US government body paid $1M in data-theft extortion



TL;DR

A US government entity paid about $1m to the Kairos extortion group to keep stolen files private, according to a Ransom-ISAC case study based on a leaked negotiation chat and blockchain analysis. The clues point to Union County, Ohio, though neither party has confirmed it. The case illustrates how much of today’s “ransomware” involves no encryption at all.

A US government entity paid around $1m to stop stolen files from being published, according to a case study by researcher Rakesh Krishnan for Ransom-ISAC. The analysis draws on a leaked negotiation chat and the blockchain trail the payment left behind.

The group behind the deal calls itself Kairos, but it may not be a ransomware gang in any traditional sense. Krishnan reportedly found no encryptor, no locker, and no demand for a decryption key, just stolen files and a price for keeping them private.

The case study does not name the victim, but file names in the proof-of-theft samples, including an archive called union.rar, point to Union County, Ohio. Neither the county nor Kairos has confirmed the connection, and The Hacker News says it has contacted the county for comment.

The clues do line up with a real incident. In May 2025, Union County detected ransomware on its network and later notified 45,487 people that data including Social Security numbers, fingerprints, and passport details had been taken.

If the identification holds, a county of roughly 70,000 residents made a $1m payment it never publicly disclosed. The attacker reportedly leaned hardest on a folder marked “prosecutors office”, warning that a leak would help criminals evade charges.

Anatomy of a $1m deal

The negotiation ran for about a month, according to the case study. Kairos opened at $3m and claimed to hold more than 2TB of data across some 1.6 million files.

The county reportedly countered at $100,000 and inched up to $430,000, while Kairos dropped to $2m before fixing a final $1m deadline. The victim paid on 13 June 2025, ten times its opening offer.

The payment of roughly 9.44 bitcoin matched about $1m at that week’s market prices. Within hours it was reportedly split and routed through a chain of wallets towards deposits at Bybit, OKX, and BELQI, a Russian service that recalls earlier ransomware laundering through WEX and BTC-e.

Tracing of this kind gives investigators leads rather than identities. Criminal crews have spent years refining how they wash cryptocurrency through mules, mixers, and loosely regulated exchanges.

What the money bought is another question. Kairos handed over a “proof of deletion” file, but a list of file names only proves the attacker once held the data, and promises to delete stolen data have unravelled before.

Ransomware without the ransomware

Union County described the incident as ransomware, yet nothing in the Kairos case was ever encrypted. A growing share of what still carries that label now skips lockers entirely and uses the stolen data itself as the pressure point, a playbook that recent extortion-only breaches have aimed at the private sector too.

Sophos reported in 2025 that only around half of ransomware attacks involved encryption, down from 70% a year earlier and the lowest rate in six years. Silent Ransom Group, an offshoot of the Conti ecosystem, has spent years running encryption-free extortion against US law firms, drawing repeated FBI warnings.

The bargaining arc is familiar too. When Black Basta’s internal chats leaked in February 2025, one deal moved from a $1.5m demand to a $100,000 counter and a $1m payment, almost the same curve.

Kairos itself has gone quiet, with its leak site offline and its last known victim posted in June 2026, per the case study. A linked wallet was reportedly still moving funds in May, so a dark leak site should not be read as a retired crew.

Unglamorous lessons

For small government networks, the takeaways are deliberately dull. Kairos claimed it got in by guessing a password, so multi-factor authentication and alerts on repeated failed logins would have raised the cost of entry considerably.

Defenders should also watch outbound transfers and throwaway file-sharing links, such as the temp.sh addresses the attacker used, and keep legal and citizen records segmented from the wider network. Above all, a thief’s receipt for deleted data is worth exactly what it cost to type.



Source link

Leave a Reply

Subscribe to Our Newsletter

Get our latest articles delivered straight to your inbox. No spam, we promise.

Recent Reviews


Sixteen years ago, The Social Network turned the origin story of Facebook into one of the most acclaimed films of the century. Now, Aaron Sorkin is back, and this time he is writing and directing. Sony Pictures dropped the first full trailer for The Social Reckoning today, and it is exactly as intense as you would hope.

This is technically not a direct sequel but a companion piece, and it is focused on what happened after Facebook grew from a dorm room idea into a platform that reshaped the world, and not always for the better.

What is The Social Reckoning actually about?

The film centers on Frances Haugen, a young Facebook engineer who, in 2021, leaked a massive trove of internal company documents to the Wall Street Journal, exposing how the platform knowingly amplified harm to teenagers and allowed misinformation to spread on a global scale.

That reporting, known as The Facebook Files, blew the lid off how Facebook handled its internal research. The tagline “Every revolution begins with a reckoning” frames the entire film as something bigger than a corporate scandal story.

Mikey Madison, who won the Best Actress Oscar for Anora, plays Haugen. Jeremy Allen White plays WSJ reporter Jeff Horwitz, who helped Haugen bring those secrets to light. The supporting cast includes Wunmi Mosaku, Betty Gilpin, Billy Magnussen, and Bill Burr.

Jeremy Strong as Mark Zuckerberg is the casting decision of the year

Jesse Eisenberg, who played Zuckerberg in the original and earned an Oscar nomination for it, declined to return for The Social Reckoning. Sorkin went with Jeremy Strong, the Succession lead, who has been phenomenal at playing a complicated man on the edge. The trailer shows him absolutely nailing Zuckerberg’s flat delivery and unsettling stillness.

When Strong was asked whether he had spoken to Eisenberg about the role, his answer was blunt. It had nothing to do with what he was going to do. That confidence is all over the trailer. Strong plays Zuckerberg as a man who has fully grown into his own power, dead-eyed and precise, describing himself with a straight face as a “professional defendant” while being prepped for congressional testimony.

Strong says the script of this movie is one of the greatest he has ever read, saying it touches the third rail of everything happening in the world right now. The Social Reckoning opens in theaters on October 9, 2026.



Source link