A recent case study by Rakesh Krishnan for Ransom-ISAC has revealed that a U.S. government entity paid approximately $1 million to prevent stolen data from being publicly released. This payment was made to a group identifying itself as Kairos, which appears to have employed unique extortion tactics, diverging from traditional ransomware approaches.
The Kairos Extortion Strategy
Unlike conventional ransomware attacks, Kairos did not encrypt any systems or demand a decryption key. Instead, they threatened to release stolen files unless a ransom was paid. The case study suggests that the targeted entity may be Union County, Ohio, as evidenced by file names and chat logs indicating a focus on sensitive files related to the prosecutor’s office.
In May 2025, Union County reported a ransomware incident affecting over 45,000 residents and staff, with data including Social Security and passport numbers compromised. However, neither Kairos nor the county has confirmed the connection to this specific extortion case.
Negotiation Dynamics and Payment
The negotiation between Kairos and the county lasted about a month, starting with Kairos demanding $3 million for over 2 terabytes of data. The county’s initial offer was $100,000, which eventually rose to $1 million, the final sum agreed upon. On June 13, 2025, the payment was made in bitcoin, totaling about 9.44 BTC, which was swiftly transferred through various crypto exchanges.
Despite receiving a “proof of deletion” file from Kairos, the assurance that the data was permanently erased remains questionable. The traces left by the blockchain transaction offer leads for investigators but no concrete evidence of the data’s destruction.
Shifting Ransomware Tactics
This case highlights a broader shift in ransomware tactics, where encryption is increasingly bypassed in favor of data theft and extortion. In 2025, Sophos reported that only half of ransomware incidents involved any encryption. Groups like the Silent Ransom Group have completely abandoned encryption, focusing solely on data theft extortion.
The pattern of negotiations observed in the Kairos case mirrors other incidents, such as the Black Basta negotiations and earlier Conti leaks, showcasing common strategies used in these cybercrime operations.
Lessons and Precautions
For small government networks, the incident underscores the importance of robust cybersecurity measures. Implementing multi-factor authentication, monitoring for unusual login attempts, and securing sensitive data are critical steps. Organizations should also prepare public communication strategies in advance and remain skeptical of any assurances of data deletion following extortion payments.
While Kairos has gone silent, with their last recorded victim in June 2026, their financial activities continue, demonstrating that the absence of a public leak site does not equate to the cessation of operations. This ongoing threat necessitates vigilance and preparedness in the face of evolving cyber extortion tactics.
