
KillSec ransomware targeting healthcare IT systems

The KillSec ransomware strain has quickly emerged as a significant threat to healthcare IT infrastructures across Latin America and beyond. First identified in early September 2025, KillSec operators have exploited compromised software supply chain relationships to deploy their malicious payloads at scale. Initial signs of compromise were detected when several Brazilian healthcare providers reported unusual network traffic originating from cloud storage buckets. Uniquely, this group combines basic exfiltration methods, such as open AWS S3 buckets, with advanced encryption routines, maximising impact while minimising the complexity of initial intrusions. Resecurity analysts observed that KillSec’s entry points often involve unpatched web applications or misconfigured cloud storage, both prevalent in healthcare environments undergoing rapid digital transformation.

Once inside, the malware spreads through internal networks using legitimate administrative protocols, including Windows Remote Management (WinRM) and Remote Desktop Protocol (RDP). This lateral movement frequently goes undetected for days, allowing adversaries ample time to harvest sensitive medical records and personally identifiable information (PII). The group’s data leak site on Tor has showcased high-profile exfiltrations, demonstrating their willingness to publicly shame victims to coerce ransom payments.

After a compromise, KillSec actors execute a multi-stage encryption process, employing a lightweight loader that invokes a custom-built AES-256 encryption routine. Resecurity researchers identified the loader by its unique import hashing and unusual manipulation of the Advapi32.dll library, indicating a deliberate evasion of antivirus heuristics. The group’s combined use of legitimate system APIs and self-developed cryptographic components renders traditional signature-based detection largely ineffective, underscoring its increasing technical sophistication. Within a week of its emergence, KillSec had impacted over a dozen healthcare entities, exfiltrating more than 34 GB of data, including unredacted patient images, laboratory results, and records related to minors, before issuing ransom demands. The public leak of these files has prompted regulators to issue urgent breach notifications under Brazil’s LGPD framework. Threat intelligence reports now caution that downstream clinics and labs using affected software could face secondary compromises if the compromised vendor’s code remains unsigned and unverified.
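As an added example, not code from the original report or from Resecurity: detection logic for the WinRM/RDP fan-out pattern described above, run over constructed logon records in a SIEM-style normalised schema. The field names, host names, account names and timestamps are all assumptions made for the illustration.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, SIEM-normalised logon records (not real telemetry). They mirror
# Windows Security event 4624: LogonType 10 = RemoteInteractive (RDP, port 3389);
# LogonType 3 = Network, which WinRM uses on 5985/5986 but which SMB (port 445)
# also produces, so the destination port is needed to tell the two apart.
SAMPLE_LOG = """
{"ts": "2025-09-03T02:01:10Z", "event_id": 4624, "logon_type": 10, "account": "svc_backup", "src_ip": "10.20.5.14", "dest_host": "PACS-01", "dest_port": 3389}
{"ts": "2025-09-03T02:02:40Z", "event_id": 4624, "logon_type": 3, "account": "svc_backup", "src_ip": "10.20.5.14", "dest_host": "FILESRV", "dest_port": 445}
{"ts": "2025-09-03T02:04:05Z", "event_id": 4624, "logon_type": 3, "account": "svc_backup", "src_ip": "10.20.5.14", "dest_host": "LAB-DB", "dest_port": 5985}
{"ts": "2025-09-03T02:09:31Z", "event_id": 4624, "logon_type": 3, "account": "svc_backup", "src_ip": "10.20.5.14", "dest_host": "HIS-APP", "dest_port": 5985}
{"ts": "2025-09-03T02:15:12Z", "event_id": 4624, "logon_type": 10, "account": "svc_backup", "src_ip": "10.20.5.14", "dest_host": "FILESRV", "dest_port": 3389}
{"ts": "2025-09-03T08:00:00Z", "event_id": 4624, "logon_type": 10, "account": "dr.silva", "src_ip": "10.20.7.21", "dest_host": "WS-07", "dest_port": 3389}
{"ts": "2025-09-03T08:03:00Z", "event_id": 4624, "logon_type": 3, "account": "it_admin", "src_ip": "10.20.1.5", "dest_host": "LAB-DB", "dest_port": 5986}
{"ts": "2025-09-03T08:05:00Z", "event_id": 4624, "logon_type": 3, "account": "it_admin", "src_ip": "10.20.1.5", "dest_host": "HIS-APP", "dest_port": 5986}
"""

# (logon_type, dest_port) pairs that mean RDP or WinRM rather than an SMB share
REMOTE_ADMIN = {(10, 3389), (3, 5985), (3, 5986)}

def parse_events(text):
    """Parse JSON lines into dicts with a datetime 'ts'; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ev = json.loads(line)
            ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(ev)
    return events

def find_lateral_movement(events, window=timedelta(minutes=30), min_hosts=3):
    """Return {account: sorted hosts} for accounts reaching at least min_hosts
    distinct hosts over RDP/WinRM inside any span no longer than `window`."""
    by_account = defaultdict(list)
    for ev in events:
        if ev["event_id"] == 4624 and (ev["logon_type"], ev["dest_port"]) in REMOTE_ADMIN:
            by_account[ev["account"]].append(ev)
    alerts = {}
    for account, evs in by_account.items():
        evs.sort(key=lambda e: e["ts"])
        flagged = set()
        for i, ev in enumerate(evs):
            # Distinct hosts reached in the window that ends at this event
            hosts = {e["dest_host"] for e in evs[:i + 1] if ev["ts"] - e["ts"] <= window}
            if len(hosts) >= min_hosts:
                flagged |= hosts
        if flagged:
            alerts[account] = sorted(flagged)
    return alerts

if __name__ == "__main__":
    for account, hosts in find_lateral_movement(parse_events(SAMPLE_LOG)).items():
        print(f"ALERT lateral movement: {account} -> {', '.join(hosts)}")
```

The SMB logon to FILESRV is deliberately excluded so that ordinary file-share traffic does not inflate the host count; only the later RDP session to the same host is counted.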

A critical aspect of KillSec’s success lies in its dual-pronged infection mechanism, which combines opportunistic cloud bucket access with a fallback downloader embedded in common document formats. Victims first encounter a deceptive PDF invoice file, masquerading as a billing statement from a known medical supplier.
