Union County Ohio Pays $1 Million Ransom to Kairos Group

Union County Ohio Pays $1 Million Ransom to Kairos Group

Rupert Marais is a seasoned expert in the cybersecurity landscape, specifically focusing on the intricacies of endpoint security and long-term network management strategies. With public sector entities increasingly finding themselves in the crosshairs of extortionists, Rupert offers a unique perspective on the operational and psychological pressures faced by local governments during a major breach. This conversation delves into the mechanics of a significant 2025 data theft, the tactical shifts in ransomware negotiations, and the unsettling reality of dealing with actors who hold nearly two terabytes of sensitive citizen information. We explore the timeline of a three-week standoff that saw a multimillion-dollar demand reduced through calculated delays and the eventual payment of one million dollars in cryptocurrency.

How does an organization navigate the high-stakes pressure of a $3 million ransom demand to eventually reach a $1 million settlement?

The negotiation process is an grueling game of digital poker where the organization is often just buying time to align its leadership, legal, and financial teams. In this specific May 2025 incident, the victim initially offered a much lower sum of $100,000, which they eventually bumped to $430,000 as the pressure mounted from the Kairos group. The extortionists maintained a firm grip on the situation by setting hard deadlines and providing artifacts as proof of access to keep the tension high. Ultimately, after three weeks of intense back-and-forth, the organization agreed to a $1 million payment, which was finalized in Bitcoin on June 13. It is a cold, calculated transaction where the victim has to weigh the massive $3 million asking price against the catastrophic damage of their data being leaked to the public.

What does the method of entry and the massive scale of data exfiltrated in this case tell us about the vulnerability of local government systems?

The fact that the attackers gained access through a brute-force attack suggests that basic entry points were not sufficiently hardened against automated intrusion attempts. Once inside the environment, the sheer volume of data stolen is staggering, totaling over 2 terabytes or approximately 1.6 million individual files. This wasn’t just a surface-level breach; it was a comprehensive scrape of a file server that targeted a small county with very limited resources. When you see numbers like that, it highlights how a single point of failure can lead to the exposure of a massive repository of sensitive departmental and citizen information. The scale of this exfiltration demonstrates that even if a county is small, its digital footprint and the associated risks are incredibly large.

In a scenario where no files were encrypted but the threat was purely based on data exposure, what are the primary risks for the victims?

This incident was a pure extortion attack, meaning the Kairos group focused entirely on the theft of information rather than locking down systems with file-encrypting ransomware. For the 45,487 individuals notified about the breach, the risks are deeply personal and long-lasting because the stolen data included Social Security numbers, fingerprints, and passport details. Unlike a credit card that can be cancelled, biometric data and driver’s license numbers are permanent identifiers that, if leaked, can fuel identity theft for decades. The threat of public dissemination creates a different kind of panic for a government body compared to a simple system outage. They are not just fighting to get their computers back online; they are fighting to protect the most private details of their constituents’ lives from being dumped on the dark web.

Can we ever truly trust the ‘proof of deletion’ provided by these extortion groups after a ransom has been paid?

Trust is a dangerous word in these situations, as there is no independent mechanism to verify that an extortion group has actually purged the stolen data. While the Kairos group provided listings that appeared consistent with the file-server scrape they performed, the “proof” they offered was selective rather than comprehensive. It is entirely possible for an attacker to generate a proof-of-deletion artifact simply by erasing one copy of the data while keeping another stored elsewhere for future leverage. In this case, there was no way for the county to be 100% certain that the 2 terabytes of data were truly gone. You are essentially paying a million dollars for a promise from a criminal organization that has already proven its willingness to use brute force to steal from you.

What is your forecast for the future of cyber extortion targeting small-scale public infrastructure?

I expect we will see a significant shift where “pure extortion” becomes the preferred method over traditional ransomware because it is quieter and places a more psychological burden on the victim. Small counties with limited resources will remain primary targets because they often manage high-value data, like the medical and financial records of tens of thousands of people, without the budget for elite security monitoring. The success of this $1 million Bitcoin payout will likely embolden other groups to refine their brute-force techniques specifically for local government portals. We are moving into an era where the threat is no longer about losing access to your files for a few days, but about the permanent loss of privacy for an entire community. Governments will have to choose between massive investments in defense or continuing to pay these seven-figure ransoms every time a server is scraped.

Subscribe to our weekly news digest.

Join now and become a part of our fast-growing community.

Invalid Email Address
Thanks for Subscribing!
We'll be sending you our best soon!
Something went wrong, please try again later