Union County Ohio Disclosed No $1M Kairos Payment After Pure Data Theft
A U.S. county government paid $1 million in an unencrypted data-extortion case that received no public disclosure. The transaction reveals standardized negotiation patterns and widening gaps between official ransomware labeling and actual attacker tactics. Payment tracing and prior crew leaks indicate these economics will persist without policy changes on disclosure.
The payment followed a month-long negotiation captured in leaked chat logs traced by Ransom-ISAC researcher Rakesh Krishnan. Kairos demanded $3 million initially and settled at $1 million after the county's offers reached $430,000. On-chain records show the BTC split immediately toward Bybit, OKX and BELQI exchange addresses. No encryptor was deployed and no decryption key was ever offered, confirming a pure data-extortion model. The county publicly described the incident only as ransomware and notified 45,487 residents without mentioning the payment.
Sophos 2025 data shows encryption present in just over half of incidents, the lowest rate in six years. Silent Ransom Group and other Conti derivatives have run identical non-encrypting campaigns against U.S. legal and financial targets since 2022. Black Basta negotiation leaks from February 2025 exhibit the same demand arc from millions down to a final $1 million settlement, indicating standardized playbook economics rather than isolated behavior.
Local governments rarely disclose extortion payments because no federal breach-notification statute requires it once data is already exfiltrated. The absence of a decryption component removes any operational justification for secrecy, yet the payment still evaded public ledgers. Wallet activity linked to Kairos continued into May 2026 despite the leak site going offline, showing operational continuity independent of public infrastructure.
Procurement records for county cybersecurity retainers in Ohio show no line items for post-incident extortion response, suggesting future budgets will absorb similar costs as operational expenses rather than declared incidents.
Treasury FinCEN: Exchange KYC matches on the BELQI-linked addresses will surface within 90 days if volume exceeds 5 BTC.
Sources (3)
- [1] Ransom-ISAC Kairos Case Study (https://ransom-isac.org/reports/kairos-union-county)
- [2] Sophos State of Ransomware 2025 (https://www.sophos.com/en-us/content/state-of-ransomware)
- [3] Black Basta Chat Leak Analysis (https://www.advanced-intel.com/blog/black-basta-leaks-2025)