Leaked talks suggest unnamed US county paid $1 million to extortion gang

A leaked transcript and supporting artifacts suggest that an unidentified US county paid $1 million to an extortion group after criminals claimed to have taken more than 2 TB of data. The episode, des...

A leaked transcript and supporting artifacts suggest that an unidentified US county paid $1 million to an extortion group after criminals claimed to have taken more than 2 TB of data. The episode, described in a threat-intelligence case study, raises familiar questions about whether ransom payments actually reduce risk or simply buy an unverified promise.

According to the report, the group behind the operation, calling itself Kairos, first demanded $3 million. Negotiations then played out over several weeks, with county officials saying they could not meet the initial figure and countering with offers that rose from $100,000 to $255,000 and later $430,000. The parties ultimately settled on $1 million in Bitcoin.

What the county asked for

The transcript suggests the public agency sought more than a verbal assurance in return for payment. It requested:

  • proof that the stolen data had been deleted
  • a full list of files taken
  • an explanation of how the attackers gained access

Kairos said it would provide a sample list of files and claimed it had entered the network by brute force. The group also shared what it described as evidence of deletion and promised not to sell the data or attack the victim again.

However, the researcher behind the analysis noted that there was no independent way to confirm deletion of the stolen material. That limitation is one reason law enforcement agencies repeatedly warn victims that ransom payments do not guarantee data recovery or prevent later leaks.

Possible victim still unclear

The report does not name the county directly, but one clue points to Ohio: a file among the alleged stolen material referenced Dublin, a city that spans several counties in the state. The findings also overlap in timing with a public disclosure from Union County, Ohio, which said it suffered a ransomware-related intrusion in May 2025 involving personal and sensitive data.

So far, officials have not confirmed whether Union County is the entity referenced in the leaked negotiation records. The FBI declined to comment, and the report cautions that the incident may not have involved traditional ransomware at all, since no decryptor or encryption tool was identified.

The case underscores the difficult choices public agencies face when sensitive data is exposed and the attackers set the terms.