All incidents

US Agency Pays $1 Million Ransom to Kairos After 2TB Data Breach

campaignopenJul 4, 2026 — Jul 7, 2026
US Agency Pays $1 Million Ransom to Kairos After 2TB Data Breach

A U.S. government entity reportedly paid a $1 million ransom to the Kairos cyber extortion group after attackers stole over two terabytes of data in a May 2025 breach according to SecurityWeek.

The attackers did not deploy file‑encrypting ransomware; instead they threatened to publish the stolen information unless a payment was made as noted by SecurityOnline. Initial demands were set at $3 million in cryptocurrency, but after negotiation the amount was reduced to 9.44 Bitcoins, equivalent to roughly $1 million. The stolen data included sensitive records from the county prosecutor’s office and other personal information.

No CVEs are associated with this incident, highlighting that the breach relied on data theft rather than software vulnerabilities per the official notice. Union County, Ohio, is believed to be the affected organisation, later informing nearly 45 500 individuals about the compromise of their data. The case illustrates how extortion groups are shifting tactics to leverage data exposure.

Kairos has been observed in a growing trend of data‑theft extortion, where victims are pressured with the threat of public disclosure rather than system lockdown as reported by The Hacker News. Paying the ransom does not guarantee that the attackers delete the stolen material, and such payments may fund further criminal activity. This pattern poses a particular risk to smaller organisations with limited defensive resources.

Defenders should maintain offline, encrypted backups that are isolated from the production network to ensure data can be restored without yielding to extortion see SecurityWeek. Implementing strict least‑privilege access controls and monitoring for unusually large outbound transfers can help detect exfiltration attempts early. Network segmentation limits the lateral movement of attackers who gain initial footholds.

Organisations ought to review and test their incident response plans, ensuring they include clear procedures for engaging law enforcement and negotiating with threat actors as advised by SecurityOnline. Regular employee training on phishing and social engineering reduces the likelihood of initial compromise. Finally, conducting periodic penetration tests and red‑team exercises helps identify gaps before attackers can exploit them.

Intelligence briefing updated Jul 7, 2026

Kairos
Root sourcewww.unioncountyohio.gov
Timeline Coverage

Swipe to explore timeline