threat-wire

Ohio County Paid $1 Million to a Gang That Never Encrypted Anything

A small Ohio county government paid roughly $1 million in bitcoin to a group calling itself Kairos, even though the attackers never locked a single file. A new case study, built from a leaked negotiation chat and the bitcoin trail the payment left, shows how a month-long negotiation moved from a $3 million opening demand down to seven figures. The case is a reminder that "ransomware" increasingly means stolen data held hostage, not scrambled files.

By SecureBusinessHub Editorial, International cybersecurity desk — · 6 min read

A small county government in Ohio paid roughly $1 million in bitcoin to keep stolen files from being published, and the group that took the money never encrypted a single machine.

What happened

The case comes from a new study by researcher Rakesh Krishnan for Ransom-ISAC, built on a leaked negotiation chat and the blockchain trail the payment left. Krishnan doesn't name the victim outright, but the chat points to Union County, Ohio. In May 2025, Union County said it had detected ransomware on its network and later notified 45,487 residents and staff that their data had been taken, in a county of roughly 70,000 people. The stolen records ranged from Social Security and financial details to fingerprints and passport numbers. Neither the county nor the group calling itself Kairos has confirmed the connection.

The group's name suggests a typical ransomware gang, but Krishnan found no encryptor, no locker, and no demand for a decryption key. The approach was simpler: steal the files, then charge the victim not to publish them, with extra pressure aimed at a folder marked "prosecutors office."

How the negotiation played out

  • Kairos opened at $3 million, claiming to hold more than 2 terabytes of data across roughly 1.6 million files
  • The county's first counteroffer was $100,000, later raised to $255,000, then $430,000
  • Kairos dropped to $2 million, then set a final number: $1 million, pay by Friday, or the files go public
  • The county paid on June 13, 2025: about 9.44 bitcoin, ten times its opening offer
  • Investigators traced the payment through a chain of wallets toward deposit addresses tied to the exchanges Bybit, OKX, and a Russian service called BELQI

Kairos sent a "proof of deletion" file afterward, but a list of file names only shows the attacker once had the files, not that the originals were wiped. A dark leak site going quiet isn't the same as a dead crew, either: a wallet tied to the operation was still moving money as recently as May 2026.

What this means for your business

  • Check whether your incident response plan and cyber insurance policy cover pure data-theft extortion, not just the "files got encrypted" scenario most plans are written for
  • Turn on multi-factor authentication everywhere remote access is possible; Kairos claimed it got in by simply guessing a password
  • Set alerts for repeated failed logins and unusually large outbound data transfers
  • Watch for burner file-sharing links, the kind of temporary upload service Kairos used to move stolen files, reaching out from your network
  • Keep legal, HR, and customer records on a separate network segment from everything else, so one compromised account can't reach all of it at once

A shift the label hasn't caught up with

Sophos reported that only about half of ransomware attacks in 2025 still involved any encryption at all, the lowest rate in six years. Some crews have dropped encryption entirely: Silent Ransom Group, a Conti offshoot, has spent years running pure data-theft extortion against U.S. law and finance firms with no encryptor in sight. Everyone still calls it ransomware. Increasingly, the lock is optional and the pressure comes from the data itself.

A hacker's promise to delete your data is worth nothing once you've already paid.