A government entity in the US reportedly paid a $1 million ransom to the Kairos cyber extortion group to prevent the public dissemination of information stolen in a May 2025 intrusion, Ransom-ISAC reports.
A leaked negotiation transcript shows that the extortion group demanded $3 million in cryptocurrency from the victim organization, but eventually settled for $1 million.
Kairos claimed to have stolen over 2 terabytes of data, or approximately 1.6 million files, after accessing the victim’s environment in a brute-force attack.
During the three-week negotiation, the victim increased its offer from $100,000 to $430,000, but eventually accepted a hard deadline and the $1 million ransom, which was paid in Bitcoin on June 13.
The attackers pressured the victim with public exposure, while maintaining control of deadlines and proof-of-access artifacts.
“The affected entity’s responses are consistent with an organization buying time while legal, leadership, financial, and communications decisions were coordinated,” Ransom-ISAC notes.
The anti-ransomware organization notes that the incident was an extortion attack and did not involve file-encrypting ransomware. The attackers’ proof-of-deletion appears selective, not comprehensive, but the listings they provided are consistent with a real file-server scrape.
According to Ransom-ISAC, the provided proof of deletion could have been generated by erasing a copy of the data, and no mechanism to independently verify the deletion was provided.
Ransom-ISAC did not name the affected organization, but the negotiation transcript identifies it as “a small county with very limited resources.”
The affected government body reportedly appears to be Union County, Ohio. In September, the county notified (PDF) 45,487 individuals that their personal information was stolen in a ransomware attack in May 2025.
The affected information included names, dates of birth, driver’s license/state ID numbers, passport numbers, Social Security numbers, financial account details, fingerprint information, medical information, and payment card details.
SecurityWeek has emailed Union County for a statement on the matter and will update this article if the county responds.
Related: Aflac Japan Data Breach Impacts 4.38 Million
Related: Nissan Employee Data Breached in Oracle PeopleSoft Hack
Related: Insurance Regulators Group NAIC Hit in Oracle PeopleSoft Hack
Related: More Klue Breach Victims Identified as Hackers Get Hacked

