
The autopsy of a secret million dollar county ransom payment

An autopsy of the $1 million secret payment by a U.S. county to the Kairos group, exploring the shift from encryption to pure data-theft extortion.

I spent a quiet Tuesday evening reviewing a series of leaked negotiation logs provided by a source through a secure Signal channel. There is a specific kind of dread in watching a public official realize their annual budget is about to vanish into a decentralized crypto wallet. The logs, analyzed by Rakesh Krishnan for Ransom-ISAC, detail a month of high-stakes bargaining between a group calling itself Kairos and a U.S. government entity that appears to be Union County, Ohio. The final price for silence was approximately $1 million.

The breach follows a methodical chain of events that started with a simple failure. The attacker claims they entered the network by guessing a password. There was no zero-day exploit and no complex social engineering. Once inside, the intruder bypassed traditional defenses because they were not looking to break things. They wanted to take things. From a risk perspective, this incident marks a shift in how modern extortionists operate. They have realized that the effort required to encrypt a whole network is often unnecessary. Stolen data is a toxic asset, and the threat of its release provides all the leverage a criminal needs.

The paper trail of a quiet surrender

The transaction occurred on June 13, 2025. A payment of 9.44 bitcoin moved from the victim to a wallet controlled by Kairos. At the time, this amount was worth roughly $1 million. While the county publicly acknowledged a ransomware attack in May 2025, the specifics of this massive payment remained hidden until researchers reconstructed the timeline from leaked chats and blockchain records. The victim in the chat described itself as a small county with limited resources, a description that matches the profile of Union County, which serves about 70,000 residents.

The data at stake was immense. Kairos claimed to possess more than 2 terabytes of information, including 1.6 million individual files. Among these were documents from the local prosecutor’s office. The attacker understood the value of this specific folder. They warned the victim that leaking these records would provide criminals with the information needed to evade charges. Behind the scenes, the pressure worked. The county started its negotiation at $100,000 and eventually increased its offer to ten times that amount to prevent a public data dump.

The anatomy of a pure extortion play

Kairos is part of a growing trend of threat actors who have abandoned encryption entirely. In a traditional ransomware attack, the criminal locks the victim’s files and sells the decryption key. Kairos skipped that step. They functioned more like a digital burglar who steals the family jewels and then offers to sell them back to the owner for a fee. The victim’s systems remained operational, but their reputation and the privacy of 45,487 residents were in jeopardy.

Sophos reported in 2025 that only about half of ransomware attacks still involve encryption. This is the lowest rate in six years. Groups like Silent Ransom Group and Kairos have realized that data theft extortion is quieter and often harder to detect than a loud, network-wide encryption event. By design, these attacks stay under the radar of many traditional antivirus tools that look for the rapid file modification signatures of an encryptor. Consequently, a thief can sit on a network for weeks, slowly exfiltrating data through burner file-sharing links like temp.sh, without triggering a single alarm.

Follow the money to the exchanges

Once the 9.44 bitcoin hit the Kairos wallet, the laundering process began immediately. I have spent years tracking malicious actors across the blockchain, and the path this money took is a familiar one. Within hours of the payment, the funds were split across multiple new addresses. This is a common tactic to obscure the origin of the coins before they reach an exit point. The money eventually flowed toward deposit addresses at Bybit and OKX, along with a Russian service called BELQI.

These crypto exchanges are the final destination where digital assets become spendable cash. While the blockchain provides a public ledger of every move, these exchanges often serve as a fog of war for investigators. Unless the exchange complies with international subpoenas, the trail often goes cold at the deposit address. The use of BELQI is particularly telling. It suggests a comfort level with the Russian financial ecosystem, which remains a frequent haven for extortionists who operate outside the reach of Western law enforcement.
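As an added illustration of the forward trace described above (this is not the researchers' tooling, and it uses a constructed toy ledger rather than real chain data), the following walks the 9.44 BTC payment through a split into fresh addresses until the funds either reach addresses an investigator has labelled as exchange deposits or the trail goes cold at an unspent output. All transaction ids, addresses, amounts and labels are assumptions.

```python
"""Trace a constructed ransom payment forward to labelled exchange deposit addresses."""
from collections import deque

# Constructed toy ledger (not real chain data): txid -> list of (output_address, btc)
LEDGER = {
    "tx_pay":   [("kairos_wallet", 9.44)],                             # victim pays
    "tx_split": [("hop_a", 4.70), ("hop_b", 3.00), ("hop_c", 1.74)],   # split to new addresses
    "tx_a":     [("bybit_dep_1", 4.69)],
    "tx_b":     [("hop_b2", 2.99)],
    "tx_b2":    [("okx_dep_7", 1.50), ("belqi_dep_3", 1.49)],
}
# Which transaction later spends each address (constructed)
SPENDS = {"kairos_wallet": "tx_split", "hop_a": "tx_a", "hop_b": "tx_b", "hop_b2": "tx_b2"}
# Attribution an investigator would hold for known deposit addresses (assumed)
LABELS = {"bybit_dep_1": "Bybit", "okx_dep_7": "OKX", "belqi_dep_3": "BELQI"}

def trace(start_tx, ledger=LEDGER, spends=SPENDS, labels=LABELS):
    """Breadth-first forward trace from start_tx.

    Returns (reached, cold): reached maps an exchange label to the BTC that
    arrived at its deposit addresses; cold maps unspent, unattributed
    addresses to the BTC parked there, i.e. where the trail currently ends.
    """
    reached, cold, seen = {}, {}, set()
    queue = deque([start_tx])
    while queue:
        txid = queue.popleft()
        if txid in seen:
            continue
        seen.add(txid)
        for addr, amount in ledger[txid]:
            if addr in labels:                       # known exchange deposit: stop here
                reached[labels[addr]] = reached.get(labels[addr], 0) + amount
            elif addr in spends:                     # funds moved on: follow the spend
                queue.append(spends[addr])
            else:                                    # unspent and unattributed: trail is cold
                cold[addr] = amount
    return reached, cold

if __name__ == "__main__":
    reached, cold = trace("tx_pay")
    print("reached exchanges:", reached)
    print("trail goes cold at:", cold)
```

The gap between 9.44 BTC in and the totals out stands in for transaction fees, which a real trace would account for explicitly.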

The illusion of the proof of deletion

When the county paid the $1 million, Kairos provided a file as proof of deletion. This file contained a list of file names that the attacker claimed were now erased. This is the architectural paradox of modern extortion. A victim pays for an action they can never truly verify. A list of file names only proves that the attacker once had access to the data. It offers no guarantee that the attacker did not keep a copy or sell the data to another group before the deletion happened.

Treating a promise from a thief as a receipt is a dangerous gamble. In the event of a breach, the data is already compromised. Confidentiality, the first leg of the CIA triad, is broken the moment the first terabyte leaves the network. Paying the ransom is a reactive measure that attempts to buy back a reputation that has already been damaged. It is an act of faith whose terms are written by a criminal. Looking at the threat landscape, these payments often fund the next round of attacks, creating a cycle that targets other vulnerable government entities.

Securing the underfunded network

The most frustrating part of the Kairos case is the simplicity of the entry point. The attacker claimed they got in by guessing a password. This is a reminder that the network perimeter is an obsolete castle moat if the gate is left unlocked. Small government networks often struggle with legacy systems and thin IT budgets, but the solutions to these problems are not always expensive. They require a shift toward a more resilient security posture.

Proactively, the first line of defense is the human firewall. However, even the best-trained employees cannot stop a brute-force attack on a service that lacks multi-factor authentication (MFA). If an attacker can guess a password and gain access, the system has failed at the architectural level. Security is not a product you buy; it is a process you follow. For a county government, that process must include strict access controls and the segmentation of sensitive data.

Key takeaways for public and private entities

  • Enforce multi-factor authentication on every external-facing service. Password guessing remains the most common way for groups like Kairos to gain a foothold.
  • Monitor for large outbound data transfers. An attacker moving 2 terabytes of data should trigger an immediate investigation in a well-monitored SOC.
  • Segment your network. Keep the prosecutor’s office, HR records, and financial data in isolated zones. This prevents a thief from accessing the entire crown jewels after compromising a single low-level account.
  • Audit your file-sharing traffic. Block or alert on transfers to temporary hosting sites like temp.sh, which are frequently used for exfiltration.
  • Assume the data is gone. Once data is stolen, no payment can truly restore its confidentiality. Prioritize prevention and detection over negotiation.
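To make the monitoring and file-sharing takeaways concrete, here is an added example (not code from the article or from Ransom-ISAC) that runs two simple exfiltration checks over constructed proxy log lines: it flags every outbound transfer to a burner host such as temp.sh, and it flags any source whose total outbound volume in the log window exceeds an assumed 1 GiB threshold. The log format, IP addresses, vendor hostnames and threshold are assumptions.

```python
"""Flag exfiltration-like outbound transfers in constructed proxy log lines."""
import re
from collections import defaultdict

# Constructed sample lines (not from the incident): timestamp, source IP, destination host, bytes out
SAMPLE_LOG = """\
2025-05-02T01:12:08Z 10.20.4.17 updates.example-vendor.com 48211
2025-05-02T01:13:40Z 10.20.4.17 temp.sh 734003200
2025-05-02T01:40:02Z 10.20.4.17 temp.sh 812345678
2025-05-02T02:05:51Z 10.20.4.17 temp.sh 790000000
2025-05-02T02:10:11Z 10.20.9.3 mail.example-county.gov 1200
2025-05-02T03:00:00Z 10.20.4.17 temp.sh 905000000
this line is malformed and is skipped
"""

TEMP_HOSTING = {"temp.sh"}        # burner file-sharing hosts named in the article
BYTES_THRESHOLD = 1024 ** 3       # assumed per-source outbound threshold: 1 GiB per log window
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+)$")

def is_temp_host(host):
    """True for a listed burner host or any subdomain of one."""
    return any(host == h or host.endswith("." + h) for h in TEMP_HOSTING)

def parse_log(text):
    """Yield (timestamp, src, dst, bytes_out) tuples, skipping malformed lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, src, dst, size = m.groups()
            yield ts, src, dst, int(size)

def detect(text, threshold=BYTES_THRESHOLD):
    """Return alerts: every transfer to a burner host, plus any source whose
    total outbound volume in the window exceeds the threshold."""
    alerts = []
    out_by_src = defaultdict(int)
    for ts, src, dst, size in parse_log(text):
        out_by_src[src] += size
        if is_temp_host(dst):
            alerts.append(("temp_host", src, dst, size, ts))
    for src, total in out_by_src.items():
        if total > threshold:
            alerts.append(("volume", src, total))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

In production the volume check would run per time window against a baseline rather than a fixed constant, and the host list would come from threat intelligence rather than a hard-coded set.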

Sources and further reading

  • Ransom-ISAC: Case Study on Kairos and Union County, Ohio (2025)
  • Sophos: State of Ransomware Report 2025
  • NIST: Guide to Data Confidentiality and Extortion Defense (SP 800-209)
  • MITRE ATT&CK: Exfiltration Over Web Service (T1567)

Disclaimer: This article is for informational and educational purposes only. It does not replace a professional cybersecurity audit, forensic investigation, or incident response service. Always consult with legal and technical professionals when responding to a live security incident.


See you on the other side.
