A newly surfaced negotiation transcript, and the blockchain trail sitting behind it, show a U.S. county paying about a million dollars to keep stolen files off the internet. The detail that should stop every defender is what did not happen. Nothing on the county's network was encrypted. No locker ran, no ransom note landed on a server, no files were renamed. The group behind it, Kairos, took roughly two terabytes and threatened to publish it. That one change, theft without encryption, quietly disables the alarm most organizations built their ransomware program around.
The account traces back to a forensic write-up that Rakesh Krishnan published through Ransom-ISAC, rebuilt from a leaked chat log and the on-chain money trail, and picked up this month by The Hacker News and Security Affairs. Both outlets point to Union County, Ohio as the target, while noting that neither the county nor the crew has said so on the record. The incident itself dates to 2025; what is new is the forensic paper trail, and it reads as a blueprint for where ransomware is heading.
The break-in needed no exploit
Kairos claimed it got in by brute-forcing a credential. No zero-day, no unpatched edge appliance, no clever chain. Someone guessed or sprayed a password that worked. From there the group collected 1,602,775 files totaling around two terabytes, exposing records on 45,487 residents and employees. The haul reportedly included prosecutor case files, passport scans, fingerprint data, banking information, and Social Security numbers.
Read that attack path as a defender and every stage is something you can see on infrastructure you already own. A brute-forced login is a burst of failures followed by a success from one source, often at an odd hour or a new location. Two terabytes leaving is an egress-volume spike. Pulling more than 1.6 million files is a file-access rate no normal workday produces. None of it required special tooling to catch. It required someone watching for it.
Encryption used to be the alarm
For a decade, ransomware announced itself. The encryptor was loud by design: files locked, extensions changed, a note demanding payment. That noise was terrible for the victim but useful for the defender, because it was a clear, if late, signal that something had gone very wrong. A lot of detection engineering grew up around catching the locker, or at least the mass file-rename that preceded it.
Kairos removed that signal on purpose. Reporting on the case puts the wider trend in context: barely half of ransomware incidents now bother to lock anything, a six-year low. When there is no encryptor, the timeline of detectable events inverts. The loud, late moment is gone. What remains are early and quiet moments: the anomalous login at the front, the bulk read and upload in the middle. A program tuned to spot the encryptor is watching the one part of the attack this crew skipped. We saw the same design choice in Prinz Eugen, which drops no ransom note specifically to defeat note-based and canary-file alerts.
Backups recover data. They do nothing about a leak.
The standard answer to ransomware for years has been tested, offline backups: if they lock your files, restore and refuse to pay. That advice is still correct, and it is now only half a defense. Restoring from backup does nothing about a copy of your data sitting on a criminal's server. There is no file to decrypt and nothing to roll back. The county could have had flawless backups and still faced the same choice, because the pressure was never about availability. It was about disclosure.
That reframes where the money should go. If your ransomware plan is entirely a recovery plan, it assumes the attacker's goal is to deny you your data. A data-theft crew's goal is to take a copy. The budget question shifts from "can I restore?" to "can I see two terabytes leaving before it is gone?" The same lesson ran through INC, which never needed a zero-day either, and through Scattered Spider, where the way in was a help desk, not a CVE. The entry keeps being mundane. The detection gap keeps being the same one.
The payment bought a receipt, not silence
The blockchain trail is the part paying customers should study hardest. Krishnan traced the 9.44 BTC as it split, 6.61 BTC to a wallet he labels the "Main Guy" and 2.83 BTC to a "Helper," and was on its way to crypto exchanges three hours and 34 minutes later. A decryptor you can test after paying at least gives you a functional guarantee. A promise to delete stolen files gives you nothing you can verify. You are trusting a group that took your data not to keep a copy, and the money you send funds the next intrusion. Kairos has now listed 88 victims since it appeared in November 2024. This is the same hard truth as the StealC takedown, where seizing the servers did not un-steal 27 million credentials. Once data is out, it is out.
None of this is an argument that the county did something uniquely wrong. A roughly 70,000-person county government owns exactly the kind of sensitive records attackers want and rarely has a team watching for a slow exfiltration at 2 a.m. That mismatch, real data without real monitoring, is the target profile. Kairos is not picking these victims by accident.
Alert on the login burst and the outbound gigabytes
Since the encryptor is optional now, build detection around the two stages this attack could not skip: getting in, and getting the data out.
- The authentication anomaly. Alert on a spray or brute-force pattern followed by a success, and on any successful login from a new country, an impossible-travel pair, or an odd hour for that account. Put multi-factor authentication on every internet-facing login, since a guessed password alone should not be enough.
- The egress spike. Baseline normal outbound volume per host and alert when it jumps. Two terabytes does not leave quietly if anyone has a threshold set. In ATT&CK terms this is Exfiltration Over Alternative Protocol, and it is far more visible than most teams assume.
- The file-access rate. A single account or host reading hundreds of thousands of files in hours is not a workday. File-access telemetry and honey-documents both surface it early, well before the leak-site countdown.
If the reporting holds, the uncomfortable lesson is that an attack built entirely on an anomalous login and a bulk data transfer is, in principle, detectable with telemetry most organizations already own; the public accounts do not detail what monitoring the county had in place. Encryption did the alerting for defenders for years, for free. That favor is ending. If your ransomware defense still assumes the moment of truth is a locked file, you are ready for the last war, not this one.