KillSec ransomware attacks Brazilian healthcare institutions
KillSec Ransomware has claimed responsibility for a cyberattack on Medicsolution, a software solutions provider in the Brazilian healthcare industry.
The KillSec Ransomware Group is threatening to leak sensitive data unless negotiations begin quickly. According to the threat intelligence report from Resecurity, the root cause of the incident was data exfiltration from insecure AWS S3 buckets. Based on research conducted by cybersecurity experts, the exposure window is estimated at “a few months.” This is perhaps the first prominent supply chain incident affecting the Brazilian healthcare industry.
Notably, this is not the first time a ransomware group has targeted Brazil. Some time ago, actors leaked personal and business data from Brazilian government resources, including CNPJ/CPF identifiers, transaction amounts, bank information and other data. At the time, the group did not clarify the full scope of the breach or its possible source. KillSec ransomware has been known both for confirmed cases and for fake or speculative claims.
Unfortunately, this time KillSec ransomware hit Brazil hard. The stolen healthcare data includes sensitive test result reports, medical assessments, and other privacy-sensitive information. Resecurity identified several patients and contacted them. Given that many patients do not expect their information to be made public online, the cybercriminals extort healthcare providers with the stolen data, understanding that its exposure will cause significant damage not only to the victim organization but also to its end customers.
The total amount of stolen data is over 34 GB, including more than 94,818 files. Compromised data includes:
Medical evaluations, medical lab results, X-rays, photographs of patients showing body parts, and records associated with minors.
Notably, the KillSec ransomware actor also targeted medical institutions in Colombia, Peru and the US a few days before Brazil. This timing indicates an increasing interest among cybercriminals in the healthcare sector.
Two days ago, the actor announced that he had successfully compromised several well-known medical institutions:
Archer Health (USA), Suiza Lab (Peru), Gotelemedicina (Colombia), Emedicoerp (Colombia)
A month ago, the actor leaked data from Doctocliq, a well-known healthcare software platform in Peru, serving more than 3,500 doctors in more than 20 countries. In the past, the group has targeted the Royal Saudi Air Force (RSAF) and released several new leaks from non-healthcare sectors, including the compromise of Nathan and Nathan (UAE), a provider of HR, personnel, and technology solutions, and AVA Senior Connect (USA), a communications platform designed for the senior living community.
Based on Resecurity's analysis, KillSec Ransomware has found a sweet spot in targeting healthcare organizations. Healthcare organizations store a vast amount of sensitive and valuable data, including personal identification, medical history, insurance details, and payment information.
The data breach litigation and enforcement environment in the Brazilian healthcare sector is largely shaped by the Brazilian General Data Protection Act, Lei Geral de Proteção de Dados (LGPD), which took full effect in 2020. The main regulatory authority on data protection enforcement is the Autoridade Nacional de Proteção de Dados (ANPD), which oversees LGPD compliance, investigates violations and imposes sanctions.
ANPD has fined 15 healthcare institutions a total of R$12 million (~US$2.4 million) for lack of encryption and breach response plans as a result of the 2024 healthcare sector audit. Additional corrective actions included mandatory penetration testing and staff training. Since 2023, ANPD has issued R$98 million (~US$20 million) in fines across all sectors, with healthcare accounting for a significant portion due to repeated vulnerabilities and sector-wide audits.
Pierluigi Paganini
(SecurityAffairs – Hacking, KillSec ransomware)