THREAT ACTOR

KillSec

THREAT LEVEL
7
EMERGENCE DATE
Oct 2023
CATEGORY
Ransomware-as-a-Service
AFFILIATIONS

Anonymous Hacktivist Origins (2021): initial activities aligned with Anonymous, conducting DDoS attacks and website defacements with pro-Russian, anti-Western messaging.

DESCRIPTION

Following Anonymous-aligned hacktivist activities beginning in 2021, the group launched structured ransomware operations in October 2023 and formalized its RaaS platform in June 2024. The group is distinguished by its exploitation of cloud misconfigurations rather than zero-day vulnerabilities, and its accessible RaaS model enables rapid victim accumulation across critical sectors.

The group reached over 250 documented compromises with zero law enforcement disruption. Barrier-free entry democratizes ransomware operations, turning cloud security oversights into a scalable business model.

CRITICALITY
Assesses the importance of the potential target, including its size/scale, the value of its data, and the operational impact of an attack.
LETHALITY
Evaluates the potential for damage from the attack, including the ability to disrupt operations, cause financial loss, and damage public brand image.
AGGRESSIVENESS
Assesses the psychological and tactical intensity of the group's behavior, including targeted harassment, violent language, blackmail, and political motives.

Classifications & Affiliations

Type: Ransomware-as-a-Service (RaaS)

KillSec operates a structured RaaS platform, launched in June 2024, with a pricing model that positions it among the most affordable offerings. The Tor-accessible control panel provides real-time statistics, integrated chat functionality, and builder tools for customizing ransomware configurations. This user-friendly infrastructure lowers technical barriers, enabling less skilled actors to conduct operations. The $250 entry fee with 88% affiliate retention creates one of the most favorable commission structures in the RaaS ecosystem.

Affiliate recruitment through Telegram channels requires English/Russian language capabilities, with selective vetting for "trusted individuals", though the specific criteria remain undisclosed. Evidence suggests fragmented operations with multiple actors under shared branding rather than a monolithic structure.

Current Status: Active as of November 2025 with over 250 documented victims and expanding geographic presence in India, USA, and Latin America.

Threat Level:
7

Origins and Methodology

The group's approach centers on exploiting cloud storage misconfigurations rather than vulnerability chains. Automated crawlers identify publicly accessible AWS S3 buckets with disabled security settings and weak IAM policies, requiring zero network penetration.
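The bucket weaknesses described above (public access block disabled, anonymous bucket-policy grants, no encryption at rest) are exactly what an internal audit should catch first. The following is an added example, not code from the original profile: a Python check over constructed bucket snapshots in the shape an audit script would assemble from the GetPublicAccessBlock, GetBucketPolicy and GetBucketEncryption API responses (the bucket and role names are placeholders).

```python
# Constructed bucket snapshots (illustrative, not from any real account) in the
# shape an audit script would assemble from the GetPublicAccessBlock,
# GetBucketPolicy and GetBucketEncryption API calls.
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
             "BlockPublicPolicy", "RestrictPublicBuckets")
WEAK_BUCKET = {
    "public_access_block": {flag: False for flag in PAB_FLAGS},
    "policy": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": "*",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-exports",
                      "arn:aws:s3:::example-exports/*"]}]},
    "encryption": None,  # no default encryption configured
}
HARDENED_BUCKET = {
    "public_access_block": {flag: True for flag in PAB_FLAGS},
    "policy": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/export-reader"},
         "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-exports/*"}]},
    "encryption": {"SSEAlgorithm": "aws:kms"},
}

def _is_public_principal(principal):
    """True for the wildcard principal forms that grant access to anyone."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False

def audit_bucket(bucket):
    """Return findings for the weaknesses the crawlers described above look for.
    Simplification: policy Conditions that narrow a "*" grant are ignored."""
    findings = []
    pab = bucket.get("public_access_block") or {}
    for flag in PAB_FLAGS:
        if not pab.get(flag, False):
            findings.append(f"public access block: {flag} disabled")
    for stmt in (bucket.get("policy") or {}).get("Statement", []):
        if stmt.get("Effect") == "Allow" and _is_public_principal(stmt.get("Principal")):
            actions = stmt.get("Action", [])
            actions = [actions] if isinstance(actions, str) else actions
            findings.append("policy grants " + ", ".join(actions) + " to everyone")
    if not bucket.get("encryption"):
        findings.append("no default encryption at rest")
    return findings
```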

The combination of low-barrier RaaS accessibility with strategic supply chain targeting sets its operations apart from traditional ransomware operators. Recent healthcare campaigns demonstrate force multiplication, where a single vendor compromise cascades across multiple downstream facilities, turning trusted IT relationships into attack vectors. This tactical maturity emerged despite an operational focus on configuration oversights rather than sophisticated exploits.

What is the Evolution of KillSec Ransomware?
Formation

Organizational origins trace to 2021 as an Anonymous-aligned hacktivist group conducting DDoS attacks and website defacements. The October 2023 Telegram recruitment message seeking technical specialists marked the transition from activism to ransomware enterprise.

Initial ransomware deployments used KillSecurity 2.0 and 3.0 variants with Tor-based leak sites. Early activity showed steady victim accumulation across India, Romania, and Bangladesh.

Evolution

The initial months following emergence focused on establishing technical infrastructure and affiliate recruitment mechanisms. June 25, 2024 marked formalization with the RaaS platform announcement, featuring a Tor control panel and a structured commission model. Around mid-2024, technical capability expanded to include a VMware ESXi locker built from Python-based encryption scripts. Integration of CVE-2025-31161 CrushFTP exploitation showed vulnerability opportunism beyond the primary cloud misconfiguration focus.

Operations since September 2025 show tactical maturation toward a supply chain targeting methodology, where healthcare IT vendor compromise enables cascading downstream impact. Infrastructure disruption in November 2024 required a seamless transition to backup Telegram channels. Service diversification beyond ransomware includes penetration testing offerings, OSINT gathering, DDoS stresser development, and automated phone harassment capabilities.

Lineage/Connections

Direct lineage from 2021 Anonymous-aligned hacktivist activities, with documented DDoS and defacement campaigns carrying pro-Russian ideological messaging. The transition from activism to ransomware enterprise occurred in late 2023, with the formal RaaS launch in June 2024.

Attribution to Eastern Europe/Russia is based on Moscow timezone activity hours, English/Russian language requirements, and CIS nation avoidance patterns. However, its non-traditional targeting of Asia and Latin America rather than Western Europe diverges from typical Russian threat actor patterns. Evidence suggests multiple actors under shared branding with a potentially fragmented structure.

Which Unique Techniques Does KillSec Use?

Attack methodologies prioritize opportunistic exploitation of cloud security posture weaknesses over vulnerability chains. Primary infection vectors draw on automated discovery of misconfigured AWS S3 storage, supplemented by CVE-2025-31161 CrushFTP authentication bypass exploitation, VPN credential brute-forcing, and weaponized PDF phishing campaigns.

TECHNIQUE / DETAILS

Infection Vectors

Automated crawler identification of publicly accessible AWS S3 buckets with disabled security settings and weak IAM policies; CVE-2025-31161 CrushFTP authentication bypass via AWS4-HMAC authorization method; VPN credential brute-forcing and credential stuffing; RDP weak configuration exploitation; weaponized PDF social engineering

Target Selection

Geographic concentration in India (nearly 30%), USA (9%), Bangladesh (7%), Brazil, Peru, Colombia focusing on emerging market digitization; sector targeting prioritizes healthcare (over 20%), finance (18%), government (16%), technology, manufacturing; healthcare IT vendors and SaaS providers targeted for supply chain cascade impact; ransom demands €1,500-$100,000 suggest SME focus

Operational Complexity

Moderate-to-high technical capability through C++ encryption engine, multi-platform deployment, and in-memory execution, though focus on cloud misconfigurations suggests pragmatic attack selection; supply chain targeting methodology shows strategic maturation; quiet data harvesting over weeks before encryption deployment; progressive pressure including countdown timers, sample data releases, DDoS during negotiations

Key Features & Technical Details

Technical architecture centers on C++ implementation with AES-256 encryption across Windows and VMware ESXi environments.

FEATURE / DETAILS

Encryption Method

Hybrid AES-256 encryption using standard per-victim key pairs; C++ engine selected for speed.

VMware ESXi targeting with VM shutdown before encrypting virtual machine files.

No available decryptor with traditional signature-based detection largely ineffective

File Extension

Suspected .killsec extension appended to encrypted files (unverified)

Ransom Note

Suspected filenames README.txt or !KillSec_Instructions.txt (unverified).

Notes combine financial demands with hacktivist political messaging; time-limited discounts incentivize rapid payment

Double Extortion

Data exfiltration precedes encryption with 5GB-34GB+ volumes per incident; exfiltrated data includes PHI, financial records, government contracts, intellectual property, biometric data.

Tor-based leak site with "For Sale" section offering stolen datasets $5,000-$350,000.

Progressive pressure includes countdown timers, sample data releases, DDoS attacks, website defacement

Communication Channels

C2 infrastructure on the Tor network using nginx servers, with confirmed C2 IP addresses.

Telegram channels for affiliate coordination.

Session Messenger and Tox protocol for victim communications

Deployment Speed

Quiet data harvesting over weeks before encryption.

In-memory execution through reflective DLL injection bypassing disk-based detection; import hashing evades antivirus heuristics.

Rapid ESXi VM shutdown and encryption sequences

Payment Method

Exclusively Monero (XMR) cryptocurrency for privacy.

Ransom demands typically range €1,500-€10,000 with median approximately €10,000 ($10,880); documented €800,000+ in total demands.

Conservative estimates assuming 30% payment rates suggest $950K-$1.5M total revenue, while 60% rates project $1.9M-$3M+

Operational Model

RaaS platform launched in June 2024 with $250 entry fee and 12% operator commission/88% affiliate retention.

Tor control panel with real-time statistics, integrated chat, builder tools.

Service diversification includes penetration testing, OSINT gathering, DDoS stresser tool, automated phone harassment, credential stealer development

Activities

Activity tempo shows sustained growth since emergence, reaching over 250 documented compromises. Recent healthcare supply chain campaigns demonstrated coordinated targeting across Brazil, Peru, USA, and Colombia, where single vendor compromise cascaded across multiple downstream facilities. This force multiplication through trusted vendor relationships represents tactical maturation beyond opportunistic attacks.

Geographic targeting shows close to one-third concentration in India, USA (nearly 1 in 10), Bangladesh (7%), with expansion into Latin America during 2024-2025 supplementing established Asia-Pacific presence.

Which Industries Are Most Vulnerable to KillSec?

Sector distribution prioritizes healthcare systems (roughly one in five), financial services (18%), government entities (over 15%), technology firms, manufacturing enterprises, transportation infrastructure, and educational institutions.

Modus Operandi

Attack chains prioritize cloud security weaknesses supplemented by vulnerability exploitation and credential compromise.

Details

CVE-2025-31161 exploitation targeting CrushFTP via authentication bypass (T1190); automated identification of misconfigured AWS S3 buckets; compromised VPN credentials (T1078); RDP brute-forcing (T1133); weaponized PDF social engineering (T1566).

Details

System and network reconnaissance identifying high-value targets and topology; automated cloud environment discovery through crawler scanning for publicly accessible storage; healthcare IT vendor and SaaS provider identification for supply chain compromise opportunities.

Details

MeshCentral agents observed in CVE-2025-31161 exploitation campaigns; Tor network infrastructure with nginx servers for anonymized C2 communications.

Details

Reflective DLL injection directly into lsass.exe enabling in-memory execution bypassing disk-based detection (T1055.001); import hashing employed to evade antivirus heuristics (T1027); manipulation of Advapi32.dll library for evasion (T1562.001).

Living-off-the-land techniques using legitimate system tools; KillSecurity variant evolution (2.0, 3.0) with refined evasion capabilities.

Details

Registry credential dumping via reg.exe commands for Security Account Manager extraction (T1003.002); LSASS memory access for credential harvesting; credential stuffing using compromised VPN and RDP credentials.

Details

Tor network infrastructure using nginx servers for anonymity with confirmed C2 IPs (T1071, T1090); post-exploitation infrastructure supporting MeshCentral agent communications.

Telegram channels for affiliate coordination with November 2024 seamless backup channel transition; Session Messenger and Tox protocol for victim communications.

Details

Supply chain compromise targeting healthcare IT vendors and SaaS providers to facilitate downstream propagation through trusted vendor relationships; exploitation of trusted vendor access credentials for cascading impact.

Details

Quiet data harvesting over weeks before encryption with 5GB-34GB+ exfiltration volumes per incident (T1560); data transfer to cloud storage platforms including GoFile (T1567); exfiltration through C2 channels (T1041). Targeted data types include PHI, financial records, government contracts, intellectual property, customer databases, biometric data.

Details

Disguised service creation running under SYSTEM account for boot persistence (T1543.003); scheduled task creation for automated execution (T1053.005); registry key modifications for persistence.

Details

System and data encryption causes disruption to critical infrastructure; healthcare supply chain cascade impact where single vendor compromise affects multiple downstream facilities; business interruption given no available decryptor. Data exposure through leak site publication creates reputational damage and regulatory compliance implications particularly for healthcare and financial services sectors.

Details

AES-256 hybrid encryption deployment with standard per-victim key pairs (T1486); VMware ESXi targeting with VM shutdown before encrypting virtual machine files; in-memory execution through reflective DLL injection bypassing traditional detection.

Details

Data exfiltration preceding encryption enables progressive pressure tactics including countdown timers (5-7 days typical), sample data releases, DDoS attacks (T1498), website defacement (T1491), direct victim notification. Tor-based leak site with "For Sale" section offering stolen datasets $5,000-$350,000; ransom notes combine financial demands with hacktivist political messaging; time-limited discounts incentivize rapid payment.

Details

Shadow copy deletion via vssadmin.exe and wmic.exe commands inhibiting system recovery (T1490); log file manipulation and cleanup activities; anti-forensics measures complicating incident response.

Indicators of Compromise (IOCs)

Detection capabilities are severely constrained by the absence of signature-based indicators: no file hashes, YARA rules, or VirusTotal submissions are publicly available.

INDICATOR / DETAILS

File Hashes

CRITICAL INTELLIGENCE GAP: No SHA-256, SHA-1, or MD5 hashes publicly available.

Traditional signature-based detection is largely ineffective, forcing organizations toward behavioral analytics.

IP Addresses

82.147.84.98 (C2 server)
77.91.77.187 (C2 server)
93.123.39.65 (C2 server)
2.58.56.16 (CVE-2025-31161 exploitation infrastructure, shared across multiple threat actors)

Domains/URLs

kill432ltnkqvaqntbalnsgojqqs2wz4lhnamrqjg66tq6fuvcztilyd.onion (Tor-based leak site)
Backup Tor domain (address not disclosed)
GoFile platform connections (data exfiltration)
Tor network traffic patterns indicating C2 communications

File Paths

C:\Windows\System32\WinLevelService (disguised persistence service)
C:\Windows\Temp\ (common staging directory)
VMware ESXi paths: /vmfs/volumes/ (virtual machine file locations)

File Extensions

.killsec (suspected encrypted file extension, unverified)
.vmdk (targeted VMware disk files)
.vmem (targeted virtual machine memory files)
.vswp (targeted swap files)
.log (targeted log files)
.vmsn (targeted snapshot files)

Process Names

vssadmin.exe (shadow copy deletion)
wmic.exe (shadow copy deletion via WMI)
reg.exe (registry credential dumping)
lsass.exe (injection target for in-memory execution)
esxcli (ESXi VM shutdown commands)

Registry Keys

HKLM\SYSTEM\CurrentControlSet\Services\WinLevelService (persistence mechanism)
Scheduled task registry modifications for persistence

Behavioral Indicators

Sysmon Event 11: Mass file creation patterns indicating encryption activity
Windows Security Events 4698/4702: Scheduled task creation and modification for persistence
Sysmon Events 12/13/14: Registry persistence modifications
Sysmon Event 10: LSASS memory access indicating credential dumping
Unusual egress to cloud storage platforms and Tor network
Quiet data harvesting over weeks with gradual data transfer increases before encryption deployment
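Because no hashes or YARA rules exist, the process names, registry key, file path and behavioral indicators above have to be turned into behavioral rules. The following is an added example, not code from the original profile: a small Python detector run over constructed Sysmon-style events (the update.exe staging binary, the share path, and the LSASS allowlist are assumptions; the technique IDs are the ones cited on this page).

```python
import re
from collections import Counter

# Constructed Sysmon-style events (illustrative, not real telemetry); the
# process names, paths and WinLevelService key come from the IOC table above.
EVENTS = [
    {"EventID": 1, "CommandLine": "vssadmin.exe delete shadows /all /quiet"},
    {"EventID": 1, "CommandLine": "wmic shadowcopy delete"},
    {"EventID": 1, "CommandLine": r"reg save HKLM\SAM C:\Windows\Temp\sam.hiv"},
    {"EventID": 10, "SourceImage": r"C:\Windows\Temp\update.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe"},
    {"EventID": 13, "TargetObject":
     r"HKLM\System\CurrentControlSet\Services\WinLevelService\ImagePath"},
] + [  # 25 rapid file creates carrying the suspected .killsec extension
    {"EventID": 11, "Image": r"C:\Windows\Temp\update.exe",
     "TargetFilename": rf"C:\Shares\finance\report{i}.xlsx.killsec"}
    for i in range(25)
]

# Hypothetical baseline of processes expected to open LSASS; tune per estate.
LSASS_ALLOWLIST = {"csrss.exe", "wininit.exe", "services.exe", "msmpeng.exe"}
SHADOW_DELETE = re.compile(r"vssadmin.*delete\s+shadows|wmic.*shadowcopy\s+delete", re.I)
HIVE_DUMP = re.compile(r"\breg(\.exe)?\s+save\s+hklm\\(sam|security|system)\b", re.I)

def detect(events, mass_create_threshold=20):
    """Return (rule, evidence) tuples for the behavioral indicators listed above."""
    alerts, creates = [], Counter()
    for e in events:
        eid = e["EventID"]
        if eid == 1:  # process creation: recovery inhibition and hive dumping
            cmd = e.get("CommandLine", "")
            if SHADOW_DELETE.search(cmd):
                alerts.append(("T1490 shadow copy deletion", cmd))
            elif HIVE_DUMP.search(cmd):
                alerts.append(("T1003.002 registry hive dump", cmd))
        elif eid == 10 and e.get("TargetImage", "").lower().endswith("\\lsass.exe"):
            src = e.get("SourceImage", "").rsplit("\\", 1)[-1].lower()
            if src not in LSASS_ALLOWLIST:  # ProcessAccess on LSASS from an unexpected image
                alerts.append(("LSASS access from unexpected process", e["SourceImage"]))
        elif eid == 13 and "\\services\\winlevelservice" in e.get("TargetObject", "").lower():
            alerts.append(("T1543.003 WinLevelService persistence", e["TargetObject"]))
        elif eid == 11:  # FileCreate volume per process, evaluated after the pass
            creates[e.get("Image", "")] += 1
    for image, n in creates.items():
        if n >= mass_create_threshold:
            alerts.append(("mass file creation (possible encryption)", f"{image}: {n} files"))
    return alerts
```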

Exploits and Vulnerabilities

CVE / CVSS / DESCRIPTION

CVE-2025-31161 (CrushFTP Authentication Bypass) / 9.8 / Authentication bypass in the AWS4-HMAC authorization method allowing unauthenticated attackers to gain admin-level access by sending usernames with trailing slashes.

Additional Attack Vectors: AWS S3 bucket misconfigurations with disabled security settings, weak IAM policies, and no encryption-at-rest safeguards represent the primary attack vector and require no vulnerability exploitation at all. VPN credential brute-forcing, weak RDP configurations, credential stuffing, and weaponized PDF phishing campaigns supplement the opportunistic CVE-2025-31161 exploitation.