain administrative access across the victim's network, typically by moving laterally from an initial foothold. That movement generates logs, triggers endpoint detection, and gives the defender windows to interrupt the attack. Exfiltrating data requires the same initial access but far less lateral movement. In many cases, an attacker can reach a file share or a database backup location from a single compromised endpoint. The threat surface for data-theft is smaller, and the attack leaves fewer traces.
For victims, the practical implication is that backup and recovery strategies, which are the primary technical defence against file-encrypting ransomware, provide no protection against data-theft extortion. An organisation that can restore all its systems from clean backups within 24 hours is still exposed to the threat of having its data published. The defences against the two threats overlap but are not identical.
Government entities present a specific problem profile in data-theft extortion. Their data tends to be highly sensitive: voter records, court documents, tax data, fingerprint databases, information on vulnerable populations. The threat to publish is credible because the data is genuinely damaging and the victims of the breach, residents and staff, are third parties who did not choose to negotiate. This creates reputational and legal pressure on the entity that is separate from the operational disruption of a system outage.
Union County's disclosure that 45,487 individuals had their data taken, including fingerprints and passport numbers, is exactly the kind of notification that makes future extortion threats credible. An attacker who can demonstrate they hold biometric data on tens of thousands of people is not bluffing about the harm of publication. Paying may delay that harm. It does not prevent it, because the deletion promise is unverifiable.
The practical response for government security teams is to focus defences on the exfiltration point. Data-theft extortion requires the attacker to move a significant volume of files, 2 terabytes in the Kairos case, to an external location. That volume of outbound transfer on a county government network should trigger an alert. It may not trigger one if the data movement is spread over time or disguised as routine backup traffic, but organisations with network monitoring that inspects outbound flows have a detection opportunity that those without do not.
Segmenting sensitive data repositories, particularly prosecutors office files and biometric databases, limits the volume an attacker can reach from a single compromised position. The most sensitive data in the Kairos case was held in a single folder location that the attacker could reach and threaten to release as a unit. Distributing sensitive data across well-segmented systems, with different access controls for each, increases the cost of bulk exfiltration and reduces the attacker's ability to make a single targeted threat about the most damaging material.
Payment decisions in public-sector incidents involve legal and political considerations that private-sector victims do not face in the same way. The Kairos payment appears to have never been publicly disclosed by Union County, which raises questions about the obligations governments have to inform the public when they pay for their data's silence. This is an open policy question in most jurisdictions, but it points toward the need for clearer frameworks around when and how public entities are required to report extortion payments alongside data-breach notifications.
One of the most consequential aspects of the Kairos case is what the payment bought. After the transfer of 9.44 bitcoin on June 13, 2025, Kairos sent a "proof of deletion" file. This is standard practice in extortion cases where the threat is data publication rather than system disruption. The file is essentially a list of file names or paths that confirms the attacker once held specific files. It does not, and cannot, confirm that those files have been deleted.
There is no cryptographic proof of deletion. Proving that data no longer exists in a computer system is an unsolved problem in information security. Any document purporting to be proof of deletion is authored by the same party who made the threat, using whatever format they choose, verified by no independent third party. The victim cannot audit the attacker's infrastructure. They cannot confirm that copies were not made before deletion, shared with associates, or retained for future use. They are paying for a promise, and the receipt is written by the extortionist.
This problem is structural, not specific to Kairos. Every extortion payment made in exchange for data non-publication faces the same epistemic limit. Law enforcement agencies and incident response specialists consistently advise that paying does not guarantee data deletion, and empirical evidence from cases where payments were traced confirms that re-extortion from the same data occurs. A victim who pays once is identified as willing to pay, which makes them a more attractive target for a second demand, whether from the same group or from a buyer of the initial intelligence about the victim's willingness to negotiate.
