
Healthcare Industry Suffers Cyber-Attacks by KillSec Ransomware on IT Infrastructures

Cyber Criminals Strike Latin American Healthcare, Leveraging Weak Links in Supply Chain and Unsecured Applications and Cloud Storage, Causing Destructive Ransomware Attack

Cybercriminal Group KillSec Launches Ransomware Assault on IT Infrastructure of Healthcare Sector


In a concerning development, the recent surge of ransomware attacks on healthcare IT infrastructures across Latin America and beyond has been attributed to the cybercriminal group 'KillNet'. The strain involved, known as KillSec, has emerged as a significant threat, causing disruption and potential data breaches at more than a dozen healthcare entities within a week of its appearance.

The public leak of stolen files has prompted regulators to issue urgent breach notifications under Brazil's LGPD framework. The leaked data, totaling more than 34 GB, includes unredacted patient images, laboratory results, and records relating to minors.

The attack begins with a malformed PDF that exploits a zero-day in the processing engine and triggers a stealthy PowerShell one-liner. This PowerShell stub retrieves an encoded payload, decodes it in memory, and uses reflective DLL injection to load the AES encryption engine directly into memory.

Upon infection, the malware propagates through internal networks via legitimate administrative protocols, including Windows Remote Management (WinRM) and Remote Desktop Protocol (RDP). Because this traffic uses protocols administrators rely on every day, it bypasses traditional security measures and is difficult to detect and prevent.

Following the compromise, the KillSec operators run a multi-stage encryption process. Once encryption is complete, they execute a loader that enumerates network shares and scheduled tasks and establishes persistence via a disguised Windows service named [redacted]. This service is configured to run under the SYSTEM account, ensuring execution at every reboot.
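As an added illustration (not part of the original article, and not Resecurity's tooling), the following Python triage rules flag the three behaviours described above on constructed Windows event records: an encoded PowerShell launch (event 4688), a new service running as LocalSystem from outside trusted directories (event 7045), and one account fanning out to several hosts over network or RDP logons (event 4624). The event field names, hostnames and sample values are assumptions made for the example.

```python
"""Triage rules for the behaviours in the KillSec write-up (constructed sample events)."""
import re
from collections import defaultdict

# Constructed sample events in a simplified Windows-event shape; field names are assumed.
EVENTS = [
    {"id": 4688, "host": "ws01", "cmd": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAuAC4ALgA="},
    {"id": 4688, "host": "ws01", "cmd": "powershell.exe -File C:\\ops\\backup.ps1"},
    {"id": 4624, "host": "srv01", "user": "svc_admin", "src": "ws01", "logon_type": 3},
    {"id": 4624, "host": "srv02", "user": "svc_admin", "src": "ws01", "logon_type": 3},
    {"id": 4624, "host": "srv03", "user": "svc_admin", "src": "ws01", "logon_type": 10},
    {"id": 7045, "host": "srv01", "service": "WinUpdateSvc", "account": "LocalSystem",
     "image": "C:\\ProgramData\\tmp\\upd.exe"},
    {"id": 7045, "host": "srv02", "service": "Spooler", "account": "LocalSystem",
     "image": "C:\\Windows\\System32\\spoolsv.exe"},
]

# powershell[.exe] ... -e / -ec / -enc / -EncodedCommand: the in-memory stub launch pattern
ENCODED_PS = re.compile(r"powershell(\.exe)?\b.*\s-(e|ec|enc|encodedcommand)\b", re.I)
# Services legitimately running as SYSTEM normally live under these directories
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# Logon type 3 = network (WinRM, SMB), 10 = RemoteInteractive (RDP)
LATERAL_TYPES = {3, 10}

def encoded_powershell(events):
    """Process-creation events that launch PowerShell with an encoded command."""
    return [e for e in events if e["id"] == 4688 and ENCODED_PS.search(e["cmd"])]

def suspicious_system_services(events):
    """New services running as LocalSystem whose binary sits outside trusted directories."""
    return [e for e in events if e["id"] == 7045 and e["account"] == "LocalSystem"
            and not e["image"].lower().startswith(TRUSTED_DIRS)]

def fan_out_logons(events, threshold=3):
    """(user, source host) pairs that reached at least `threshold` distinct hosts via WinRM/RDP."""
    targets = defaultdict(set)
    for e in events:
        if e["id"] == 4624 and e["logon_type"] in LATERAL_TYPES:
            targets[(e["user"], e["src"])].add(e["host"])
    return {k: sorted(v) for k, v in targets.items() if len(v) >= threshold}

def triage(events):
    """Group findings by the behaviour they indicate, for an analyst to review together."""
    return {"encoded_powershell": encoded_powershell(events),
            "system_service_outside_trusted_dirs": suspicious_system_services(events),
            "lateral_fan_out": fan_out_logons(events)}

if __name__ == "__main__":
    for rule, hits in triage(EVENTS).items():
        print(rule, "->", hits)
```

On the constructed sample the rules fire once each; in production the three findings co-occurring on the same hosts within a short window is the signal worth paging on, not any single hit.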

There is a risk of secondary compromises for downstream clinics and labs using affected software if the compromised vendor's code remains unsigned and unverified. Resecurity researchers have identified the loader used by KillSec by its unique import hashing and unusual manipulation of the library.

Initial indicators of compromise were detected when several Brazilian healthcare providers reported unusual network traffic originating from cloud storage buckets. The group's data leak site is hosted on Tor, further complicating efforts to track and disrupt its activities.

The KillSec ransomware attack on healthcare infrastructure in Latin America and beyond is a stark reminder of the increasing vulnerability of digitalised healthcare systems. As healthcare environments undergo rapid digital transformation, common security oversights such as unpatched web applications or misconfigured cloud storage become potential entry points for malicious actors.

Traditional signature-based detection methods are largely ineffective against the KillSec ransomware due to the combined use of legitimate system APIs and self-developed cryptographic components by the group. This underscores the need for a proactive and adaptive approach to cybersecurity in the healthcare sector.

As the battle against cybercrime continues, it is crucial for organisations to remain vigilant, update their systems regularly, and implement robust security measures to protect their data and the privacy of their patients.
