Security & Compliance Automation Platform
UnderDefense MAXI is the solution to day-to-day cybersecurity problems of IT leaders and teams. It builds your 24/7 business protection together with you on the driver’s seat.
UnderDefense MAXI Platform
UnderDefense Secures Top Honor at the 2025 Global Infosec Awards
We’re proud of being a winner at the 2025 Global Infosec Awards…
10-Point AWS Security Checklist for Executives
Quickly assess your cloud security posture with this executive-ready checklist covering IAM, monitoring, and compliance essentials.
Anti-Phishing Playbook
Your free PDF guide to spotting and stopping phishing attacks before they reach your team or data.
24/7 Threat Detection & MAXImum Responsiveness
Our human-led MDR service combines expert insight and automation and AI for fast, precise threat response. Get full context in 2 minutes and cut MTTC to 15, staying ahead of ransomware and other attacks.
Calculate your MDR price
Pay only for the services you actually need, with no hidden costs.
10-Point AWS Security Checklist for Executives
Quickly assess your cloud security posture with this executive-ready checklist covering IAM, monitoring, and compliance essentials.
Anti-Phishing Playbook
Your free PDF guide to spotting and stopping phishing attacks before they reach your team or data.
Spot threats faster and respond smarter than tools alone
24/7 MDR and SOC services led by award-winning security experts. We act as an extension to your team or as a fully remote team, providing detailed threat insights and actionable responses to secure your environment immediately.
UnderDefense is an AWS Partner
We’re excited to announce that UnderDefense is now an AWS partner and available on AWS Marketplace…
Managed SOC at Your Service
Augment your SOC with 24/7 monitoring, threat detection, and expert response—without the overhead. Integrated with your existing tools, our SOCaaS stops attacks before they cause harm.
Managed SIEM Pricing Guide
Download a clear, practical overview of Managed SIEM pricing, featuring detailed breakdowns by service type, pricing model, real-world pros and cons, and key cost factors.
Managed SOC at Your Service
Augment your SOC with 24/7 monitoring, threat detection, and expert response—without the overhead. Integrated with your existing tools, our SOCaaS stops attacks before they cause harm.
Managed SIEM Pricing Guide
Download a clear, practical overview of Managed SIEM pricing, featuring detailed breakdowns by service type, pricing model, real-world pros and cons, and key cost factors.
Kill Security ransomware recovery team on standby
Kill Security (KillSec) transitioned from hacktivist roots to a full RaaS operation in 2023, with healthcare organisations accounting for the majority of its confirmed victims and stolen data leaked directly via Telegram. Isolate affected systems immediately and contact UnderDefense — do not attempt negotiation or containment alone.
Average Mttc
Ransom-Free recovery rate
Avoided in ransom
Global availability
Systems restored
IR experts
Ransomware cases resolved
IR experience
Do NOT attempt any self-remediation, as it can trigger further encryption and destroy recovery points. Instead, follow these steps:
Contact us now for urgent ransomware response assistance, 24/7
Get Help Now
Accomplishments and recognitions, demonstrating our commitment to excellence and innovation.
Momentum Leader in MDR
Best Support in MDR & IR
Managed Detection and Response (MDR)
Top Cybersecurity Company 2025
Best Managed Detection and Response Service
#4 of 184 teams Splunk Boss of the SOC
Best Of Cybersecurity Awards for Q1 2025
AWS Partner
Splunk Manage Premier Partner
Like a crime scene, a ransomware attack must be preserved — tampering with encrypted files, attempting self-recovery, or engaging with attackers can destroy critical evidence and reduce your chances of recovery.
Taking the right steps in the first moments after a Kill Security attack can make a huge difference and help you make a full recovery. Request 24/7 Kill Security ransomware recovery services to decrypt your data and maximize your chances of restoring operations.
Watch for Kill Security’s indicators of compromise: .killsec file extensions or similar (.kill), ransom notes (KillSec_Note.txt, RESTORE_YOUR_DATA.txt), leaked Telegram messages and dark web announcements about victims, disabled antivirus/EDR software, evidence of credential dumping and lateral movement, suspicious administrative account creation, and data exfiltration to attacker-controlled infrastructure. The group conducts thorough reconnaissance before encryption.
Kill Security operates as a selective RaaS group, recruiting experienced affiliates to conduct high-impact attacks on critical infrastructure (healthcare, government) rather than high-volume low-value campaigns.
Uses standard symmetric encryption for speed paired with public-key encryption, enabling rapid encryption of large healthcare datasets and government records.
Exfiltrates highly sensitive personal medical records, government employee data, and financial information, using data-breach threats alongside encryption pressure.
Conducts targeted supply chain compromises against healthcare software providers, managed service providers, and medical device vendors to access multiple healthcare organizations simultaneously.
Publishes victim lists and data samples on Telegram channels and dark web leak sites, using public notifications to maximize pressure and regulatory impact.
