CyberSecurity

Small Ohio County Reportedly Paid $1 Million Ransom to Kairos Cyber Extortion Group

Published

on

Inside the Negotiation: How a County Agreed to Pay $1 Million in Bitcoin

A local government entity in the United States — widely believed to be a small county in Ohio — reportedly paid a $1 million ransom to the cyber extortion group known as Kairos. The payment was made to prevent the public release of sensitive data stolen during a breach in May 2025, according to a report from Ransom-ISAC.

The incident did not involve file-encrypting ransomware. Instead, it was a pure extortion play: the attackers stole data and demanded payment to keep it quiet. A leaked negotiation transcript, obtained by Ransom-ISAC, reveals the back-and-forth between the victim and the criminals.

Kairos initially demanded $3 million in cryptocurrency. The victim countered with $100,000. Over three weeks, the offer crept up to $430,000. But the group held firm. Eventually, the county accepted a hard deadline and wired $1 million in Bitcoin on June 13.

“The affected entity’s responses are consistent with an organization buying time while legal, leadership, financial, and communications decisions were coordinated,” Ransom-ISAC noted.

Who Is the Victim? Union County, Ohio, Appears to Be the Target

Ransom-ISAC did not name the organization outright. But the negotiation transcript describes it as “a small county with very limited resources.” Public records point to Union County, Ohio. In September, the county filed a data breach notification with the state, warning 45,487 individuals that their personal information had been stolen in a May 2025 ransomware attack.

The stolen data is staggering in its scope. It includes names, dates of birth, driver’s license numbers, state ID numbers, passport numbers, Social Security numbers, financial account details, fingerprint data, medical information, and payment card details.

SecurityWeek has reached out to Union County for comment. At the time of writing, the county has not responded.

How the Attack Happened: Brute Force and 2 Terabytes of Data

Kairos claimed to have stolen over 2 terabytes of data — roughly 1.6 million files — after breaking into the county’s environment through a brute-force attack. That’s a simple but effective method: attackers try thousands of username and password combinations until they find one that works.

Once inside, the group scraped file servers systematically. The attackers did not deploy ransomware. They didn’t need to. The threat of exposure was enough to pressure the cash-strapped county into paying.

Ransom-ISAC noted that the attackers’ “proof of deletion” — a video supposedly showing them wiping the stolen data after payment — was not independently verifiable. The organization said the deletion could have been faked by erasing only a copy of the data. “No mechanism to independently verify the deletion was provided,” the report states.

Why This Case Matters for Local Governments

This incident is a stark reminder that ransomware attacks are evolving. Many local governments have limited cybersecurity budgets and small IT teams. They are prime targets for cybercriminals who know that a breached election database or a leaked police report can cause chaos.

The ransom payment of $1 million is a huge sum for a small county. It raises difficult questions: Should governments ever pay? The FBI and CISA strongly advise against it, arguing that payments fund further crime. But when the alternative is having citizens’ Social Security numbers and medical histories dumped online, the calculus changes.

Ransom-ISAC’s analysis suggests the county’s slow negotiation was a deliberate strategy. The organization bought time to consult with legal counsel, leadership, and financial advisors. In the end, they paid — but they didn’t pay the full $3 million.

What Happens After the Payment?

The data breach notification filed by Union County suggests that the stolen information is now considered compromised. Even if Kairos deleted the files, the data could have been copied multiple times. Victims should monitor their credit reports, financial accounts, and medical records for signs of identity theft.

For other local governments, the takeaway is clear: invest in multifactor authentication, regular security training, and robust backup systems. A brute-force attack should not be able to bring down an entire county’s data infrastructure.

As for Kairos, the group remains active. The $1 million payout will likely fund more attacks. The cycle continues.

Leave a Reply

Your email address will not be published. Required fields are marked *

Trending

Exit mobile version