A U.S. county government reportedly disbursed $1 million to the Kairos cyber extortion group to avert the public release of sensitive data stolen during a breach in May 2025, according to Ransom-ISAC.
Details of the Cyber Extortion
Negotiation transcripts reveal that the hackers initially demanded $3 million in cryptocurrency from the targeted entity. However, after discussions, they accepted a reduced amount of $1 million. The Kairos group claimed to have exfiltrated over 2 terabytes of data, equivalent to roughly 1.6 million files, following a brute-force attack on the county’s systems.
The negotiation process spanned three weeks, during which the county incrementally raised its offer from $100,000 to $430,000. Eventually, they conceded to a hard deadline, finalizing the $1 million payment in Bitcoin on June 13.
Impact and Response
The cyber attackers applied pressure by threatening to release the data publicly, while simultaneously managing deadlines and providing proof of their access. Ransom-ISAC commented that the county’s responses were typical of an organization attempting to buy time while coordinating legal, leadership, and financial strategies.
This incident was classified as an extortion attack rather than a typical ransomware scenario, as no file encryption was involved. The extortionists offered evidence of data deletion, which appeared selective and not comprehensive. Furthermore, there was no independent verification of the data erasure.
Identification and Notification
Though Ransom-ISAC did not disclose the identity of the impacted organization, the negotiation transcript identified it as “a small county with very limited resources.” The entity in question is believed to be Union County, Ohio. In September, the county informed 45,487 individuals that their personal data had been compromised during the May 2025 attack.
The compromised information included personal identifiers such as names, dates of birth, driver’s license numbers, Social Security numbers, financial account details, as well as medical and payment card information. SecurityWeek reached out to Union County for a comment but awaits a response.
Related incidents, such as the Aflac Japan data breach and the Oracle PeopleSoft hack impacting Nissan employees, highlight the growing threat of cyber extortion.