No public decryptor exists for Kill Security. The hybrid encryption scheme with private keys held by operators makes decryption impossible without ransom payment or law enforcement recovery.
Indicators are identified through Telegram channel monitoring, dark web leak site analysis, ransom note patterns, and forensic analysis of lateral movement and credential dumping.
File extensions
.killsec (primary), .kill, or occasional variants (.KillSec, .KILLSEC)
Ransom note filenames
KillSec_Note.txt, RESTORE_YOUR_DATA.txt, RESTORE_YOUR_FILES.txt (varies by variant), placed in user directories and network shares
Kill Security hashes
SHA256 hashes vary across samples; Kill Security binaries are compiled with different parameters per affiliate deployment. Representative samples have been analyzed by Resecurity, SocRadar, and Halcyon threat intelligence teams. No single hash signature represents all variants.
Kill Security tools
– Initial access: Phishing, exploitation of unpatched vulnerabilities, supply chain compromise via MSP/SaaS providers
– Credential dumping: Mimikatz, procdump, lsass.exe memory extraction, LSASS dump from Volume Shadow Copy
– Lateral movement: PsExec, WinRM, RDP with stolen credentials, Kerberoasting, pass-the-hash attacks
– Data exfiltration: FileZilla, Rclone to cloud storage, custom exfiltration scripts, FTP
– Persistence: Scheduled tasks, registry run keys, WMI event subscriptions, backdoor service installation
– Encryption: Kill Security ransomware binary deploying AES-256 + RSA-2048
– Announcement: Telegram channels, dark web leak sites for victim notification and pressure
Most common red flag
Execution of lsass.exe dumping commands (procdump or rundll32 with comsvcs.dll) followed by unusual cloud storage uploads or FTP connections, followed by Telegram notification of victim data and ransom demands.
Attack vector | % of Kill Security incidents | Notes |
Supply chain compromise (MSP, SaaS, healthcare vendor) | 45% | Compromised third-party provider with access to multiple healthcare orgs |
Exploited unpatched vulnerabilities (Exchange, RDP) | 30% | Internet-exposed systems without current security patches |
Phishing emails with malicious attachments | 15% | Macro-enabled Office documents or executable attachments |
Compromised credentials from data breaches | 10% | Administrative accounts exposed in previous breaches or dark web leaks |
Kill Security victims experience 2–6 week campaigns from initial access to ransom demand. Healthcare organizations report largest victim numbers (36 documented), with government entities as secondary target (15+ documented). Organizations with poor network segmentation report encryption spreading to all accessible systems within 24–72 hours. Ransom demands typically range from $100,000–$2,000,000+ depending on organization size and data sensitivity. Healthcare victims report average ransom demands of $300,000–$800,000. One documented Brazilian healthcare provider paid $400,000 to prevent data publication. Organizations refusing ransom demands experience data publication within 1–3 weeks on Telegram and dark web leak sites.
1. Immediately isolate all infected systems from the network to prevent lateral movement and further encryption.
2. Identify and disconnect all attacker-controlled accounts and sessions through forensic analysis of authentication and event logs.
3. Perform forensic acquisition of affected systems before any remediation to preserve evidence.
4. Boot infected systems into safe mode and scan with updated antivirus/EDR tools to locate and remove the Kill Security binary.
5. Remove any secondary persistence mechanisms (scheduled tasks, registry run keys, WMI event subscriptions, rogue services).
6. Force password resets for all potentially compromised accounts using a clean, air-gapped machine.
7. Conduct full Active Directory cleanup including removal of suspicious accounts and security group memberships.
8. Rebuild critical systems from clean images rather than attempting in-place malware removal.
1. Restore encrypted files from clean backups created before the attack window (test in isolated environment first).
2. Decrypt files using the Kill Security decryption key (if obtained via ransom payment or law enforcement recovery).
3. Validate all restored files through integrity checks and application-level testing (particularly critical for healthcare systems).
4. Implement network segmentation isolating clinical systems, financial systems, and government networks from general corporate networks.
5. Deploy EDR solutions on all systems with behavioral detection for credential dumping and lateral movement.
6. Implement continuous incremental backups with immutable, off-site storage.
7. Enforce multi-factor authentication on all administrative and critical accounts.
8. Conduct full incident response investigation and regulatory notification for affected patients/citizens.
Kill Security operators typically demand $100,000–$2,000,000+ depending on organization size, sector, and data sensitivity. Healthcare organizations report demands of $300,000–$800,000 for encrypted patient records. Government entities report demands of $200,000–$1,000,000+. Negotiation may reduce initial demands by 25–40%. Payment is demanded in cryptocurrency (Bitcoin or Monero).
