Full Report
Leaked negotiations spill the tea
Analysis Summary
# Incident Report: Extortion of US Local Government by Kairos Group
## Executive Summary
An unnamed US county (implied to be Union County, Ohio) fell victim to a massive data extortion attack by a cybercriminal group known as "Kairos." The attackers exfiltrated approximately 2 TB of sensitive data and successfully coerced the county into paying a $1 million ransom in Bitcoin. Despite the payment, the county received no technical verification that the stolen data was actually deleted, leaving a residual risk of future leaks or secondary extortion.
## Incident Details
- **Discovery Date:** May 2025
- **Incident Date:** May 6, 2025 – May 18, 2025
- **Affected Organization:** Unnamed US County (Strongly suspected to be Union County, Ohio)
- **Sector:** Government / Public Sector
- **Geography:** USA (Ohio)
## Timeline of Events
### Initial Access
- **Date/Time:** May 6, 2025
- **Vector:** Brute-force attack
- **Details:** The threat actors claimed to have gained entry by brute-forcing credentials to gain a foothold in the county network.
### Lateral Movement
- **Details:** The attackers maintained access for 12 days (May 6–18), during which they navigated the network to identify and aggregate sensitive files.
### Data Exfiltration/Impact
- **Details:** Approximately 2 TB of data (1.6 million files) was exfiltrated. Stolen information included SSNs, driver’s licenses, financial accounts, fingerprints, medical info, and passport numbers. No encryption (ransomware) was used; the attack was pure extortion.
### Detection & Response
- **Discovery:** Detection occurred around mid-to-late May 2025.
- **Response Actions:** The county engaged a ransomware negotiator and entered into a weeks-long negotiation process via a "name-and-shame" portal. A payment of $1 million was transferred on or about June 9, 2025.
## Attack Methodology
- **Initial Access:** Brute-force (Credential stuffing or password spraying).
- **Persistence:** Not explicitly detailed, but maintained access for 12 days.
- **Privilege Escalation:** Not disclosed.
- **Defense Evasion:** Not disclosed.
- **Credential Access:** Brute-forcing.
- **Discovery:** System and file enumeration to identify high-value PII/PHI.
- **Lateral Movement:** Not disclosed.
- **Collection:** Aggregated 1.6 million files totaling 2 TB.
- **Exfiltration:** Standard outbound data transfer to attacker-controlled infrastructure.
- **Impact:** Data Breach and Financial Extortion ($1M loss).
## Impact Assessment
- **Financial:** $1,000,000 ransom paid in Bitcoin; additional costs for forensics and notification.
- **Data Breach:** High volume (2 TB). Sensitive PII (SSNs, fingerprints, medical records) for residents and employees.
- **Operational:** Limited disruption to services as systems were not encrypted, but significant administrative burden for incident response.
- **Reputational:** High. Leaked negotiation transcripts revealed the county's initial claims of "limited resources" before paying a million-dollar sum.
## Indicators of Compromise
- **Network indicators:** [No specific IPs defanged in source, but attackers used a portal for negotiations]
- **File indicators:** `Media Release - Motorcycle Crash Claims the Life of Dublin Resident 9-10-2020.pdf` (used as proof of life).
- **Behavioral indicators:** Large outbound data transfers (2 TB) over a 12-day window; failed login spikes prior to May 6.
## Response Actions
- **Containment:** Closed the entry point used for brute-forcing.
- **Eradication:** Negotiations with Kairos to prevent data release.
- **Recovery:** Public disclosure of the breach in September 2025; credit monitoring services likely offered to affected individuals.
## Lessons Learned
- **The "Proof of Deletion" Fallacy:** Paying a ransom for data deletion is a "gentleman's agreement" with criminals. There is no technical way to verify the attacker hasn't kept copies.
- **Negotiation Leaks:** Communications between victims and attackers are often logged and can be leaked by the criminals or researchers, leading to public embarrassment.
- **Detection Gap:** The attackers were in the network for nearly two weeks without being detected, allowing for massive data exfiltration.
## Recommendations
- **Multi-Factor Authentication (MFA):** Mandatory implementation on all remote access points to prevent brute-force success.
- **Account Lockout Policies:** Implement strict lockout durations after repeated failed login attempts.
- **Data Loss Prevention (DLP):** Set alerts for unusually large outbound data transfers to cloud storage or unknown IPs.
- **Log Monitoring:** Centralized logging to detect password spraying and brute-force patterns in real-time.