Cyber Incident Victim: Union County, Ohio
Date:
May 2025
Location:
United States of America
Summary
Union County, Ohio reportedly paid a $1 million ransom to the Kairos cyber extortion group to stop the release of data taken in a brute‑force intrusion. The attackers claimed to have stolen over two terabytes of files and, after a three‑week negotiation that saw the county’s offer rise from $100,000 to $430,000, accepted the $1 million payment in cryptocurrency. Kairos pressured the victim with threats of public exposure while controlling deadlines and providing proof‑of‑access artifacts. Ransom‑ISAC noted the incident was a pure extortion attack without file‑encrypting ransomware and that the county’s responses reflected efforts to coordinate legal, leadership, financial and communications decisions. The breach exposed personal data of tens of thousands of individuals, including names, birth dates, identification numbers, Social Security numbers, financial and medical details, fingerprints and payment card information.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 0 techniques |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
In May 2025, Union County, Ohio experienced a brute-force intrusion that allowed threat actors to gain access to its network and exfiltrate over two terabytes of data, equivalent to approximately 1.6 million files. The attackers claimed possession of the stolen data and identified themselves as the Kairos cyber extortion group. The intrusion did not involve file-encrypting ransomware but was characterized as an extortion operation aimed at threatening public disclosure of the compromised information.

Following the intrusion, Kairos initiated negotiations demanding three million dollars in cryptocurrency. Over a three-week period, the county’s responses increased from an initial offer of one hundred thousand dollars to four hundred thirty thousand dollars before ultimately accepting a hard deadline set by the attackers and agreeing to pay one million dollars. The payment was made in Bitcoin on June 13, 2025, after the attackers maintained pressure through threats of public exposure and by retaining control of negotiation timelines and proof-of-access artifacts. Ransom-ISAC observed that the county’s conduct reflected an effort to buy time while coordinating legal, leadership, financial, and communications decisions.
In September 2025, Union County notified forty-five thousand four hundred eighty-seven individuals that their personal information had been compromised in the May 2025 incident. The notified data included names, dates of birth, driver’s license or state identification numbers, passport numbers, Social Security numbers, financial account details, fingerprint information, medical information, and payment card details. Ransom-ISAC noted that the attackers’ proof-of-deletion was selective rather than comprehensive, though the file listings they provided were consistent with an actual file-server scrape. The affected entity was described in the negotiation transcript as a small county with very limited resources, which aligns with the public identification of Union County, Ohio as the victim.
