
Union County Ransomware: $1 Million Paid After 2TB Data Theft (May 2025)
Union County, Ohio: What Happened
In May 2025, Union County, Ohio, experienced a high-severity ransomware attack orchestrated by the Kairos cyber extortion group. The attackers executed a brute-force intrusion, resulting in unauthorized access to county systems and the exfiltration of over 2 terabytes of highly sensitive data. The breach exposed the personal and financial information of 45,487 individuals, including names, dates of birth, government ID numbers, Social Security numbers, and biometric data. To prevent the public disclosure of this data, Union County paid a ransom of $1 million in Bitcoin to the threat actors.
Attack Vector & Technical Detail
The initial compromise was achieved via a brute-force attack, consistent with MITRE ATT&CK tactics TA0006 (Credential Access), TA0033 (Initial Access), and TA0040 (Impact). The Kairos group exploited weak authentication controls, systematically guessing credentials to gain privileged access to internal systems. Once inside, the attackers moved laterally, aggregating sensitive files for exfiltration. While no specific CVEs or IOCs were reported in this incident, the attack demonstrates the effectiveness of brute-force techniques against poorly secured endpoints. The absence of multi-factor authentication and insufficient monitoring likely contributed to the attackers’ success.
Confirmed Impact
The breach resulted in the exposure of a wide array of sensitive data, including personal identifiers, financial account details, fingerprint records, medical information, and payment card data for nearly 45,500 individuals. The affected population primarily resides in Union County, Ohio, but the nature of the data could have broader implications if shared or sold. The incident exposes the county to significant reputational harm, potential class-action litigation, and regulatory scrutiny under state and federal privacy laws. The scale of the data theft and the subsequent ransom payment underscore the operational and legal risks facing public sector organizations.
What This Means for Your Organization
This incident highlights the persistent threat posed by ransomware groups leveraging brute-force attacks against public sector entities. Organizations should prioritize strengthening authentication mechanisms, including the mandatory use of multi-factor authentication and regular credential audits. Proactive monitoring for anomalous login attempts and the implementation of network segmentation can limit lateral movement post-compromise. The Union County case demonstrates that failure to address these basic security controls can result in significant financial loss and exposure of sensitive data.
Detection & Response
- Immediate: Conduct a comprehensive review of all privileged accounts and enforce password resets across critical systems.
- Hunt: Monitor for repeated failed login attempts and anomalous authentication patterns indicative of brute-force activity.
- Patch: N/A (no CVE identified in this incident).
Source: https://www.securityweek.com/county-government-reportedly-paid-1-million-to-cyber-extortion-group/
Start Your 14-Day Free Trial
Get curated cyber intelligence delivered to your inbox every morning at 6 AM. No credit card required.
Get Started Free