10 reasons why you should choose the UnderDefense ransomware recovery consulting services:
Get Help NowKill Security (also known as KillSec) is a ransomware-as-a-service operation that originated as an Anonymous-aligned hacktivist collective conducting DDoS attacks and website defacements. The group formally transitioned to ransomware operations in October 2023 and launched formal RaaS in June 2024, establishing themselves as a significant threat to critical infrastructure including healthcare systems, government entities, financial institutions, and manufacturing organizations. The group employs sophisticated attacks targeting high-value organizations and conducts supply chain compromises to access multiple entities simultaneously.
Operational patterns suggest Kill Security operators are based in Eastern Europe or the CIS region. Activity patterns, language in communications, and focus on English-language targeting suggest possible Russian or Ukrainian origin. No definitive geolocation has been published by threat intelligence firms.
Kill Security attacks begin with supply chain compromise (infiltrating managed service providers, SaaS platforms, healthcare software providers) or exploitation of unpatched external-facing applications (Exchange, Fortinet, Cisco, RDP). Attackers establish persistent access and conduct reconnaissance to identify high-value data repositories (patient records, government employee databases, financial records). Over days or weeks, attackers conduct credential dumping using Mimikatz, move laterally using stolen credentials and tools like PsExec, and exfiltrate large quantities of sensitive data to attacker-controlled cloud storage. Finally, the Kill Security ransomware binary is deployed to encrypt all accessible files. Victims are notified via Telegram messages and dark web leak sites.
From initial supply chain compromise or application exploitation to encryption and ransom demand, Kill Security attacks typically span 2–6 weeks. Supply chain compromise to initial reconnaissance may take days; credential dumping and lateral movement occupy 1–3 weeks; data exfiltration spans 1–4 weeks; encryption deployment and victim notification occur within final 24–48 hours.
Kill Security-encrypted files cannot be decrypted without the RSA-2048 private key held by operators. Deletion of the malware stops further encryption but does not recover encrypted files. Recovery requires either paying the ransom for the decryption key (no guarantee of actual key delivery) or restoring from clean backups.
When Kill Security infects your systems, files are encrypted with .killsec extensions and become inaccessible. A ransom note (KillSec_Note.txt or similar) appears on infected systems, directing you to access a Tor website with your unique victim ID. Additionally, your organization is publicly announced on Kill Security’s Telegram channel and dark web leak site, with samples of exfiltrated data published to prove compromise and maximize pressure. You face a choice: (1) pay a substantial ransom ($300K–$1M+ for healthcare/government), (2) attempt recovery from backups, or (3) accept public data publication.
Prevent Kill Security attacks by: (1) conducting rigorous supply chain security audits of all third-party vendors and MSPs with network access; (2) patching all external-facing applications immediately upon release; (3) implementing network segmentation isolating critical systems (clinical, financial, government networks) from general networks; (4) deploying EDR solutions with behavioral detection for reconnaissance and lateral movement; (5) implementing multi-factor authentication on all administrative and vendor accounts; (6) maintaining immutable, off-site backups; (7) implementing detailed audit logging of administrative actions and data access; and (8) conducting quarterly threat-hunting exercises to identify persistence mechanisms.
– Conduct annual supply chain security assessments; audit and monitor all third-party vendor access
– Patch all external-facing applications immediately (Exchange, Fortinet, Cisco, RDP services)
– Implement multi-factor authentication on all administrative and third-party vendor accounts
– Implement network segmentation isolating clinical/financial/government systems from general networks
– Deploy EDR solutions on all critical systems with behavioral detection for reconnaissance and lateral movement
– Enable detailed audit logging for all administrative actions, data access, and credential usage
– Implement firewall rules restricting administrative and vendor access by source IP when possible
– Create daily incremental backups with immutable, off-site storage
– Test backup restoration monthly from all backup systems
– Implement data loss prevention (DLP) tools to detect and alert on bulk data access and exfiltration
– Conduct quarterly threat-hunting exercises identifying persistence mechanisms and unauthorized accounts
– Monitor Telegram channels and dark web leak sites for victim announcements and threat intelligence
Kill Security’s focus on healthcare and government reflects both operational capability and financial incentive. Healthcare organizations operate under strict regulatory requirements (HIPAA) and cannot disclose breaches without expensive patient notification; this creates strong incentive to pay ransoms to avoid notification costs. Government entities possess valuable citizen data (Social Security numbers, personal information) and critical infrastructure access, justifying substantial ransom demands. Healthcare also maintains detailed, valuable personal data (medical histories, insurance information) that is highly valuable on dark markets, creating secondary extortion leverage.
Kill Security originated circa 2021 as an Anonymous-aligned hacktivist collective conducting DDoS attacks and website defacements against government and corporate targets. In October 2023, the group announced recruitment for “technical specialists” to move into ransomware operations, signaling a transition from purely ideological hacking to profit-motivated cybercrime. By June 2024, Kill Security formally launched a RaaS operation with affiliate recruitment and infrastructure. This transition reflects a broader trend in cybercriminal evolution: as law enforcement pressure on traditional ransomware increases, groups diversify their operational models and maintain additional revenue streams beyond encryption-based attacks.