
A US government entity paid about $1m to the Kairos extortion team to keep stolen data private, according to a Ransom-ISAC case study based on a leaked negotiation chat and blockchain analysis. The clues point to Union County, Ohio, though neither party has confirmed it. The case illustrates how much of today's "ransomware" involves no encryption at all.
A US government entity paid around $1m to stop stolen data from being published, according to a case study by researcher Rakesh Krishnan for Ransom-ISAC. The analysis draws on a leaked negotiation chat and the blockchain trail the payment left behind.
The group behind the deal calls itself Kairos, but it may not be a ransomware gang in any traditional sense. Krishnan reportedly found no encryptor, no locker, and no demand for a decryption key, just stolen data and a price for keeping it private.
The case study does not name the victim, but file names in the proof-of-theft samples, including an archive called union.rar, point to Union County, Ohio. Neither the county nor Kairos has confirmed the connection, and The Hacker News says it has contacted the county for comment.
The clues do line up with a real incident. In May 2025, Union County detected ransomware on its network and later notified 45,487 people that data including Social Security numbers, fingerprints, and passport details had been taken.
If the identification holds, a county of roughly 70,000 residents made a $1m payment it never publicly disclosed. The attacker reportedly leaned hardest on a folder marked "prosecutors office", warning that a leak would help criminals evade charges.
The negotiation ran for about a month, according to the case study. Kairos opened at $3m and claimed to hold more than 2TB of data across some 1.6 million files.
The county reportedly countered at $100,000 and inched up to $430,000, while Kairos dropped to $2m before fixing a final $1m deadline. The victim paid on 13 June 2025, ten times its opening offer.
The payment of roughly 9.44 bitcoin matched about $1m at that week's market prices. Within hours it was reportedly split and routed through a chain of wallets towards deposits at Bybit, OKX, and BELQI, a Russian service that recalls earlier ransomware laundering through WEX and BTC-e.
Tracing of this kind gives investigators leads rather than identities. Criminal crews have spent years refining how they wash cryptocurrency through mules, mixers, and loosely regulated exchanges.
What the money bought is another question. Kairos handed over a "proof of deletion" file, but a list of file names only proves the attacker once held the data, and promises to delete stolen data have unravelled before.
Union County described the incident as ransomware, yet nothing in the Kairos case was ever encrypted. A growing share of what still carries that label now skips lockers entirely and uses the stolen data itself as the pressure point, a playbook that recent extortion-only breaches have aimed at the private sector too.
Sophos reported in 2025 that only around half of ransomware attacks involved encryption, down from 70% a year earlier and the lowest rate in six years. Silent Ransom Group, an offshoot of the Conti ecosystem, has spent years running encryption-free extortion against US law firms, drawing repeated FBI warnings.
The bargaining arc is familiar too. When Black Basta's internal chats leaked in February 2025, one deal moved from a $1.5m demand to a $100,000 counter and a $1m payment, almost the same curve.
Kairos itself has gone quiet, with its leak site offline and its last known victim posted in June 2026, per the case study. A linked wallet was reportedly still moving funds in May, so a dark leak site should not be read as a retired crew.
For small government networks, the takeaways are deliberately dull. Kairos claimed it got in by guessing a password, so multi-factor authentication and alerts on repeated failed logins would have raised the cost of entry considerably.
Defenders should also watch outbound transfers and throwaway file-sharing links, such as the temp.sh addresses the attacker used, and keep legal and citizen records segmented from the broader network. Above all, a thief's receipt for deleted data is worth exactly what it cost to make.
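As an added illustration of the two detection takeaways above (this is example code, not part of the case study or the article), the following Python sketch raises an alert when one source exceeds a burst of failed logins inside a sliding window, flags a success that follows such a burst, and flags uploads to a throwaway file-sharing host. The log lines, addresses, thresholds and the `sshd`/proxy formats are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample logs (not from the incident); hosts, IPs and times are made up.
AUTH_LOG = """\
2025-05-01T02:10:05 sshd: Failed password for admin from 203.0.113.9
2025-05-01T02:10:07 sshd: Failed password for admin from 203.0.113.9
2025-05-01T02:10:09 sshd: Failed password for root from 203.0.113.9
2025-05-01T02:10:12 sshd: Failed password for admin from 203.0.113.9
2025-05-01T02:10:40 sshd: Accepted password for admin from 203.0.113.9
2025-05-01T09:00:00 sshd: Failed password for jdoe from 198.51.100.4
"""
PROXY_LOG = """\
2025-05-01T02:30:01 src=10.0.5.22 dst=temp.sh method=PUT bytes=734003200
2025-05-01T02:31:10 src=10.0.5.22 dst=updates.example.org method=GET bytes=2048
"""
AUTH_RE = re.compile(r"^(\S+) sshd: (Failed|Accepted) password for (\S+) from (\S+)$")
PROXY_RE = re.compile(r"^(\S+) src=(\S+) dst=(\S+) method=(\S+) bytes=(\d+)$")

def failed_login_alerts(log, threshold=4, window=timedelta(minutes=1)):
    """Alert once per source that reaches `threshold` failures inside a sliding
    `window`, and again if that source later logs in successfully."""
    recent = defaultdict(deque)   # source IP -> timestamps of failures still in window
    burst, alerts = set(), []
    for line in log.splitlines():
        m = AUTH_RE.match(line)
        if not m:
            continue
        ts, outcome, src = datetime.fromisoformat(m.group(1)), m.group(2), m.group(4)
        if outcome == "Failed":
            q = recent[src]
            q.append(ts)
            while q and ts - q[0] > window:      # drop failures older than the window
                q.popleft()
            if len(q) >= threshold and src not in burst:
                burst.add(src)
                alerts.append(("password_guessing", src, ts))
        elif src in burst:                       # guessing followed by a success
            alerts.append(("success_after_burst", src, ts))
    return alerts

def outbound_transfer_alerts(log, throwaway=frozenset({"temp.sh"}), min_bytes=100_000_000):
    """Flag uploads to throwaway file-sharing hosts or unusually large outbound uploads."""
    alerts = []
    for line in log.splitlines():
        m = PROXY_RE.match(line)
        if not m:
            continue
        ts, src, dst, method, nbytes = m.groups()
        if dst in throwaway or (method in ("PUT", "POST") and int(nbytes) >= min_bytes):
            alerts.append(("exfil_candidate", src, dst, int(nbytes)))
    return alerts
```

In production the same logic belongs in the SIEM as a correlation rule keyed on source address, with the throwaway-host list maintained as a threat-intel feed rather than a literal.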
