"You are wasting our time with such offers." That rebuke, written by the extortion group Kairos during negotiations, punctuated a month-long exchange that ended with an unnamed U.S. county wiring $1,000,000 to the criminals — even though the county never received independently verifiable proof that the attackers had deleted the data they claimed to have taken.
Negotiation timeline between Kairos and the county
According to a case study by threat-intel researcher Rakesh Krishnan published on Ransom-ISAC, the incident unfolded in May and June 2025. Kairos listed the government entity on its data-leak site and initially demanded $3,000,000. County officials reviewed a file list in late May and made a first counteroffer of $100,000 on June 4, 2025. Kairos rejected that offer with the quoted line above, then pushed the county with a two-day ultimatum.
The county returned on June 6 with an increased offer of $255,000. Kairos reduced its demand to $2,000,000. On June 9 the county proposed paying $430,000, and the parties that same day settled on a $1,000,000 payment. Kairos provided a Bitcoin payment address; Krishnan’s report includes payment-tracing evidence on the blockchain as part of the research artifacts.
Claims by Kairos: 2 TB, 1.6 million files, and a promised "proof of deletion"
Kairos told the county it had stolen more than 2 terabytes of data — described in the report as approximately 1.6 million files — and threatened publication unless the payment was made. The extortionists offered a sample review: "We will give you the full list of files we have and give you some time to study it," they wrote, adding that the victim could choose up to ten files for inspection.
In return for $1,000,000 the county asked Kairos for three deliverables: proof of deletion, a complete list of files taken, and an explanation of how the intruders gained access. Kairos claimed to have gained initial access by bruteforcing their way into the network, supplied a RAR archive they said provided "proof of deletion of all downloaded files," and promised "we will not share the downloaded data with third parties" and "we will not attack you again."
Krishnan cautions that the transcript "does not show a technical mechanism by which deletion could be independently verified," leaving the county dependent on the attackers' promise — a point that undercuts the practical value of the deliverables the county sought.
Federal guidance, legal constraints, and the blurred choices for local governments
The report notes there is no federal prohibition on ransom payments, but it also records the federal position: both the FBI and the U.S. Cybersecurity and Infrastructure Security Agency urge victims not to pay criminals. The FBI is quoted directly: "Paying a ransom doesn’t guarantee you or your organization will get any data back." The agency also warns that payments encourage further criminal targeting.
At the state level, the case study points out that North Carolina and Florida prohibit public agencies from making extortion payments, and other states have proposed similar laws. The Register's coverage includes commentary from an industry voice, Sezaneh Seymour of Coalition, who told the outlet that a blanket payment ban would not address "widespread digital insecurity" — but Krishnan's work focuses on the specifics of this negotiation rather than policy debate.
What this means for Union County, other counties, and local governments
- Union County, Ohio: The report highlights a possible link. One of the alleged stolen files bore the name "Media Release - Motorcycle Crash Claims the Life of Dublin Resident 9-10-2020.pdf," and the presence of a Dublin within the county boundary is noted. Union County disclosed a May 2025 incident last fall stating networks were accessed from May 6 through May 18, 2025 and that protected personal information — including Social Security numbers, driver’s license numbers, financial account information, dates of birth, fingerprint and medical information, payment card information, and passport numbers — had been acquired. Union County’s disclosure did not mention any $1,000,000 payment or name an attacker; The Register reached out to county officials and law enforcement for clarification, and the FBI declined to comment.
- Other U.S. counties and local governments: The case study illustrates a stark trade-off many small jurisdictions face — limited budgets versus potentially catastrophic data exposure. In this incident the county raised its offers incrementally from $100,000 to $430,000 before agreeing to $1,000,000, citing "a small county with very limited resources" in the negotiations.
Two details sharpen the practical risk: first, the attackers did not claim to have encrypted systems and did not offer a decryptor; there is no indication researchers have obtained any Kairos-linked ransomware sample or encryptor. Second, because independent verification of deletion was not demonstrated, the county remains exposed to the possibility the files could be resold or re‑published on dark web forums, and the same or another threat actor could make fresh extortion demands.
The episode — reconstructed from a leaked negotiation transcript, attacker-provided artifacts and screenshots, and blockchain evidence — ends on a clear, uncomfortable note: the county bought a contractual promise from criminals, not a verifiable cure. Whether that promise holds, and whether similar choices will repeat across underfunded local governments, remains an open and costly question.




