TL;DRA US government entity paid about $1m to the Kairos extortion group to keep stolen files private, according to a Ransom-ISAC case study based on a leaked negotiation chat and blockchain analysis. The clues point to Union County, Ohio, though neither party has confirmed it. The case illustrates how much of today’s “ransomware” involves no encryption at all.
A US government entity paid around $1m to stop stolen files from being published, according to a case study by researcher Rakesh Krishnan for Ransom-ISAC. The analysis draws on a leaked negotiation chat and the blockchain trail the payment left behind.
The group behind the deal calls itself Kairos, but it may not be a ransomware gang in any traditional sense. Krishnan reportedly found no encryptor, no locker, and no demand for a decryption key, just stolen files and a price for keeping them private.
The case study does not name the victim, but file names in the proof-of-theft samples, including an archive called union.rar, point to Union County, Ohio. Neither the county nor Kairos has confirmed the connection, and The Hacker News says it has contacted the county for comment.
The clues do line up with a real incident. In May 2025, Union County detected ransomware on its network and later notified 45,487 people that data including Social Security numbers, fingerprints, and passport details had been taken.






