A small US county government reportedly paid a $1 million ransom in Bitcoin to the Kairos cyber extortion group on June 13, 2025, according to analysis published by Ransom-ISAC. The payment was made to prevent the public release of data stolen during a May 2025 network intrusion. The affected organization appears to be Union County, Ohio, which in September notified 45,487 individuals that their personal information had been compromised.

Attack Vector and Stolen Data

Kairos gained access to the victim’s environment through a brute-force attack and claimed to have exfiltrated more than 2 terabytes of data, representing approximately 1.6 million files. Importantly, Ransom-ISAC notes this was a pure extortion incident and did not involve file-encrypting ransomware. The attackers focused entirely on data theft and the threat of public disclosure.

According to the county’s breach notification, the stolen information included names, dates of birth, driver’s license and state ID numbers, passport numbers, Social Security numbers, financial account details, fingerprint information, medical records, and payment card data.

Negotiation Transcript

A leaked negotiation transcript reviewed by Ransom-ISAC shows Kairos initially demanded $3 million in cryptocurrency. Over a three-week period, the victim progressively raised its offer from $100,000 to $430,000 before ultimately accepting a hard deadline and agreeing to pay $1 million in Bitcoin. Ransom-ISAC observed that the victim’s negotiating behavior was consistent with an organization coordinating legal, leadership, financial, and communications decisions in parallel while attempting to buy time.

The attackers maintained pressure through threats of public exposure and demonstrated control via proof-of-access artifacts throughout the negotiation.

Verification and Proof-of-Deletion Concerns

Ransom-ISAC raised significant concerns about the reliability of the proof-of-deletion provided by Kairos. The organization noted the proof appeared selective rather than comprehensive, and could have been generated by deleting a copy of the data rather than the original. No independent mechanism to verify actual deletion was provided, leaving the county with no assurance that the stolen files would not resurface.

Broader Implications

The incident highlights several persistent risks for resource-constrained local governments. Brute-force attacks remain an effective initial access method when password controls are weak, and pure extortion operations, which skip encryption entirely, can move faster and leave victims with fewer recovery options. The lack of a verifiable deletion mechanism underscores the well-documented risk that paying a ransom does not guarantee data protection.

Ransom-ISAC did not formally name the affected organization in its report. SecurityWeek reported it had contacted Union County for comment.