Case study reveals US county paid $1 million to data-theft extortion group
A Ransom-ISAC case study, built from a leaked negotiation chat and the blockchain trail, reconstructs how a US government entity quietly paid about $1 million to an extortion group called Kairos to keep stolen files from being published. Notably, Kairos never encrypted anything: there was no locker and no decryption key, just theft and the threat to leak, with special pressure applied to a folder of prosecutors' records. The month-long negotiation fell from a $3 million demand to a $1 million payment. The case reflects a broader shift, with roughly half of recent extortion now skipping encryption entirely, since data theft alone provides enough leverage.
- Check: Review whether you could detect the signs seen here: password-guessed logins, repeated failed logins, and large outbound transfers to burner file-sharing links, and confirm sensitive record stores are segmented and monitored.
- Affected: Organizations holding sensitive records, especially smaller government bodies with limited resources; data-theft extortion needs no ransomware, only stolen files and the threat to publish, to force a large payment.
- Fix: Enforce multi-factor authentication and alert on failed logins, segment and monitor sensitive record stores, watch for large outbound transfers, and treat any promise to delete stolen data as worthless.
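As an added example of the two detections the Check and Fix items call for (not code from the case study or from Ransom-ISAC), the script below runs over constructed auth and egress log lines: it flags a successful login preceded by a burst of failures from the same source, and flags a source that pushes more than a threshold of bytes to a watched file-sharing domain within a time window. The log formats, the `share.example.net` domain, the hosts and the addresses are all assumptions made for illustration; plug in your own log parser and your own list of file-sharing services.

```python
"""Detection logic for the two signals named in the Check item above.

Added example, not part of the original article: both log formats and all
hosts, users, addresses and domains below are constructed for illustration.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed sshd-style auth line: "<ts> <host> sshd: Failed|Accepted password for <user> from <src>"
AUTH_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd: (?P<result>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<src>\S+)$"
)
# Assumed egress/proxy line: "<ts> src=<ip> dst=<host> bytes_out=<n>"
EGRESS_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) bytes_out=(?P<bytes>\d+)$"
)

# Constructed auth log: five failures then one success from one source,
# plus a lone failure and a clean login that must not be flagged.
AUTH_LOG = """\
2024-03-01T02:14:01 host1 sshd: Failed password for admin from 203.0.113.5
2024-03-01T02:14:03 host1 sshd: Failed password for admin from 203.0.113.5
2024-03-01T02:14:06 host1 sshd: Failed password for admin from 203.0.113.5
2024-03-01T02:14:09 host1 sshd: Failed password for admin from 203.0.113.5
2024-03-01T02:14:12 host1 sshd: Failed password for root from 203.0.113.5
2024-03-01T02:14:20 host1 sshd: Accepted password for admin from 203.0.113.5
2024-03-01T08:00:00 host1 sshd: Failed password for bob from 198.51.100.7
2024-03-01T08:30:00 host1 sshd: Accepted password for alice from 10.0.2.15
"""

# Constructed egress log: two transfers that together cross the threshold,
# a small transfer to the same service, and a large one to an unwatched host.
EGRESS_LOG = """\
2024-03-01T03:05:10 src=10.0.8.21 dst=share.example.net bytes_out=300000000
2024-03-01T03:06:44 src=10.0.8.21 dst=share.example.net bytes_out=400000000
2024-03-01T03:10:00 src=10.0.8.30 dst=share.example.net bytes_out=50000000
2024-03-01T04:00:00 src=10.0.8.21 dst=backup.example.org bytes_out=800000000
"""

# Placeholder for your own list of burner file-sharing services (assumption).
FILE_SHARE_DOMAINS = {"share.example.net"}


def _parse_ts(s):
    return datetime.fromisoformat(s)


def detect_password_guessing(log_text, min_failures=5, window=timedelta(minutes=10)):
    """Return (src, user, n_failures, success_ts) for every successful login
    preceded by at least min_failures failures from the same source inside window."""
    failures = defaultdict(deque)  # src -> timestamps of recent failures
    findings = []
    for line in log_text.splitlines():
        m = AUTH_RE.match(line)
        if not m:
            continue
        ts, src = _parse_ts(m["ts"]), m["src"]
        q = failures[src]
        while q and ts - q[0] > window:  # drop failures that fell out of the window
            q.popleft()
        if m["result"] == "Failed":
            q.append(ts)
        elif len(q) >= min_failures:
            findings.append((src, m["user"], len(q), m["ts"]))
            q.clear()  # report each burst once
    return findings


def detect_bulk_egress(log_text, watch_domains=FILE_SHARE_DOMAINS,
                       threshold_bytes=500 * 1024 * 1024, window=timedelta(hours=1)):
    """Return (src, dst, total_bytes) the first time a source has pushed more
    than threshold_bytes to a watched domain (or a subdomain) within window."""
    sent = defaultdict(deque)  # (src, dst) -> (ts, bytes) inside the window
    flagged, findings = set(), []
    for line in log_text.splitlines():
        m = EGRESS_RE.match(line)
        if not m:
            continue
        dst = m["dst"].lower()
        if not any(dst == d or dst.endswith("." + d) for d in watch_domains):
            continue
        key, ts = (m["src"], dst), _parse_ts(m["ts"])
        q = sent[key]
        q.append((ts, int(m["bytes"])))
        while q and ts - q[0][0] > window:
            q.popleft()
        total = sum(b for _, b in q)
        if total > threshold_bytes and key not in flagged:
            flagged.add(key)
            findings.append((key[0], key[1], total))
    return findings


if __name__ == "__main__":
    for f in detect_password_guessing(AUTH_LOG):
        print("password-guessed login:", f)
    for f in detect_bulk_egress(EGRESS_LOG):
        print("bulk egress to file-sharing host:", f)
```

Both detectors keep only a sliding window of events per source, so they run in a single pass over a stream; the thresholds (five failures in ten minutes, 500 MiB in an hour) are starting points to tune against your own baseline, and the egress check deliberately ignores volume to hosts that are not on the watch list so that routine backups do not drown the signal.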