A recent case published by Ransom-ISAC, an organization dedicated to researching ransomware attacks, shows that a local government agency in Ohio paid hackers a ransom of $1 million in exchange for the data not being released publicly. It is worth noting that in this case the hackers did not actually encrypt any data, but simply threatened to leak the stolen data, forcing a county government in Ohio to pay a high ransom.

This may not even be considered a ransomware attack:
Researcher Krishnan did not disclose the name of the victim organization in detail in the case study, but judging from the chat records, the victim should be a county in Ohio, USA (equivalent to a prefecture-level city in China). The hackers did not encrypt any of the victim's data, but the hackers said they succeeded in stealing about 2 terabytes of data, crucially confidential information from the county prosecutor's office that the hackers said could help criminals escape prosecution if leaked.
The hacker group that launched the attack was code-named Kairos. Initially, the hacker group asked the victim to pay a hush fee of US$3 million, and the victim directly lowered the price to US$100,000. Then the hackers used the usual methods: countdown, tight deadlines, and prioritizing the disclosure of the most sensitive files to threaten the victim. Finally, the victim paid the hacker 9.44 Bitcoins on June 13, 2025, which was approximately US$1 million based on the price at that time.
This threat, which occurred in June 2025, has not been made public until now. By comparing it with known public information, it can be basically confirmed that the victim is Union County, Ohio, which has a population of 70,000. The stolen data covers residents’ social security numbers, financial information, fingerprint information, passport numbers and other information. However, Union County has not admitted that it is a victim or paid a ransom.
The key question is how to prove that the hacker has deleted the data:
One million US dollars is considered a small scale in a ransomware attack and is not worthy of attention. What is noteworthy about this case is the principle of trust, that is, the victim believes the hacker's promise that the data will be completely deleted after receiving the ransom money. In fact, the hacker also produced a document called a deletion certificate. However, this certificate can only prove that the hacker once owned these files. It does not prove that the hacker has deleted all the original files, nor can it prove that the hacker did not copy these files to other places.
Data leakage may indeed cause serious consequences, but if the victim blindly pays the ransom without consulting a professional organization, it may be in vain. As long as the victim credulously believes the hacker's so-called deleted files, in fact, it is possible that these files are still saved by the hacker (and the probability is extremely high). At some point, the data may be resold by the hacker to downstream hackers, and the victim will not know that the data has been leaked until the data is everywhere.
The preference of research institutions is that victims should not pay any ransom to hackers, because there is no guarantee, but it is possible that the vast majority of smaller victimized companies or institutions will eventually choose to pay ransom in order to pursue superficial security. This is not only not good for their own data security, but will even continue to encourage hackers, especially ransomware hackers.