The Kairos case raises questions about disclosure obligations that apply specifically to public entities. Union County, if it is the victim in question, publicly disclosed in May 2025 that it had detected what it called ransomware and that data had been taken. The subsequent payment of $1 million in June 2025 was apparently not publicly disclosed. For a private company, non-disclosure of an extortion payment is a business decision with potential insurance implications. For a county government, the question of whether an extortion payment from public funds requires public disclosure is a governance question that most jurisdictions have not yet answered clearly.
Cyber extortion payments occupy a grey area in many legal frameworks. Ransomware payments to entities on OFAC's Specially Designated Nationals list are prohibited in the United States, but Kairos is not currently on that list. Beyond OFAC compliance, there are no broadly applicable legal requirements in the United States for private or public entities to disclose extortion payments, as distinct from the breach notification requirements that apply to the data theft itself. The gap between "we were breached and data was taken" (disclosed) and "we paid $1 million to the group that took the data" (not disclosed) reflects this regulatory vacuum.
For insurers, extortion payments are a significant claims category. Many cyber insurance policies cover extortion payments as a named peril, but coverage terms vary on conditions including whether the payment was made before or after notifying the insurer, whether the insurer pre-approved the payment amount, and whether payment was made to a prohibited entity. Organisations negotiating with extortionists while simultaneously managing their insurance relationship face a complex set of concurrent obligations. The Kairos negotiation ran for four weeks. Four weeks of negotiation while managing communications with an insurer, a legal team, a public affairs function, and an IT incident response team simultaneously is a challenge that most county governments are not staffed to handle well.
The Kairos case offers enough detail to identify the moments in the negotiation where different decisions might have produced different outcomes. That detail makes it useful as a planning reference for organisations developing a data-theft extortion response capability.
The pre-incident controls that reduce exposure to this class of attack start with data classification and segmentation. The most potent threat Kairos held was the prosecutors office folder, a single categorised archive of highly sensitive files that the attacker could credibly threaten to release first. That threat exists because sensitive data was accessible from a compromised position and identifiable as sensitive. An organisation where the most sensitive data requires additional authentication, lives in a separately monitored repository, and cannot be bulk-exfiltrated without triggering an alert is not invulnerable to data theft, but it reduces the attacker's ability to construct a targeted threat around the most damaging material.
During an incident, the negotiation posture matters. The Union County negotiation pattern, starting at a low counter-offer and making incremental concessions, is a pattern that extortion specialists advise against precisely because it signals that the victim is willing to increase their offer. A more effective pattern, when negotiation is the chosen response, is to move more slowly and make each concession contingent on specific attacker actions, such as providing additional proof of the data held or demonstrating good faith through partial deletion of lower-sensitivity material. This approach does not guarantee a better outcome, but it slows the attacker's timeline and creates more opportunities for parallel response work including law enforcement notification and forensic investigation.
Post-incident, the two most consequential actions are engaging a specialist incident response firm with extortion negotiation experience and notifying law enforcement. FBI's Internet Crime Complaint Center and CISA both accept reports of cyber extortion incidents, and law enforcement notification does not foreclose the option of paying. It does create a record that may be useful for subsequent investigations and provides access to intelligence about the specific group that the organisation does not have independently.
The Kairos case will not be the last instance of a public entity paying millions to keep stolen data from publication. The shift away from file-encrypting ransomware toward pure data extortion makes the underlying threat more persistent: the attacker's power exists as long as the data exists and the victim does not want it published. Organisations that have experienced a breach, disclosed it, and notified affected individuals still face this threat from the data that was taken. Treating the notification letter as the end of the incident is a planning error that the Kairos case makes very clear.
Attackers who steal credentials, authentication tokens, or employee data do not sit on that material for long. They sell it, use it themselves, or both. Defendis monitors the underground markets, leak sites, and closed communities where that data surfaces, giving security teams advance warning before stolen access becomes a compromised account. If credentials belonging to your organisation appear after a browser-based theft, an OAuth token heist, or a phishing campaign, Defendis surfaces the exposure so your team can act before the attacker does. Learn how early detection changes incident outcomes or request a tailored briefing for your organisation.