Full Report
A U.S. government entity paid about $1 million to keep stolen files from being leaked, according to a new case study by Rakesh Krishnan for Ransom-ISAC, built on a leaked negotiation chat and the blockchain trail the payment left. The odd part: the group that took the money calls itself Kairos, but it may not be a ransomware gang at all. Krishnan found no sign that it ever locked a single
Analysis Summary
# Incident Report: Kairos Data-Theft Extortion of U.S. Government Entity
## Executive Summary
A U.S. government entity (linked to Union County, Ohio) was targeted by a threat group known as Kairos in a pure data-extortion attack. Although the victim characterized it as "ransomware," no encryption occurred; instead, attackers exfiltrated approximately 2 TB of sensitive data and demanded payment to prevent its release. The victim ultimately paid approximately $1 million (9.44 BTC) in June 2025 following a month of negotiations.
## Incident Details
- **Discovery Date:** May 2025
- **Incident Date:** May 2025 – June 2025
- **Affected Organization:** Union County, Ohio (Inferred from leaked data/details)
- **Sector:** Government (Local/County)
- **Geography:** Ohio, USA
## Timeline of Events
### Initial Access
- **Date/Time:** May 2025
- **Vector:** Not explicitly detailed, but the group typically exploits lack of Multi-Factor Authentication (MFA).
- **Details:** The group gained access to the county network and began identifying high-value data.
### Lateral Movement
- **Details:** The attackers navigated the network to access sensitive departments, specifically targeting the "prosecutors office" and files containing PII of residents and staff.
### Data Exfiltration/Impact
- **Details:** Exfiltration of 2 terabytes of data (approx. 1.6 million files). Stolen data included Social Security numbers, financial details, fingerprints, and passport numbers belonging to 45,487 individuals.
### Detection & Response
- **Discovery:** The county detected "ransomware" activity on its network in May 2025.
- **Response Actions:** Entered into a month-long negotiation with Kairos; initially offered $100,000; eventually agreed to a $1 million payment on June 13, 2025.
## Attack Methodology
- **Initial Access:** Often involves compromised credentials (likely due to lack of MFA).
- **Persistence:** Not specified.
- **Privilege Escalation:** Targeted high-privilege administrative and legal folders.
- **Defense Evasion:** Used pure extortion (no encryption), which can bypass some traditional ransomware detection tools that look for file-system-wide encryption activity.
- **Credential Access:** Likely used to move laterally.
- **Discovery:** Scanned for sensitive folder names such as "prosecutors office" and archive files (union.rar).
- **Lateral Movement:** Infiltrated various county departments.
- **Collection:** Aggregated 2TB of PII and legal documents.
- **Exfiltration:** Exfiltrated data to attacker-controlled infrastructure before making demands.
- **Impact:** Financial loss ($1M) and massive PII breach; no operational downtime from locking, but high legal and reputational risk.
## Impact Assessment
- **Financial:** $1 million ransom paid in Bitcoin (9.44 BTC).
- **Data Breach:** Social Security numbers, fingerprints, and passport numbers for 45,487 people.
- **Operational:** Minimal disruption to system availability, but significant burden on legal and notification workflows.
- **Reputational:** Public disclosure of the breach led to notification of nearly 65% of the county's population.
## Indicators of Compromise
- **File indicators:** `Union.xlsx`, `union co psi template.doc`, `union.rar`
- **Behavioral indicators:** Large outbound data transfers (2TB) to unknown external IPs; negotiation conducted via leaked chat platforms.
- **Crypto Addresses:** Kairos-linked wallet received 9.44 BTC on June 13, 2025.
## Response Actions
- **Containment measures:** Forensic investigation initiated after detection in May 2025.
- **Eradication steps:** Not disclosed, but presumably involved credential resets and closing access gaps.
- **Recovery actions:** Notified 45,487 residents and staff; monitored blockchain for movement of funds.
## Lessons Learned
- **Encryption is no longer the primary threat:** Modern "ransomware" groups frequently skip encryption entirely to focus on data theft, making traditional "backup-only" recovery strategies insufficient.
- **Payment does not guarantee deletion:** The "proof of deletion" provided by Kairos was a list of filenames, which does not prove the attackers do not retain copies of the data.
- **Small Government Vulnerability:** High-value legal data (prosecutors' files) provides significant leverage for extortion even in small jurisdictions.
## Recommendations
- **Enforce MFA:** Implement Multi-Factor Authentication across all external-facing and internal administrative accounts.
- **Data Egress Monitoring:** Implement alerts for large-volume data transfers to unexpected destinations.
- **Least Privilege:** Segment sensitive departments (e.g., Prosecutor's Office) from the general county network.
- **Encryption at Rest:** Ensure sensitive PII is encrypted at rest to limit the utility of stolen files.