Back to Home

An unnamed US county – perhaps in Ohio – paid $1M extortion demand to cybercriminals

Leaked negotiations spill the tea

t
tech4you AI
July 10, 20265 min read
Share

A US county reportedly paid $1 million to Kairos, an extortion gang that claimed to have stolen more than 2 TB of data, but the county never received independently verifiable proof that the stolen files had been deleted - just the criminals' promise.

This means the county’s stolen files may turn up for sale on a dark web forum, and the same (or another) crime crew could again demand an extortion payment to not leak the data.

It’s also a reminder that, despite the feds urging victims not to pay cybercriminals, sometimes coughing up the ransom demand seems to be the lesser of evils.

The alleged incident played out in May and June 2025, according to a case study by threat-intel researcher Rakesh Krishnan on Ransom-ISAC, a global knowledge-sharing platform for defenders and incident responders. 

Krishnan based his report on a leaked transcript of the negotiations between the county and Kairos, along with attacker-provided artifacts and screenshots, and payment-tracing evidence on the blockchain.

It doesn’t name the ransomware negotiator, citing privacy concerns, nor does it identify the victim, describing it as a US government entity.

Communications between the attackers and the public agency, however, suggest it’s a US county, including this one following the attackers’ initial $3 million demand: 

“We have reviewed the situation with our leadership and financial teams. As a small county with very limited resources, we simply do not have the ability to meet the amount you have proposed. That said, we understand the seriousness of the matter and want to work toward a resolution. The most we have been able to identify at this time is $100,000. We respectfully ask that you consider this offer.”

Additionally, one of the allegedly stolen documents, "Media Release - Motorcycle Crash Claims the Life of Dublin Resident 9-10-2020.pdf," indicates that there’s a city of Dublin inside the county’s boundaries.

It’s worth noting that the city of Dublin, Ohio, spans four counties in that state: Union, Franklin, Delaware, and Madison. And last fall, Union County, Ohio disclosed a May 2025 “ransomware attack that involved unauthorized access to and acquisition of protected personal information held by the County.”

According to the cyber-incident notice, the intruders accessed Union County networks from May 6, 2025 through May 18, 2025 and stole data including people’s names, Social Security numbers, driver’s license/state identification card numbers, financial account information, dates of birth, fingerprint information, medical information, payment card information, and passport numbers.

The disclosure doesn’t say anything about paying a $1 million ransom, nor does it name the attacker.

The Register reached out to county officials and law enforcement and asked if Union County is the government entity described in the Ransom-ISAC report. We will update this story if we receive any response.

The FBI declined to comment.

We should also note that there’s no indication this was a ransomware attack, as the attackers didn’t claim to encrypt any data or provide a decryptor in exchange for payment. Plus, as Krishnan says, security researchers have not obtained, or linked to Kairos, any ransomware sample, encryptor, or locker binary.

What we do know, based on the transcript and Kairos’ data-leak site, is that the miscreants claimed to steal more than 2TB of data, totaling about 1.6 million files.

'You are wasting our time with such offers'

After listing the victim county on their name-and-shame blog, Kairos demanded $3 million. “We will give you the full list of files we have and give you some time to study it,” the crims told the victim. “You can choose up to 10 files from this list and we will send them to you. In order to prevent the publication of data you need to pay 3000000$.”

According to the transcript, county officials reviewed the files during the last week of May 2025, and made the first counteroffer of $100,000 on June 4, 2025.

Kairos responded: “You are wasting our time with such offers.We cant accept it.Your files will be a great advertisement on our site and we understand what terrible consequences will await you. You cant hide the data leak.You have two more days to make us a favorable offer.”

Two days later, the county increased its offer to $255,000. Kairos reduced its demand to $2 million, and on June 9, 2025, the county proposed paying $430,000.

“As a small county and limited resources, we are doing our best to navigate this within what is financially feasible for us,” the leaked negotiations say. “That said, we are committed to finding a resolution and have taken steps internally to increase our offer to $430,000. This reflects a sincere attempt to make progress despite our constraints. We ask that you consider this proposal as part of a continued effort to resolve the matter in a constructive and timely manner.”

That same day, both parties settled on $1 million, Kairos provided a Bitcoin payment wallet and the county requested a few deliverables in exchange for the payment: “Please confirm for $1,000,000 you will provide us with: proof of deletion, a complete list of all files taken, and tell us how you got in.”

Kairos claimed to have gained initial access by bruteforcing their way into the network, shared an RAR file that they claimed provided “proof of deletion of all downloaded files,” and a promise: “We also guarantee that we will not share the downloaded data with third parties, and we also guarantee that we will not attack you again.”

However, as Krishnan notes, “the transcript does not show a technical mechanism by which deletion could be independently verified, which remains a fundamental limitation in ransom-payment scenarios.”

To pay, or not to pay?

It’s also one of the reasons why both the FBI and US Cybersecurity and Infrastructure Agency urge victims not to pay criminals. 

“Paying a ransom doesn’t guarantee you or your organization will get any data back,” according to the FBI. “It also encourages perpetrators to target more victims and offers an incentive for others to get involved in this type of illegal activity.”

While there is no outright ransom-payment ban at the US federal government level, two states - North Carolina and Florida - explicitly prohibit public agencies from paying extortion demands, and others have proposed similar legislation.

The Register has discussed the topic of a ransomware-payment ban with many experts over the years, and while they mostly agree that the only way to eliminate attacks is to cut off the financial incentive for the criminals, they also typically say a total payment ban won’t work.

“Complex problems are rarely solved with binary solutions, and ransomware is no different,” Sezaneh Seymour, VP and head of regulatory risk and policy at Coalition, told us in an earlier interview. “A payment ban will backfire because it doesn't address the root cause of our national problem: widespread digital insecurity.” ®


Originally published on The Register

Related Articles