U.S. Government Entity Paid $1 Million in Data-Theft Extortion, New Case Study Reveals


The Payment and the Threat

A million-dollar ransom without encryption

A U.S. government entity paid approximately $1 million to prevent the public release of stolen files, according to a new case study by researcher Rakesh Krishnan for Ransom-ISAC. The analysis is based on a leaked negotiation chat and the blockchain trail left by the payment.

The group behind the extortion calls itself Kairos. However, Krishnan found no evidence that Kairos ever encrypted a single machine. There was no encryptor, no locker, and no demand for a decryption key. The threat was simpler: steal the files, then charge the victim not to publish them.

Although Krishnan does not name the victim, details in the chat point to Union County, Ohio. Proof-of-theft files include names such as Union.xlsx, 1 union co psi template.doc, and a final archive called union.rar. The victim describes itself as a small county with limited resources. The attacker highlighted a folder labeled "prosecutors office," warning that leaking it could help criminals avoid charges.

The clues align with a real incident. In May 2025, Union County, Ohio, reported detecting ransomware on its network. It later notified 45,487 residents and staff that their data had been taken, a majority of the county's roughly 70,000 residents. Stolen records included Social Security numbers, financial details, fingerprints, and passport numbers.

Neither Union County nor Kairos has confirmed the connection. However, if it holds, a county government paid about $1 million that it never publicly disclosed. The Hacker News has contacted the Union County Commissioners' Office for comment; this story will be updated with any response.

Negotiation and Payment Timeline

From $3 million demand to a $1 million final offer

The negotiation between Kairos and the victim lasted about a month. Kairos initially demanded $3 million, claiming it held more than 2 terabytes of data—some 1.6 million files. The victim started at $100,000, then increased to $255,000, and later to $430,000. Kairos dropped to $2 million before setting a hard final number: $1 million, to be paid by Friday, or the files would be made public.

The attackers used typical levers: a countdown timer, tight deadlines, and threats to release the most sensitive folders first. The victim paid on June 13, 2025, ten times its initial offer. The payment was roughly 9.44 bitcoin, worth about $1 million at the time.

Krishnan traced the funds from there. Within hours, the bitcoin was split in two and moved through a chain of wallets toward deposit addresses tied to the cryptocurrency exchanges Bybit, OKX, and a Russian service called BELQI. Such tracing provides investigators with leads, not names.

Kairos provided a "proof of deletion" file, but a list of file names only shows that the attacker once possessed the files—not that the originals were destroyed. Paying to make stolen data disappear is an act of faith, and the receipt is written by the thief.

The Shift to Data-Theft Extortion

Encryption is no longer a given in ransomware incidents

Union County called the incident "ransomware," the term everyone reaches for, but in the Kairos case, nothing was locked. This reflects a broader shift: much of what is still called ransomware now skips encryption and uses stolen data as the sole pressure point.

Sophos reported in 2025 that only about half of ransomware attacks still involve encryption—the lowest rate in six years. Some groups have dropped encryption entirely. Silent Ransom Group, a Conti offshoot, has for years run pure data-theft extortion against U.S. law and finance firms with no encryptor at all.

The Kairos negotiation pattern is also familiar. When Black Basta's internal chats leaked in February 2025, an analysis turned up a deal that ran from a $1.5 million demand to a $100,000 counter to a $1 million payment—almost the same arc. Those chats, and the Conti leaks before them in 2022, are how researchers reconstruct the way these bargains are struck.

Kairos itself has gone quiet. Its leak site is down, and its last known victim appeared in June 2026. However, a wallet tied to the operation was still moving money as recently as May 2026, a reminder that a dark leak site is not the same as a dead crew.

Lessons for Small Governments

Practical steps to reduce risk

For anyone running a small government network, the lessons are familiar but worth repeating. Kairos claimed it gained access by simply guessing a password. This underscores the need for multi-factor authentication on every externally reachable login, because MFA is what turns a correctly guessed password into a failed attempt rather than a foothold.

Organizations should monitor for repeated failed logins followed by a success from the same source, large outbound data transfers from servers that normally send little, and burner file-sharing links like the temp.sh addresses Kairos used to move files. Legal, HR, and citizen records should be segmented from the rest of the network so that one guessed password does not expose all of them.
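The three signals above are cheap to check even without a SIEM. As an added example (not code from the report, Ransom-ISAC, or Union County), the script below runs a password-guessing check and an egress check over constructed log lines. It assumes OpenSSH-style "Failed password" / "Accepted password" messages with an ISO timestamp prepended, and a simplified egress record of `timestamp host destination bytes_out`; the hostnames, IPs and byte counts are made up, and the threshold values are illustrative and should be tuned to the environment.

```python
"""Toy detection pass for password guessing and suspicious egress.

Constructed sample logs; the only real-world name is temp.sh, the burner
file-sharing host the Kairos chat shows the attacker using.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed: OpenSSH sshd message bodies with an ISO-8601 timestamp and
# hostname prepended (real sshd logs go through syslog, whose timestamp
# format differs; adjust AUTH_RE for your collector).
AUTH_LOG = """\
2025-06-01T02:14:01Z fileserv sshd[4120]: Failed password for admin from 203.0.113.7 port 51022 ssh2
2025-06-01T02:14:03Z fileserv sshd[4120]: Failed password for admin from 203.0.113.7 port 51023 ssh2
2025-06-01T02:14:05Z fileserv sshd[4121]: Failed password for admin from 203.0.113.7 port 51024 ssh2
2025-06-01T02:14:08Z fileserv sshd[4122]: Failed password for admin from 203.0.113.7 port 51025 ssh2
2025-06-01T02:14:12Z fileserv sshd[4123]: Failed password for admin from 203.0.113.7 port 51026 ssh2
2025-06-01T02:14:20Z fileserv sshd[4124]: Failed password for admin from 203.0.113.7 port 51027 ssh2
2025-06-01T02:14:40Z fileserv sshd[4131]: Accepted password for admin from 203.0.113.7 port 51031 ssh2
2025-06-01T08:30:11Z fileserv sshd[5000]: Failed password for jdoe from 192.0.2.10 port 40000 ssh2
2025-06-01T09:30:11Z fileserv sshd[5001]: Accepted password for jdoe from 192.0.2.10 port 40001 ssh2
"""

# Constructed egress records: timestamp, internal host, destination, bytes out.
PROXY_LOG = """\
2025-06-01T03:02:10Z fileserv temp.sh 1843200000
2025-06-01T03:05:44Z fileserv temp.sh 2097152000
2025-06-01T10:12:00Z hr-ws01 updates.example.org 1200
2025-06-01T10:15:00Z fileserv 198.51.100.9 734003200
"""

AUTH_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)
BURNER_HOSTS = {"temp.sh"}  # assumption: extend with other burner sharing hosts you care about


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def password_guessing(auth_text, threshold=5, window=timedelta(minutes=10)):
    """Flag source IPs with >= `threshold` failed logins inside `window`.

    For each flagged IP, record whether an Accepted login from the same IP
    followed the burst: that is the "guessed the password" case, which matters
    far more than a burst of failures that never succeeds.
    """
    events = defaultdict(list)
    for line in auth_text.splitlines():
        m = AUTH_RE.match(line)
        if m:
            events[m["ip"]].append((parse_ts(m["ts"]), m["result"], m["user"]))

    findings = {}
    for ip, evs in events.items():
        evs.sort()
        fails = [t for t, r, _ in evs if r == "Failed"]
        burst_end = None
        for i in range(len(fails) - threshold + 1):  # sliding window over failures
            if fails[i + threshold - 1] - fails[i] <= window:
                burst_end = fails[i + threshold - 1]
                break
        if burst_end is None:
            continue
        success_after = any(r == "Accepted" and t >= burst_end for t, r, _ in evs)
        findings[ip] = {
            "failures": len(fails),
            "users": sorted({u for _, _, u in evs}),
            "success_after_burst": success_after,
        }
    return findings


def egress_findings(proxy_text, byte_threshold=500_000_000):
    """Flag uploads to burner sharing hosts and hosts whose total bytes out
    over the log exceed `byte_threshold` (assumed per-day baseline)."""
    burner, totals = [], defaultdict(int)
    for line in proxy_text.splitlines():
        ts, src, dst, nbytes = line.split()
        totals[src] += int(nbytes)
        if dst in BURNER_HOSTS:
            burner.append((ts, src, dst, int(nbytes)))
    large = {h: n for h, n in totals.items() if n > byte_threshold}
    return {"burner_uploads": burner, "large_egress": large}


if __name__ == "__main__":
    for ip, f in password_guessing(AUTH_LOG).items():
        print(f"password guessing from {ip}: {f}")
    print(egress_findings(PROXY_LOG))
```

On the constructed input, 203.0.113.7 is flagged with six failures and a success after the burst, 192.0.2.10 (one failure, then a login an hour later) is not, and fileserv is flagged both for two temp.sh uploads and for roughly 4.7 GB of total egress. In production the same logic belongs in your log pipeline with the thresholds set from a baseline of normal traffic, and a successful login after a burst should page someone rather than sit in a report.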

Having a public statement plan ready before an incident occurs is crucial. And any promise to delete stolen data should be treated as worth exactly nothing.

As ransomware evolves into pure data-theft extortion, the risks for public entities remain high. The Union County case shows that even a small government with limited resources can face a seven-figure ransom demand—and that paying it offers no guarantee the data is truly gone.

Based on reporting from thehackernews.com
