We rarely get to watch a ransom negotiation from the inside. This time we can. A U.S. government entity paid roughly $1 million to the extortion group Kairos to keep stolen files from being published — and thanks to a leaked negotiation chat and the blockchain trail the payment left behind, the whole transaction is now documented. The case study, produced by researcher Rakesh Krishnan for Ransom-ISAC, is a rare, granular look at how modern data extortion actually works: the haggling, the deadline, the wallet.
And notice what’s missing from the story: encryption. Kairos didn’t lock a single file. This is pure data-theft extortion — steal the data, then charge the victim not to publish it — and it’s a preview of where the whole “ransomware” category is heading.
The Negotiation, Blow by Blow
According to the leaked chat, Kairos opened by claiming it held more than 1.6 million files and 2 TB of data exfiltrated from the victim before it ever made contact. From there the negotiation followed the grim choreography of a hostage call:
- Kairos dropped its demand to $2 million and held there briefly.
- Then it issued a hard deadline: $1 million by Friday, or the files go public.
- The victim — a U.S. government entity — paid.
The blockchain confirms the roughly $1 million payment landed. It’s a clean illustration of the leverage asymmetry in these cases: the attacker has already taken everything it needs, incurs almost no cost to wait, and can manufacture urgency at will. The victim faces a certain, dated public exposure against an uncertain, unenforceable promise of deletion.
Who Is the Victim?
Neither party has confirmed the identity, but the clues in the case point to Union County, Ohio. That attribution is unconfirmed — treat it as the researcher’s assessment from artifacts in the leaked material, not an admission. What’s notable regardless is the target class: a local or regional government body, exactly the kind of under-resourced public entity that has become the extortion economy’s bread and butter. Counties and municipalities hold enormous quantities of citizen data, run on thin IT budgets, and face acute public-trust pressure to make a breach disappear.
Why “Ransomware” Increasingly Means No Ransomware
The Kairos case crystallizes a shift we’ve been tracking all year. The mental model most people carry — files encrypted, systems down, a decryption key for sale — is becoming the exception rather than the rule. Kairos, like a growing share of the ecosystem, skips encryption entirely and relies solely on the threat of exposure.
The logic is sound from the criminal’s side. Encryption is noisy, triggers incident response and EDR, can be recovered from with good backups, and increasingly draws law-enforcement attention. Data-theft extortion is quieter: exfiltrate, then negotiate in the shadows. Good backups don’t help — the data is already gone. The only question is whether it becomes public.
We saw the same dynamic in this week’s Medtronic breach, where ShinyHunters stole 9 million records and Medtronic quietly vanished from the leak site — no encryption, just a payment that (apparently) bought silence. Kairos is the government-sector version of the identical business model.
The Uncomfortable Math of Paying
The victim here bought a promise. Extortion groups face no enforcement mechanism to actually delete stolen data, and paying:
- Confirms the victim as a payer, marking it for repeat targeting.
- Funds the operation that will hit the next county.
- Guarantees nothing — the data can still be sold, leaked later, or used to re-extort.
Yet for a government entity staring at the public release of 2 TB of citizen files, the calculus that produces a $1 million payment is painfully legible. Which is exactly why guidance from CISA and the FBI keeps pointing upstream: the winnable fight is preventing exfiltration, not negotiating after it. Once the data is gone, every option is bad.
There’s also a public-accountability wrinkle unique to government victims. A taxpayer-funded entity paid criminals $1 million — a decision that, unlike a private company’s, carries questions of public disclosure, use of public funds, and whether citizens whose data was stolen will ever be told. The blockchain recorded the payment; the public record may not.
Defensive Takeaways
- Instrument for exfiltration, not just encryption. Data-loss prevention, egress monitoring, and alerting on large outbound transfers catch the attack at the stage that actually matters now. By the time files are encrypted — if they ever are — the extortion leverage already exists.
- Segment and minimize. The 1.6-million-file, 2-TB claim only works because that much data was reachable from one foothold. Least-privilege access and data minimization shrink the blast radius.
- Decide your ransom posture before the deadline. Governments especially should have policy, legal counsel, and disclosure obligations settled in advance — not improvised under a Friday deadline.
- Assume the negotiation may leak. As this case shows, the chat logs and payment trails surface. Plan communications and disclosure accordingly.
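The egress-monitoring point in the takeaways above, as an added example that is not code from the article or from Ransom-ISAC: a Python script that filters constructed flow records down to internal-to-external traffic, sums outbound bytes per internal host into fixed hourly windows and alerts when a window exceeds a threshold, and separately compares each host's total egress against a per-host daily baseline so that a slow, spread-out theft is also caught. The address ranges, thresholds, baselines and flow records are all constructed assumptions.

```python
"""Added example: hourly outbound-volume alerting over flow records.

Not the article's or Ransom-ISAC's code. Flow records, network ranges,
thresholds and baselines below are all constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed internal address space (RFC 1918); adjust to the real environment.
INTERNAL_NETS = [ip_network("10.0.0.0/8"),
                 ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]


@dataclass(frozen=True)
class Flow:
    ts: int         # epoch seconds when the flow started
    src: str        # source IP
    dst: str        # destination IP
    bytes_out: int  # bytes sent from src to dst


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def outbound_flows(flows):
    """Keep only internal -> external flows; east-west traffic is not egress."""
    return [f for f in flows if is_internal(f.src) and not is_internal(f.dst)]


def detect_large_egress(flows, threshold_bytes, window_seconds=3600):
    """Sum outbound bytes per (src, fixed window) and alert when a window
    exceeds threshold_bytes. Each alert names the destination that received
    the most data, which is the first thing an analyst wants when deciding
    whether the transfer is exfiltration."""
    totals = defaultdict(int)
    per_dst = defaultdict(lambda: defaultdict(int))
    for f in outbound_flows(flows):
        window = f.ts - (f.ts % window_seconds)
        totals[(f.src, window)] += f.bytes_out
        per_dst[(f.src, window)][f.dst] += f.bytes_out
    alerts = []
    for (src, window), total in sorted(totals.items()):
        if total > threshold_bytes:
            top_dst, top_bytes = max(per_dst[(src, window)].items(),
                                     key=lambda kv: kv[1])
            alerts.append({"src": src, "window_start": window, "bytes": total,
                           "top_dst": top_dst, "top_dst_bytes": top_bytes})
    return alerts


def detect_baseline_deviation(flows, baseline, factor=10):
    """Flag hosts whose total outbound volume exceeds factor x their usual
    daily egress. This catches a theft spread thinly over many hours that
    never trips the per-window threshold. Hosts absent from the baseline
    are skipped here; in production they deserve their own alert."""
    totals = defaultdict(int)
    for f in outbound_flows(flows):
        totals[f.src] += f.bytes_out
    return sorted(src for src, total in totals.items()
                  if src in baseline and total > factor * baseline[src])


BASE = 1_699_999_200  # constructed timestamp, on an hour boundary

SAMPLE_FLOWS = (
    # Workstation doing ordinary web traffic: 30 small flows, ~600 KB total.
    [Flow(BASE + i * 100, "10.0.5.20", "198.51.100.9", 20_000) for i in range(30)]
    # File server pushing ~1 GB to one external host within 20 minutes.
    + [Flow(BASE + i * 60, "10.0.5.40", "203.0.113.77", 50_000_000) for i in range(20)]
    # Same server, a little traffic to a second external host.
    + [Flow(BASE + 1500, "10.0.5.40", "198.51.100.9", 1_000_000),
       Flow(BASE + 1800, "10.0.5.40", "198.51.100.9", 1_000_000)]
    # Large internal backup copy: east-west, must not count as egress.
    + [Flow(BASE + 900, "10.0.5.40", "10.0.1.10", 5_000_000_000)]
    # Next hour: a smaller transfer, below the per-window threshold.
    + [Flow(BASE + 3600 + 10, "10.0.5.40", "203.0.113.77", 10_000_000)]
)

# Constructed "typical daily outbound bytes" per host.
SAMPLE_BASELINE = {"10.0.5.20": 5_000_000, "10.0.5.40": 20_000_000}

if __name__ == "__main__":
    for a in detect_large_egress(SAMPLE_FLOWS, threshold_bytes=500_000_000):
        print(f"ALERT {a['src']} sent {a['bytes']:,} bytes in the hour starting "
              f"{a['window_start']}; {a['top_dst_bytes']:,} of it to {a['top_dst']}")
    print("baseline deviation:", detect_baseline_deviation(SAMPLE_FLOWS, SAMPLE_BASELINE))
```

The two checks are deliberately independent: the window threshold catches a fast bulk pull, while the baseline comparison catches the same volume trickled out below the threshold. A real deployment would feed NetFlow, VPC flow logs or proxy logs into the same functions and tune the threshold and factor per host role, since a backup server and a clerk's workstation have very different normal egress.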
The Bottom Line
A million dollars of public money moved on-chain to buy the silence of a group that never encrypted a file. The Kairos case is a clean window into the extortion economy’s present tense: quiet data theft, manufactured deadlines, and victims — increasingly public institutions — choosing to pay for a promise no one can enforce. The blockchain remembers even when the parties would rather it didn’t.