Ransomware Without Encryption: A $1m Lesson From a US Government Hack

by Rebecca Sutton

A US local government body handed over roughly $1 million in bitcoin to stop a criminal group called Kairos publishing its data. No files were ever encrypted. No systems went down. This was ransomware without encryption, and the case study that pieced it together shows why that distinction matters more than most businesses assume.

The research comes from Rakesh Krishnan, writing for Ransom-ISAC. He rebuilt the incident from a leaked negotiation chat and the bitcoin trail the ransom left behind. The victim has not been named officially. Reporting since the case study appeared points to Union County, Ohio, a county of around 70,000 residents, though neither side has confirmed it.

A break-in with no locker

Kairos got into the network in early May 2025. The likely route was a brute-force attack on exposed credentials, not a software flaw. Over roughly two weeks it copied out an enormous amount of material. That haul ran to 1,602,775 files, about 2 terabytes in total. It included social security numbers, financial records, fingerprints and passport data belonging to 45,487 people.

What it did not do is deploy an encryptor. Krishnan’s report found no locker binary and no ransom note demanding a decryption key. Nothing would have stopped staff logging in the next morning. Kairos is, by design, a data-theft extortion operation. It steals files, lists the victim on a leak site, and threatens to publish everything unless it gets paid.

Weeks of haggling over a spreadsheet of stolen files

Once listed, the county pushed back hard. Kairos opened at $3 million. The county’s first counter was $100,000. It then rose to $255,000, then $430,000, as the Friday deadline crept closer. Kairos eventually settled for $1 million, paid on 13 June 2025 in 9.44 bitcoin.

The payment split almost immediately. About 6.6 bitcoin moved toward a Bybit deposit address within three days. The rest fragmented through several wallets. It landed at OKX and a Russian exchange called BELQI. That kind of rapid layering is standard practice for cashing out extortion proceeds while making the money harder to trace.

The “proof of deletion” nobody could verify

After payment, Kairos sent what it called proof the stolen data had been destroyed: a 238 MB text file listing filenames. That is not proof of anything. There was no cryptographic hash and no video. Nobody could independently confirm a single byte had actually been deleted rather than quietly archived. Paying does not buy certainty. It buys a promise from a criminal group.

A group with a track record

Kairos is not a one-off outfit that stumbled onto a big payday. It has run since November 2024 and has listed 88 victims across 14 countries since then, according to tracking by Ransomware.live. Most targets are small and mid-sized organisations in business services, healthcare and education. These sectors hold sensitive personal data but often lack large in-house security teams. The average gap between an attack starting and a victim finding out has run past 70 days in tracked cases. That fits the pattern here: about two weeks of quiet access before Kairos made contact.

Investigators did eventually get a result. In January 2026, infrastructure hunting linked a likely backend server for Kairos’s leak site to a hosting provider in Ukraine. That server later carried a seizure notice from Ukraine’s Security Service Cyber Department. Even so, wallets tied to the group kept moving funds afterward. Taking down one piece of infrastructure rarely shuts down the people behind it.

Why ransomware without encryption is spreading

Security teams have spent years hardening backups against encryption, because that used to be the main threat. This case argues the threat has shifted. Sophos found that only about half of 2025 ransomware attacks involved encryption at all, a six-year low. Groups have worked out that stealing data and threatening exposure is often just as profitable, and far less noisy to pull off. No locked screens means no urgent alert to the IT team. The theft can run for weeks before anyone notices.

That changes what defence has to look like. Solid backups protect an organisation from an encryptor. They do nothing when the attacker’s leverage is a folder of stolen HR records, because nothing needs restoring; the data only needs to stay private. This is the practical cost of ransomware without encryption: your recovery plan can work perfectly and the extortion still succeeds. Organisations need to know what sensitive data they hold, cut down what they store unnecessarily, and lock down the credentials and remote access paths that let attackers in quietly in the first place.

What businesses should actually check

Three checks would have mattered here. First, multi-factor authentication on every login reachable from outside the network. Brute-forcing weak or default credentials remains one of the simplest ways in. Second, monitoring tuned to catch large or unusual outbound data transfers, not just encryption events. Slow exfiltration over two weeks should not pass unnoticed. Third, a clear map of where sensitive personal data actually lives. You cannot protect what you don’t know you’re holding.
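The second check is the one most monitoring misses, because a two-week trickle never trips a single-day volume alarm. The following is an added illustration, not code from the case study or from Ransom-ISAC: it compares a trailing window of per-host outbound bytes against a median baseline, so a sustained modest increase is flagged while a one-off spike such as a backup run is not. The telemetry, host names and thresholds are constructed for the example.

```python
"""Baseline-vs-trailing-window check for slow data exfiltration.

Input is a constructed per-host list of daily outbound byte counts, the
kind of summary a NetFlow or proxy pipeline produces. A host is flagged
when any trailing window's total egress exceeds the baseline median
scaled to the window length by a fixed factor.
"""
from statistics import median

GB = 1024 ** 3


def flag_slow_exfil(series, baseline_days=30, window_days=7, factor=3.0):
    """Return (day_index, window_total, expected_total) for the first
    trailing window whose egress exceeds factor * expected, else None.
    The median baseline is robust to a single large day in the history."""
    if len(series) < baseline_days + window_days:
        raise ValueError("need baseline plus one full window of days")
    expected = median(series[:baseline_days]) * window_days
    for end in range(baseline_days + window_days, len(series) + 1):
        total = sum(series[end - window_days:end])
        if total > factor * expected:
            return end - 1, total, expected
    return None


def hosts_to_review(telemetry, **kw):
    """Map host -> flag result for every host whose trailing window trips."""
    return {h: r for h, s in telemetry.items() if (r := flag_slow_exfil(s, **kw))}


# Constructed 30-day quiet baseline: 2-4 GB/day, median exactly 3 GB.
QUIET = [3 * GB + (((i * 7) % 5) - 2) * (GB // 2) for i in range(30)]

# Constructed scenarios appended to the quiet baseline.
TELEMETRY = {
    # 14 days of a steady 11 GB/day: modest per day, 77 GB per week.
    "fileserver-01": QUIET + [11 * GB] * 14,
    # Bulk copy comparable to 2 TB over two weeks.
    "db-02": QUIET + [146 * GB] * 14,
    # Normal host with one legitimate 40 GB backup day.
    "workstation-07": QUIET + [3 * GB] * 3 + [40 * GB] + [3 * GB] * 10,
}

if __name__ == "__main__":
    for host, (day, total, expected) in hosts_to_review(TELEMETRY).items():
        print(f"{host}: day {day} trailing 7-day egress {total / GB:.0f} GB "
              f"vs expected {expected / GB:.0f} GB")
```

The single 40 GB day stays below the 63 GB trip point for its window, while the 11 GB/day trickle is flagged on the first full window even though no individual day looks alarming.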

Regular external network penetration testing should probe credential handling and remote access paths, not only patch levels. That is one of the few ways to catch this route before a criminal group does. It is also worth deciding, well before an incident, what your organisation would do if faced with the same choice: pay for a promise, or refuse and manage the fallout.

Paying, as this case shows, buys a text file and a hope. It does not buy the guarantee most victims think they are purchasing. Ransomware without encryption is quieter than the old kind, and that is exactly what makes it dangerous.
