Prominent ransom gang KillSec has demanded ransoms from two new Australian victims on its dark web leak site, including a company that sells cybersecurity solutions.
Brisbane-based technology solutions provider Hexicor and Melbourne-based creative content agency Fancy Films both appeared on the threat actor’s leak site between Tuesday and Wednesday morning, marking eight Australian organisations claimed by KillSec since late 2024.
The breach listing for Hexicor, which services over 1,000 government customers and 1,500 business and corporate customers, showed a portion of apparent Hexicor clients listed in alphabetically organised folders.
The most concerning of these entries included health research outfit AusHealth, prominent service provider for Deaf Australians, Deaf Connect, and a folder maked “DET” which appeared to reference Victoria’s Department of Education.
While KillSec did not disclose precisely what data it has allegedly stolen, its data samples related largely to backups, digital certificates and a range of sensitive system files.
“Company can pay for data deletion,” wrote KillSec.
“Non-company related individuals may contact us to reach an agreement for data purchase.”
Hexicor – which provides services in cybersecurity, IT, data, networks and more – did not respond to Information Age when asked for comment.
Coles, Metro Trains listed in alleged Fancy Films breach
KillSec leaked a notably larger data sample for its second overnight victim, Fancy Films, claiming to have stolen data for such prominent Australian clients as Coles, Melbourne’s Metro Trains, City of Melbourne, Australia Post, NAB, Energy Australia, Peter Maccallum Cancer Centre, the Country Fire Authority (CFA) and dozens more.
The gang was similarly tight-lipped on the nature of its allegedly stolen data, though its leak samples pointed to internal insurance certificates, inventory spreadsheets and submissions to government projects – including details of a past engagement with Australia Post.
Other allegedly leaked folders were labelled “Client Assets” and “Project Files”, while Fancy Films’ known clients largely appeared to match those in KillSec’s dark web listing.
Fancy Films did not respond to a request for comment.
While KillSec did not divulge the methods behind its alleged attacks, Nalin Arachchilage, associate professor in cybersecurity at RMIT University, told Information Age the threat actor appears to follow a double extortion ransomware model where “they exfiltrate data before demanding a ransom”, rather than just encrypting it.
He added the gang’s tactics include the use of phishing campaigns, zero-day vulnerabilities and exploiting misconfigurations in cloud storage environments.
Why Australian companies?
Information Age has observed at least six other Australian KillSec listings since late 2024, the latest of which saw the disclosure of passports allegedly stolen from Sydney-based travel agency Wendy Wu Tours.
Matt Green, principal threat analyst at security firm Rapid7, said KillSec was first observed conducting a “public search for talent” in October 2023, and has gone on to build an active ‘Ransomware-as-a-Service’ (RaaS) platform.
“KillSec has remained highly active in 2025 and its victims have historically come from industries including healthcare, finance, and government,” said Green.
Despite KillSec’s notable uptick in alleged Australian victims, Green noted the group appears to have “no strong geographic preference” beyond avoiding Commonwealth of Independent States (CIS) countries, which includes Russia.
“The variety in victim size and industry reflects an opportunistic strategy rather than targeted campaigns, indicating KillSec will go after any vulnerable organisation,” he said.
“The uptick of victims within Australia showcases the trend in targeting less security-mature organisations in wealthier countries, where ransom payments tend to be more lucrative.”
Notably, KillSec appears to have had little success in extorting ransom payments from its Australian victims, as all Australian companies listed on its site have had their data published rather than taken down.
While the listings on KillSec’s site don’t account for companies which may have paid a ransom in private, Arachchilage suggested the group may have motives beyond ransom extortions.
“KillSec’s recent attacks on Hexicor, Fancy Films, and Wendy Wu Tours highlight an emerging and concerning pattern – targeting mid-sized Australian businesses with high-profile government and corporate clients,” said Arachchilage.
“The pattern of attacks, despite non-payment, suggests financial extortion may not be KillSec’s sole objective.”
He suggested the gangs motivations could include “potential geopolitical motives”, “testing Australia’s defences” or capitalising on data theft for “alternative monetisation” such as identity fraud or dark web sales.
“While KillSec’s affiliations remain unclear, persistent targeting of Australian firms – especially those linked to government clients – raises questions about state-sponsored interests,” he said.
KillSec has threatened to release its allegedly stolen data for Fancy Films and Hexicor under two separate ransom countdown timers which, at the time of publication, read approximately five days.
