"Kairos set a hard final number: $1 million, pay by Friday, or the files go public." — Rakesh Krishnan, Ransom-ISAC case study
The negotiation: Kairos, the price, and the payment
A month-long negotiation reconstructed by Rakesh Krishnan for Ransom-ISAC shows a familiar arc: an opening demand of $3 million from a group calling itself Kairos, followed by back-and-forth offers that ended with a roughly $1 million payment on June 13, 2025. According to the leaked negotiation chat and the blockchain trail Krishnan mapped, Kairos initially claimed to be holding more than 2 terabytes of data — about 1.6 million files — and used countdowns, tight deadlines and staged threats to press the victim.
The negotiation timeline in the case study records the victim’s initial offer at $100,000, incremental increases to $255,000 and $430,000, and Kairos’ step-down from $3 million to $2 million before imposing the hard $1 million deadline. The payment was roughly 9.44 bitcoin, worth about $1 million at the time, and according to Krishnan the victim paid on June 13, 2025.
Blockchain traces: where the money went
Krishnan traced the bitcoin payment through a chain of wallets. Within hours the funds were split in two and pushed toward deposit addresses tied to the crypto exchanges Bybit and OKX and to a Russian service called BELQI. The analysis shows how blockchain tracing gives investigative leads — exchange-associated deposit addresses — but not the human identities behind them.
That tracing also shows the limits of paying: Kairos provided a “proof of deletion” file after the transfer, but the file list only demonstrated the attackers once possessed the items, not that originals had been wiped. The case study emphasizes that a receipt written by the thief is not the same as verifiable, forensic deletion.
The likely victim: clues pointing to Union County, Ohio
Krishnan does not name the victim, but the leaked proof-of-theft files carry labeled names—Union.xlsx, 1 union co psi template.doc and a final archive union.rar—that point to Union County, Ohio. The chat quotes the victim describing itself as a small county with limited resources and shows the attacker spotlighting a folder marked “prosecutors office,” warning that leaking it would help criminals dodge charges.
The clues match a public incident: in May 2025 Union County, Ohio said it had detected ransomware on its network and later notified 45,487 residents and staff that their data had been taken. That notification said stolen records included Social Security and financial details, fingerprints and passport numbers and affected most of a county with a population of roughly 70,000. Neither the county nor Kairos has confirmed the connection, and The Hacker News has contacted the Union County Commissioners’ Office for comment.
Technique: data-theft extortion, not traditional encryption
Krishnan’s case study highlights a substantive shift: Kairos appears never to have encrypted a single machine. There is no encryptor, no locker, no demand for a decryption key in the leaked materials. Instead the threat model was simple — steal files and charge the victim not to publish them. Union County described its incident as ransomware, a label that is still widely applied, but the Kairos example shows how the term now also covers operations built solely on data-theft extortion.
Sophos reported in 2025 that only about half of ransomware attacks still involve any encryption — the lowest rate in six years — and some groups have dropped encryption entirely. The case study places Kairos in that pattern; it also notes that Kairos moved stolen files through burner file-sharing links such as temp.sh addresses and claimed to have gained entry simply by guessing a password.
What this means for small governments, security teams, and residents
- Small governments: The case underscores a harsh reality for resource-constrained local agencies — a quiet, undisclosed payment of about $1 million may have happened after an incident that was publicly called “ransomware.” Counties should assume any promise to delete stolen data is worth nothing and plan communications and legal responses before a crisis.
- Security teams and IT: The case study reinforces basic controls: enable multi-factor authentication (Kairos claimed a guessed password granted access), monitor for repeated failed logins and large outbound transfers, isolate legal and HR records, and watch for burner file-sharing links like temp.sh.
- Residents and affected people: The public notice from Union County in May 2025 — which listed Social Security numbers, financial details, fingerprints and passport numbers among stolen items — is a reminder that data-theft extortion can expose highly sensitive personal information even when systems are not encrypted.
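Two of the controls listed above, watching for repeated failed logins that end in a success and for large or burner-host outbound transfers, as an added detection example that is not part of the case study or the article. The log formats, thresholds and sample lines are constructed assumptions; only temp.sh comes from the case study.

```python
import re
from collections import Counter

# Constructed sample logs (not from the case study). Assumed formats:
# "<ts> auth user=<u> src=<ip> result=OK|FAIL" and "<ts> proxy src=<ip> dst=<host> bytes_out=<n>".
AUTH_LOGS = [
    "2025-05-02T01:14:05Z auth user=clerk1 src=203.0.113.7 result=FAIL",
    "2025-05-02T01:14:09Z auth user=clerk1 src=203.0.113.7 result=FAIL",
    "2025-05-02T01:14:12Z auth user=clerk1 src=203.0.113.7 result=FAIL",
    "2025-05-02T01:14:25Z auth user=clerk1 src=203.0.113.7 result=OK",
    "2025-05-02T08:01:00Z auth user=hr2 src=10.0.5.40 result=FAIL",
    "2025-05-02T08:01:30Z auth user=hr2 src=10.0.5.40 result=OK",
]
EGRESS_LOGS = [
    "2025-05-02T02:10:44Z proxy src=10.0.5.23 dst=temp.sh bytes_out=734003200",
    "2025-05-02T02:11:02Z proxy src=10.0.5.23 dst=update.example.com bytes_out=18231",
    "2025-05-02T02:40:10Z proxy src=10.0.5.31 dst=backup.example.net bytes_out=2147483648",
]
AUTH_RE = re.compile(r"user=(\S+) src=(\S+) result=(OK|FAIL)")
EGRESS_RE = re.compile(r"src=(\S+) dst=(\S+) bytes_out=(\d+)")
# Ephemeral file-hosting domains to watch; temp.sh is the one named in the case study.
BURNER_DOMAINS = {"temp.sh"}

def failed_login_bursts(lines, threshold=3):
    """Map src -> (fail count, success seen after reaching threshold) for sources at/above threshold."""
    fails, success_after = Counter(), set()
    for line in lines:
        m = AUTH_RE.search(line)
        if not m:
            continue
        _, src, result = m.groups()
        if result == "FAIL":
            fails[src] += 1
        elif fails[src] >= threshold:
            success_after.add(src)  # guessing that eventually worked: highest priority
    return {s: (n, s in success_after) for s, n in fails.items() if n >= threshold}

def suspicious_egress(lines, burner_domains=BURNER_DOMAINS, byte_threshold=500 * 1024 * 1024):
    """Return (src, dst, bytes, reasons) for transfers to burner hosts or above byte_threshold."""
    hits = []
    for line in lines:
        m = EGRESS_RE.search(line)
        if not m:
            continue
        src, dst, nbytes = m.group(1), m.group(2), int(m.group(3))
        reasons = [r for r, hit in (("burner-host", dst in burner_domains),
                                    ("large-transfer", nbytes >= byte_threshold)) if hit]
        if reasons:
            hits.append((src, dst, nbytes, reasons))
    return hits
```

A burst of failures followed by a success from the same source is the pattern a guessed password leaves behind, so it is ranked above bursts that never succeed.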
The Kairos story, as Krishnan reconstructs it, is blunt: attackers can extract value without the theatrics of encryption, and blockchain trails can point investigators to exchanges but not to certainty. A dark leak site may go quiet — the Kairos leak site is down and its last known victim showed up in June 2026 — but funds and opportunity continue to move. For small governments and those whose information they hold, the transaction recorded in this case study is both a warning and a partial blueprint of a threat that no longer fits older definitions of “ransomware.”
Read the original Ransom-ISAC case study coverage at The Hacker News: https://thehackernews.com/2026/07/us-government-entity-paid-kairos-group.html