A U.S. government entity paid roughly $1 million to keep stolen files from being published, according to a case study by Rakesh Krishnan for Ransom-ISAC, reconstructed from a leaked negotiation chat and the blockchain trail the payment left behind. The chat points to Union County, Ohio, though neither the county nor the attacker has confirmed the link. (Source: The Hacker News)

The attacker, a group calling itself Kairos, ran what looks like ransomware but wasn't. Krishnan found no encryptor, no locker, and no demand for a decryption key. Nothing on the network was encrypted. The only lever was the stolen data itself, and the threat to publish it.

That distinction matters for how you assess your own risk. This was pure data-theft extortion: steal the files, then charge the victim not to leak them. Union County called it ransomware because that's the word everyone reaches for, but the mechanics were different, and so are the defenses that would have stopped it.

The data at stake was exactly the kind of information a county holds and citizens can't get reissued easily. In May 2025, Union County said it detected the intrusion and later notified 45,487 residents and staff — most of a county of roughly 70,000 — that their records had been taken. Those records ran from Social Security and financial details to fingerprints and passport numbers.

The attacker singled out one folder marked "prosecutors office," warning that leaking it would help criminals dodge charges. That is why government agencies draw this kind of attention. A small county holds law enforcement files, court records, HR data, and citizen identity documents in one place, often on a network with limited staff and budget behind it.

Kairos itself said it got in by simply guessing a password. For a target that combines high-value data with thin security resources, that's the equation these crews are working with. The result here was a payment the county never publicly disclosed, made to a group that offered nothing in return but a promise.

Attack Chain and Data Exfiltration Tactics Used by Black Basta and Conti

The Kairos operation claimed it got initial access by guessing a password, the simplest form of credential-based entry. That single detail places the intrusion in the same category as most data-theft extortion cases: no exotic zero-day, just a weak or reused credential on an internet-facing service. For a small county network, that means an exposed remote access portal or a public login without multi-factor authentication was likely the entry point.

The negotiation and payment patterns tie Kairos to a lineage that runs through Conti and Black Basta, the two groups whose leaked internal chats now serve as the reference model for how these deals get made. When Black Basta's internal messages leaked in February 2025, analysts found a deal that moved from a $1.5 million demand to a $100,000 counter and settled at a $1 million payment. The Kairos chat followed almost the same arc, which suggests shared playbooks or operators who moved between crews.

Here is how the typical Conti and Black Basta attack sequence maps against what the Kairos case shows:

  • Initial access: credential guessing or reuse against exposed services, consistent with the password-guessing entry Kairos described.
  • Lateral movement: Conti and Black Basta operators historically used built-in Windows tooling and remote administration utilities to move between hosts, blending in with legitimate admin activity rather than dropping obvious malware.
  • Data discovery and staging: attackers hunt for high-value folders. In the Kairos case, the attacker singled out a folder marked "prosecutors office," showing deliberate targeting of legal and citizen records rather than blind bulk collection.
  • Exfiltration: Kairos used burner file-sharing links, including temp.sh addresses, to move stolen files out. The attacker claimed to hold more than 2 terabytes across roughly 1.6 million files.
  • Extortion delivery: a leak-site listing, a countdown timer, tight deadlines, and threats to publish the most sensitive folders first.

The proof-of-theft artifacts in this case were ordinary filenames — Union.xlsx, 1 union co psi template.doc, and a final archive named union.rar. Those are not malware signatures; they are evidence the attacker had the data. For a defender, that distinction matters: the pressure came entirely from possession of files, not from any code left running on the network.

What separates Kairos from the encrypting ancestors is the missing step. Conti deployed a locker; Kairos did not. That aligns it more closely with the Silent Ransom Group, a Conti offshoot that has run pure data-theft extortion against U.S. law and finance firms for years with no encryptor at all. The affiliate relationship here is one of technique and negotiation style rather than confirmed shared infrastructure.

Sophos reported in 2025 that only about half of ransomware attacks still involve any encryption, the lowest rate in six years — and some crews have dropped it entirely.

The financial trail is its own forensic artifact. The roughly 9.44 bitcoin payment was split in two within hours and pushed through a chain of wallets toward deposit addresses tied to the exchanges Bybit, OKX, and a Russian service called BELQI. That routing gives investigators leads on cash-out points, not identities. A wallet tied to the operation was still moving money as recently as May 2026, meaning the group's infrastructure outlived its now-offline leak site.

The forensic indicators worth pulling from this pattern are the entry credential's failed-login trail, large outbound transfers to file-sharing hosts like temp.sh, and the timing between exfiltration and the first extortion contact. For an organization holding citizen or legal records, those signals mark the window between theft and demand — the only period when the data is out but not yet published.

Why Government and Law Enforcement Agencies Face Elevated Extortion Risk

The data an attacker holds when they hit a county government is not spreadsheets and budget files. In the Union County case, the stolen records included Social Security numbers, financial details, fingerprints, and passport numbers belonging to more than 45,000 residents and staff. When you hold that kind of data, the decision to pay is not really about restoring service. It is about what happens to the people whose information you were trusted to protect.

That is what makes government and law enforcement agencies a distinct kind of target. The attacker in this case leaned specifically on a folder marked "prosecutors office," warning that publishing it would let criminals dodge charges. When your data includes active case files, witness details, or juvenile records, the leak is not just embarrassing—it can compromise ongoing prosecutions and put people at risk. An attacker knows this, and prices the extortion accordingly.

The financial calculus works against you in a specific way. Union County described itself as a small county with limited resources, yet it paid ten times its opening offer, about $1 million, because the alternative was worse. Attackers read that willingness correctly. If you run public services, you cannot simply shut down and rebuild quietly; residents need vital records, courts need to function, and the political pressure to make the problem disappear falls on elected officials who answer to voters.

Public-sector breaches also carry disclosure obligations that private extortion often avoids. State breach notification laws required Union County to notify the affected residents once it determined data had been taken, which is how the resident count of 45,487 became public even though the payment was not. You end up managing two separate problems at once:

  • The extortion itself—a payment that may never be publicly disclosed but still leaves a blockchain trail investigators can follow, as this case showed.
  • Mandatory notification—breach laws and open-records expectations mean the incident becomes public regardless of whether you pay, so paying buys silence from the attacker, not from your own legal duties.
  • Trust with residents—the people whose fingerprints and passport numbers were taken have no way to change those, unlike a stolen password.

The receipt you get for that payment is worthless. Kairos sent a "proof of deletion" file, but it was only a list of file names—evidence that the attacker once had the data, not that any copy was destroyed. When you pay a pure data-theft group, you are trusting the word of the same party that stole from you.

The Sophos finding cited above, that only about half of ransomware attacks still involve any encryption, matters for how you assess your own risk. If the pressure point is stolen data rather than locked machines, then tested backups and fast recovery no longer protect you from the core threat. A group like this never needs to touch your ability to operate. It only needs a copy of the files you were supposed to keep private, and a folder name that tells it exactly which records will hurt the most if they surface. For a government agency, that folder almost always exists.

Detection and Immediate Response for Government and Finance Sector Organizations

The single most important action is to hunt for signs that data left your network before an extortion note ever arrives. In the Kairos case, the entire operation turned on quiet file theft, not encryption, so your detection has to focus on staging and exfiltration rather than the moment files get locked. Following the CISA layered defense model, work outward from identity and endpoint telemetry to network egress and recovery.

In the first 24 hours, treat any evidence of bulk data movement as the priority signal. Query process execution logs across endpoints for the tools attackers use to gather and compress files before shipping them out.

  • Use Velociraptor or osquery to pull process-creation events and flag abuse of rundll32, certutil, 7z.exe, and rar.exe outside normal admin windows. The final proof-of-theft archive in this case was a .rar file, so archive-tool activity on a file server is worth a hard look.
  • Review SMB traffic for one host suddenly reading large volumes across many shares, a pattern that points to a single compromised account walking the network.
  • Check for Volume Shadow Copy deletion via vssadmin delete shadows even in a data-theft case, since some crews delete backups to increase pressure.
  • Search endpoint and proxy logs for known Conti and Black Basta indicators, given that Kairos's negotiation and payment patterns tie it to that lineage.
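As an added illustration of the first-hour hunt above (example code written for this article, not from Velociraptor, osquery or any vendor product), the following flags launches of the tools just listed when they fall outside an assumed admin window, and archive-tool launches on assumed file-server hosts, over constructed osquery-style process events:

```python
# Added example, not code from the article or from Velociraptor/osquery:
# flags archive-tool and LOLBin launches that match the staging pattern the
# article describes, over constructed osquery-style process events.
from datetime import datetime

WATCHED = {"rundll32.exe", "certutil.exe", "7z.exe", "rar.exe"}
ARCHIVERS = {"7z.exe", "rar.exe"}
ADMIN_WINDOW = (8, 18)            # assumed admin hours, 08:00-18:00 local
FILE_SERVERS = {"fs01", "fs02"}   # assumed file-server hostnames

# Constructed sample events (hostnames, users, paths and times are made up).
EVENTS = [
    {"host": "fs01", "user": "svc_backup", "time": "2025-05-03T02:14:00",
     "path": r"C:\Program Files\WinRAR\rar.exe", "cmdline": "rar.exe a -r union.rar D:\\Shares"},
    {"host": "ws17", "user": "jdoe", "time": "2025-05-03T10:30:00",
     "path": r"C:\Program Files\7-Zip\7z.exe", "cmdline": "7z.exe a photos.7z C:\\Users\\jdoe\\Pictures"},
    {"host": "fs02", "user": "admin", "time": "2025-05-03T14:00:00",
     "path": r"C:\Windows\System32\rundll32.exe", "cmdline": "rundll32.exe printui.dll,PrintUIEntry /in"},
    {"host": "ws22", "user": "jdoe", "time": "2025-05-03T23:05:00",
     "path": r"C:\Windows\System32\certutil.exe", "cmdline": "certutil.exe -hashfile setup.exe SHA256"},
    {"host": "fs01", "user": "svc_backup", "time": "2025-05-04T09:00:00",
     "path": r"C:\Program Files\WinRAR\rar.exe", "cmdline": "rar.exe a -r hr.rar D:\\Shares\\HR"},
    {"host": "ws05", "user": "mgr", "time": "2025-05-04T11:00:00",
     "path": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe notes.txt"},
]

def flag_staging(events, admin_window=ADMIN_WINDOW, file_servers=FILE_SERVERS):
    """Return one finding per watched process launch that breaks a rule."""
    findings = []
    for ev in events:
        # Normalise the image path and keep only the executable name.
        exe = ev["path"].replace("\\", "/").rsplit("/", 1)[-1].lower()
        if exe not in WATCHED:
            continue
        hour = datetime.fromisoformat(ev["time"]).hour
        reasons = []
        if not admin_window[0] <= hour < admin_window[1]:
            reasons.append("outside admin window")
        if exe in ARCHIVERS and ev["host"] in file_servers:
            reasons.append("archive tool on file server")
        if reasons:
            findings.append({"host": ev["host"], "user": ev["user"],
                             "exe": exe, "time": ev["time"], "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in flag_staging(EVENTS):
        print(f"{f['time']} {f['host']} {f['user']} {f['exe']}: {', '.join(f['reasons'])}")
```

Tune the window and host sets to your own environment; the rules are deliberately simple so that each finding can be explained to the analyst who has to isolate the host.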

Isolate any host showing these signs from the network, but preserve it rather than reimaging. In environments Capstone manages, SentinelOne flags the archive-and-stage behavior above at the endpoint, before a full dataset is packaged for upload.

Across the first week, move to forensics and access review. Take full disk images of affected systems before any cleanup so you keep a defensible record of what was accessed.

  • Review email gateway logs for credential-harvesting messages or spear-phishing that could explain a guessed or captured password.
  • Audit VPN and RDP authentication logs for logins from unfamiliar geographies, impossible-travel pairs, and repeated failed attempts followed by a success — the fingerprint of password guessing against an internet-facing service.
  • Verify backup integrity and run an actual recovery test. Do not assume a backup restores until you have restored from it.
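The authentication review in the second bullet, as an added example that is not part of the original article: it reads constructed VPN auth lines (the log format, usernames and documentation-range IP addresses are assumed) and reports the failed-then-success fingerprint per account and source, plus any single source failing against many accounts.

```python
# Added example, not from the article: finds the password-guessing fingerprint
# the article describes (a run of failures on one account, then a success) and
# one source failing against many accounts, over constructed VPN auth lines.
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE = re.compile(r"^(?P<ts>\S+) \S+ auth: user=(?P<user>\S+) "
                  r"src=(?P<src>\S+) result=(?P<res>OK|FAIL)$")

# Constructed sample log (format, users and documentation-range IPs are assumed).
LOG = [f"2025-05-01T03:0{i}:00 vpn01 auth: user=jdoe src=203.0.113.7 result=FAIL"
       for i in range(6)]
LOG += [
    "2025-05-01T02:58:00 vpn01 auth: user=admin src=203.0.113.7 result=FAIL",
    "2025-05-01T02:59:00 vpn01 auth: user=rsmith src=203.0.113.7 result=FAIL",
    "2025-05-01T03:06:30 vpn01 auth: user=jdoe src=203.0.113.7 result=OK",
    "2025-05-01T08:10:00 vpn01 auth: user=asmith src=198.51.100.4 result=FAIL",
    "2025-05-01T08:11:00 vpn01 auth: user=asmith src=198.51.100.4 result=OK",
]

def parse(lines):
    """Parse matching lines and return them ordered by timestamp."""
    events = []
    for line in lines:
        m = LINE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["user"], m["src"], m["res"]))
    return sorted(events)

def guessing_successes(lines, min_fails=5, window=timedelta(minutes=30)):
    """Successes preceded by >= min_fails failures for the same user+source."""
    fails = defaultdict(list)
    alerts = []
    for ts, user, src, res in parse(lines):
        key = (user, src)
        if res == "FAIL":
            fails[key].append(ts)
            continue
        recent = [t for t in fails[key] if ts - t <= window]
        if len(recent) >= min_fails:
            alerts.append({"user": user, "src": src, "failures": len(recent),
                           "success_at": ts.isoformat()})
        fails[key].clear()   # a success resets the run for this account
    return alerts

def spraying_sources(lines, min_users=3):
    """Sources whose failures touch at least min_users distinct accounts."""
    users = defaultdict(set)
    for _, user, src, res in parse(lines):
        if res == "FAIL":
            users[src].add(user)
    return {src: sorted(u) for src, u in users.items() if len(u) >= min_users}
```

A single mistyped password followed by a login (the asmith lines) stays below the threshold, which is the false positive this rule has to survive on a real VPN log.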

Adlumin monitors authentication patterns across managed environments, catching the login anomalies that indicate a stolen or guessed credential before an attacker starts pulling files. That matters here because the intrusion hinged on identity, not a software exploit.

Over the following weeks, close the structural gaps that let one compromised account reach citizen and case records. Segment the network so legal, HR, and resident data sit behind separate controls from general office systems, limiting how far lateral movement can spread.

Enforce MFA on every external-facing service — VPN, RDP, email, and remote admin portals — so a single password is no longer enough. Deploy behavioral analytics that alert on large outbound transfers to unfamiliar destinations, including temporary file-sharing hosts like the temp.sh links used to move stolen files in this case.
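The outbound-transfer alert just described, as an added example (not code from the article or any analytics product): it sums upload volume per host and destination from constructed proxy log lines and alerts on transient file-sharing hosts such as temp.sh, and on large uploads to destinations outside an assumed baseline.

```python
# Added example, not from the article or any vendor product: aggregates
# outbound upload volume per (host, destination) from constructed proxy log
# lines and alerts on transient file-sharing hosts and on large uploads to
# destinations outside an assumed baseline.
import re
from collections import defaultdict

LINE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
                  r"method=(?P<method>\S+) bytes_out=(?P<bytes>\d+)$")

TRANSIENT_SHARES = {"temp.sh"}                            # from the case; extend locally
BASELINE = {"update.microsoft.com", "mail.example.gov"}    # assumed known-good destinations

# Constructed sample lines (hostnames, destinations and sizes are made up).
LOG = [
    "2025-05-03T02:20:11 src=fs01 dst=temp.sh method=PUT bytes_out=400000000",
    "2025-05-03T02:31:40 src=fs01 dst=temp.sh method=PUT bytes_out=400000000",
    "2025-05-03T02:44:02 src=fs01 dst=temp.sh method=PUT bytes_out=400000000",
    "2025-05-03T09:00:00 src=ws17 dst=update.microsoft.com method=GET bytes_out=1200",
    "2025-05-03T09:15:00 src=ws22 dst=files.example.net method=POST bytes_out=600000000",
    "2025-05-03T09:30:00 src=ws05 dst=mail.example.gov method=POST bytes_out=50000000",
]

def egress_alerts(lines, unfamiliar_mb=500):
    """Return alerts sorted by upload volume, largest first."""
    totals = defaultdict(int)
    for line in lines:
        m = LINE.match(line)
        if not m or m["method"] not in ("POST", "PUT"):
            continue   # only count request bodies, i.e. data leaving the network
        totals[(m["src"], m["dst"])] += int(m["bytes"])
    alerts = []
    for (src, dst), total in totals.items():
        mb = total / 1_000_000
        if dst in TRANSIENT_SHARES:
            reason = "upload to transient file-sharing host"
        elif dst not in BASELINE and mb >= unfamiliar_mb:
            reason = "large upload to unfamiliar destination"
        else:
            continue
        alerts.append({"src": src, "dst": dst, "mb": round(mb, 1), "reason": reason})
    return sorted(alerts, key=lambda a: a["mb"], reverse=True)
```

Aggregating per host rather than per request is what catches an exfiltration split into many medium-sized uploads, the pattern the three fs01 lines model.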

Finally, run a tabletop exercise built around a pure extortion scenario: no encryption, no downtime, only a threat to publish. Decide in advance who approves a public statement, who talks to law enforcement, and how you treat a promise of deletion — which, as this case showed, is a receipt written by the thief and worth nothing.

Extortion Negotiation, Payment Decisions, and Law Enforcement Coordination

The Union County payment reached about 9.44 bitcoin, and once it landed in the Kairos-linked wallet, it moved within hours toward deposit addresses tied to Bybit, OKX, and a Russian service called BELQI. That routing matters for your decision framework, because it changes a payment from a business transaction into a potential compliance event.

When you consider paying an extortion demand, the money does not just leave your accounts. It may flow to an entity or jurisdiction that carries sanctions exposure. The U.S. Treasury's Office of Foreign Assets Control (OFAC) has made clear that facilitating payments to sanctioned actors can trigger civil liability on a strict-liability basis, meaning you can be penalized even if you did not know who ultimately received the funds.

That is why any contact from an extortionist becomes a legal question before it becomes a financial one. If your organization is approached, the first calls are to your general counsel and the FBI, not to the attacker. Federal guidance directs victims to report extortion promptly so investigators can attempt the kind of blockchain tracing Krishnan performed here, which hands them leads even when it does not produce names.

The negotiation itself is not something you should run alone. In cases like this, specialized incident-response counsel and negotiation firms take over the chat, precisely because the emotional and time pressure the attacker applies is designed to push you toward a fast, poorly documented payment. The Kairos negotiation ran about a month and moved from a $3 million opening demand down to the $1 million final figure, an arc that only holds together when someone experienced manages the pace.

Consider what your payment actually buys. Kairos sent over a "proof of deletion" file, but as the case study notes, a list of file names shows only that the attacker once possessed the data, not that any copies were destroyed.

Paying to make stolen data disappear is an act of faith, and the receipt is written by the thief.

For a government agency, that faith carries a specific cost. You may pay to prevent disclosure and still face the same breach-notification obligations, since the theft already occurred. Union County notified 45,487 residents and staff regardless of the payment, so the money did not remove the legal duty to disclose or the reputational fallout that came with it.

Weigh these tensions before an incident forces a rushed answer:

  • Disclosure vs. payment: paying may delay a leak, but it does not erase your notification requirements or the possibility the files surface later anyway.
  • Sanctions risk: if funds trace to a sanctioned exchange or jurisdiction, your organization can face OFAC penalties independent of the extortion itself.
  • Evidence preservation: every message, timestamp, and wallet address is investigative material, so keep the full negotiation chat intact rather than deleting it.
  • Encouraging repeat targeting: a paid demand marks you as a payer, and the Kairos wallet was still moving money as recently as May 2026, well after the county paid.

The practical takeaway is that payment is a legal and compliance decision run through counsel, law enforcement, and Treasury guidance, not a quiet transaction you settle to make a problem go away. Union County paid ten times its first offer and still had to tell tens of thousands of people their data was taken.

Key Takeaways: Reducing Extortion Vulnerability in High-Value Targets

The most durable lesson from the Kairos case is that the value of your stolen data determines how much you can be charged. An attacker holding highly sensitive records has more leverage than one holding routine administrative files, which means the design of your data itself is part of your defense.

For government and finance organizations, extortion attempts should be treated as an expected event rather than a rare one. The shift away from encryption means the threat no longer depends on breaking your systems. It depends entirely on what an attacker can copy out and how sensitive that copy is.

That reframes the goal. Instead of only defending against the moment files get locked, you reduce what an attacker gains from taking them:

  • Data minimization: retaining only the records you need shrinks the pool an attacker can steal and threaten to publish.
  • Encryption at rest: stored data that an attacker cannot read carries far less extortion value than plaintext they can post.
  • Access controls and segmentation: isolating the most sensitive records means a single compromised credential does not expose everything at once.

Payment does not resolve the underlying problem. As the Kairos case showed, a "proof of deletion" file names what the attacker held, not what they wiped, and nothing prevents that data from being sold or re-used later. You are paying for a promise written by the person who took your files.

Sustainable defense rests on architecture and readiness: independent backups, network segmentation, fast detection of data movement, and a defined escalation path to law enforcement agreed before an incident. Those controls do not stop an attacker from trying, but they lower what a successful theft is worth and shorten the time it takes you to respond.
