KillSec Ransomware Targeting Patient Data and Hospital Networks
By compromising critical AWS S3 buckets containing over 34 GB of patient records and medical assets, the threat actors exfiltrated nearly 95,000 files ranging from unredacted X-rays and diagnostic images to lab results, medical assessments, and even photographs of minors.
The volume and sensitivity of the stolen data far exceed prior incidents attributed to KillSec, underscoring the heightened risk posed by targeting healthcare IT suppliers.
Resecurity’s incident response team traced the breach to publicly exposed AWS storage endpoints that lacked proper access controls and encryption-at-rest safeguards.
The attackers utilized an automated crawler to identify misconfigured buckets, then quietly harvested data over several weeks before deploying their ransomware payload.
No infiltration of MedicSolution+’s internal networks was necessary; the exploit relied solely on “low-hanging fruit” cloud misconfigurations.
Within 48 hours of the data dump, KillSec published a ransom note on its TOR leak site, demanding immediate negotiations or threatening wholesale publication of Brazil’s medical records.
The supply chain compromise amplifies the potential impact on downstream healthcare providers, as clinics using MedicSolution+ may now face a cascading series of breaches of patient confidentiality.
Resecurity identified references to Brazilian institutions such as Vita Exame, Clinica Especo Vida, Centro Diagnostico Toledo, Labclinic, and Laboratório Alvaro within the stolen archives.
Patients remain unaware of the incident, heightening the risk of identity fraud, extortion, and irreversible reputational damage to both providers and software vendors.
This attack follows a rapid succession of breaches earlier in September affecting Archer Health in the United States, Suiza Lab in Peru, and multiple Colombian telemedicine platforms.
A month prior, KillSec compromised Doctocliq, which serves over 3,500 physicians, through a similar vector of exposed cloud buckets. The consistency of this technique signals a clear shift in adversary tactics toward exploitation of third-party IT infrastructure rather than direct network intrusions.
Healthcare organizations processing sensitive patient data must urgently audit cloud asset configurations and enforce strict least-privilege policies. Real-time asset discovery and attack surface management are critical to detect misconfigurations before adversaries can exploit them.
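As an added example (not from the original article or from Resecurity), the following Python check looks for the two gaps named above, public exposure and missing encryption at rest, in constructed bucket configuration snapshots. The snapshot dict layout and the bucket names are assumptions; the fields mirror what the S3 public-access-block, ACL, policy and encryption APIs return.

```python
import json

GROUPS = "http://acs.amazonaws.com/groups/global/"
PUBLIC_GROUPS = {GROUPS + "AllUsers", GROUPS + "AuthenticatedUsers"}
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
             "BlockPublicPolicy", "RestrictPublicBuckets")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def audit_bucket(snap):
    """Return findings for one bucket snapshot (dict layout is an assumption)."""
    findings = []
    pab = snap.get("PublicAccessBlock") or {}
    off = [flag for flag in PAB_FLAGS if not pab.get(flag)]
    if off:
        findings.append("pab-disabled:" + ",".join(off))
    # Public ACL grants only take effect while IgnorePublicAcls is off.
    if not pab.get("IgnorePublicAcls"):
        for grant in snap.get("Grants", []):
            if grant.get("Grantee", {}).get("URI") in PUBLIC_GROUPS:
                findings.append("public-acl:" + grant["Permission"])
    # Unconditioned Allow to a wildcard principal, unless RestrictPublicBuckets is on.
    if snap.get("Policy") and not pab.get("RestrictPublicBuckets"):
        for st in _as_list(json.loads(snap["Policy"]).get("Statement", [])):
            p = st.get("Principal")
            wild = p == "*" or (isinstance(p, dict) and "*" in _as_list(p.get("AWS")))
            if st.get("Effect") == "Allow" and wild and not st.get("Condition"):
                findings.append("public-policy:" + ",".join(_as_list(st.get("Action", "?"))))
    if not snap.get("EncryptionRules"):
        findings.append("no-default-encryption")
    return findings

# Constructed sample snapshots (not data from the incident).
SAMPLES = {
    "example-exposed-bucket": {
        "PublicAccessBlock": None,
        "Grants": [{"Grantee": {"URI": GROUPS + "AllUsers"}, "Permission": "READ"}],
        "Policy": json.dumps({"Statement": [{
            "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-exposed-bucket/*"}]}),
        "EncryptionRules": [],
    },
    "example-locked-bucket": {
        "PublicAccessBlock": dict.fromkeys(PAB_FLAGS, True),
        "Grants": [], "Policy": None,
        "EncryptionRules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}],
    },
}
```

Calling audit_bucket on each entry in SAMPLES returns four findings for the exposed bucket and an empty list for the locked one.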
Under Brazil’s LGPD, data controllers have just three business days to notify the Autoridade Nacional de Proteção de Dados (ANPD) and affected individuals following a breach. Failure to comply can result in fines exceeding BRL 12 million, as seen in recent sector-wide audits.
By weaponizing cloud misconfigurations in high-value healthcare supply chains, KillSec has demonstrated a scalable, high-yield approach to ransomware extortion.
Unless software providers and their clients bolster cloud security hygiene, the group’s hack-and-leak operations are poised to inflict even greater damage on patient privacy and institutional trust.
The post KillSec Ransomware Targeting Patient Data and Hospital Networks appeared first on Cyber Security News.