Pure Data Theft Extortion Costs US Government Entity $1 Million Payout

A small US county paid a $1 million ransom in Bitcoin to prevent the leak of stolen data, marking a shift toward extortion attacks that skip encryption entirely.

CSBadmin
2 Min Read

The Negotiation and Payment

A US government entity paid approximately $1 million to a group known as Kairos to prevent the leak of stolen data. The payment, traced on the blockchain as 9.44 Bitcoin, concluded a month long negotiation that started with a $3 million demand. The victim entity, believed to be Union County, Ohio, based on file names like ‘union.rar’ and references to a ‘prosecutors office’, initially offered $100,000. After incremental increases to $255,000 and then $430,000, the county ultimately met Kairos’s final ultimatum of $1 million paid by a specific Friday deadline.

A New Extortion Model Without Encryption

Notably, the Kairos attack lacked the typical ransomware hallmark of encrypting files. Analysis by Rakesh Krishnan for Ransom-ISAC found no evidence of any locker or encryptor being deployed. Instead, the threat actors relied solely on data theft, threatening to publish sensitive files to extort payment. This approach aligns with a broader industry trend; Sophos reported in 2025 that only about half of ransomware incidents now involve any encryption, with some groups like Silent Ransom Group operating entirely without it. The research highlights the dangers of such data extortion schemes, emphasizing that paying does not guarantee data deletion, as the provided ‘proof of deletion’ only confirms the attacker once possessed the files.

Security Lessons for Small Networks

The case study reveals that Kairos likely gained initial access by guessing a simple password. This underscores the importance of basic cybersecurity measures, especially for resource constrained entities. Key recommendations for small governments and organizations include deploying multi factor authentication, monitoring for large outbound data transfers and unusual login attempts, and isolating sensitive records like HR and citizen data from the main network. The attacker also used temporary file sharing services to exfiltrate data, highlighting the need to monitor traffic to such platforms. Ultimately, any promise to delete stolen data should be treated with zero trust.

Source: The Hacker News

CSBadmin

The latest in cybersecurity news and updates.

Share This Article
Follow:
The latest in cybersecurity news and updates.