Executive Summary
A small Ohio county government, widely believed to be Union County, Ohio, reportedly paid a $1 million ransom in Bitcoin to the cyber extortion group Kairos in June 2026. The attackers gained access to the county’s network via a brute-force credential attack, exfiltrated over 2 terabytes of sensitive data—including Social Security numbers, financial records, fingerprints, and passport numbers—and threatened to publicly release the stolen information unless paid. No ransomware encryption was used; the extortion was based solely on the threat of data exposure. The negotiation lasted approximately one month, with the initial demand set at $3 million and ultimately settled at $1 million. The county notified affected individuals in September 2026. This incident highlights the growing trend of data-only extortion attacks targeting local government entities and underscores the critical need for robust credential security and network monitoring.
Technical Information
The incident began in May 2026 when the Kairos group successfully executed a brute-force credential attack against the county government’s network. Brute-force attacks involve systematically guessing passwords to gain unauthorized access, a technique mapped to MITRE ATT&CK technique T1110: Brute Force. Once inside, the attackers conducted file and directory discovery (MITRE ATT&CK T1083) to locate and aggregate sensitive data, focusing on folders such as the "prosecutors office." The attackers exfiltrated over 2 terabytes of data, comprising approximately 1.6 million files, including highly sensitive personal and financial information of about 45,487 individuals. This data included names, dates of birth, government ID numbers, Social Security numbers, financial account details, fingerprint and medical information, and payment card details.
The attackers used burner file-sharing services, specifically temp.sh, to transfer the stolen data out of the network (MITRE ATT&CK T1041: Exfiltration Over C2 Channel). The extortion phase followed, with Kairos demanding $3 million in cryptocurrency to prevent public disclosure of the data. After a 28-day negotiation, the county paid $1 million in Bitcoin (approximately 9.44 BTC at the time) on June 13, 2026. Blockchain analysis traced the funds through multiple wallets and exchanges, including Bybit, OKX, and BELQI, but did not yield attribution to specific individuals.
No ransomware or encryption malware was deployed during the attack. The extortion was purely based on the threat of releasing stolen data, a tactic mapped to MITRE ATT&CK T1657: Data Manipulation: Data Extortion. The attackers provided selective "proof of deletion" after payment, but there was no independent verification that the data was actually destroyed.
The Kairos group has been active since at least 2026, specializing in data theft and extortion without using ransomware encryption. Their operations mirror a broader trend in the threat landscape, where data-only extortion attacks are increasingly common, especially against local government entities with limited resources. The group’s leak site is currently offline, but related cryptocurrency wallets remained active as of May 2026.
Affected Versions & Timeline
The affected organization is a small Ohio county government, strongly indicated to be Union County, Ohio. The attack occurred in May 2026, with the ransom paid on June 13, 2026. The county publicly notified affected individuals in September 2026. The incident impacted approximately 45,487 residents and staff, exposing sensitive data including Social Security numbers, financial details, fingerprints, and passport numbers. The attack vector was a brute-force credential attack, and no specific software vulnerabilities or product versions were identified as exploited in this incident.
Threat Activity
The Kairos group’s activity in this incident exemplifies the shift from traditional ransomware attacks involving encryption to data-only extortion. The group gained initial access through brute-force attacks, exfiltrated large volumes of sensitive data, and leveraged the threat of public exposure to extort payment. The negotiation process followed a familiar pattern, with high initial demands, victim counteroffers, and eventual settlement at a lower amount. The attackers used burner file-sharing services for data exfiltration and cryptocurrency wallets for ransom payment, rapidly moving funds through multiple exchanges to obfuscate their trail.
The group’s focus on data theft rather than encryption aligns with broader industry trends. According to industry reporting, only about half of ransomware attacks in 2026 involved encryption, with many groups, including Kairos and Silent Ransom Group, shifting to pure data extortion. The Kairos group’s operations have targeted small government entities, exploiting limited resources and the high impact of sensitive data exposure.
Mitigation & Workarounds
Critical recommendations include enabling multi-factor authentication (MFA) on all remote access points and administrative accounts to prevent brute-force attacks. Organizations should monitor for repeated failed login attempts and large outbound data transfers, which may indicate credential attacks or data exfiltration in progress. Sensitive records, such as legal, HR, and citizen data, should be segregated from the main network to limit lateral movement and data aggregation by attackers. Incident response plans should include prepared public statement templates for breach notification. Organizations must treat any "proof of deletion" from attackers as untrustworthy, as there is no reliable way to verify that stolen data has been destroyed. Regular credential hygiene, including strong password policies and periodic audits, is essential to reduce the risk of brute-force compromise.
Indicators of Compromise
The following indicators are provided as point-in-time references and should be validated in your environment before enforcement. All indicators are directly sourced from public reporting and are defanged for safe publication.
Type | Indicator | Reported (date) | Source
|
Filename | union[.]xlsx | 2026-07-04 | https://thehackernews.com/2026/07/us-government-entity-paid-kairos-group.html |
Filename | template[.]doc | 2026-07-04 | https://thehackernews.com/2026/07/us-government-entity-paid-kairos-group.html |
Filename | union[.]rar | 2026-07-04 | https://thehackernews.com/2026/07/us-government-entity-paid-kairos-group.html |
No malware hashes, IP addresses, or domains were reported in the available sources.
References
The Hacker News, July 4, 2026: https://thehackernews.com/2026/07/us-government-entity-paid-kairos-group.html SCWorld/SC Media, July 6, 2026: https://www.scworld.com/brief/us-government-agency-pays-1-million-to-data-extortion-group-kairos OffSeq Threat Radar, July 7, 2026: https://radar.offseq.com/threat/county-government-reportedly-paid-1-million-to-cyb-6b8639ef5e71b4c8
About Rescana
Rescana provides a Third-Party Risk Management (TPRM) platform designed to help organizations identify, assess, and monitor cyber risks in their vendor and partner ecosystems. Our platform enables continuous monitoring for credential exposures, brute-force attack attempts, and data exfiltration risks, supporting proactive defense against data extortion and similar threats. For more information or to discuss this incident further, contact us at info@rescana.com.



