
North Korean state-backed hackers linked to the Lazarus threat group are targeting U.S. healthcare organizations in extortion attacks using the Medusa ransomware.
The Medusa ransomware-as-a-service (RaaS) operation emerged in January 2021, and by February 2025 it had impacted over 300 organizations across numerous critical infrastructure sectors. Since then, the gang has claimed at least another 80 victims.
North Korean threat actors have previously been linked to other ransomware strains such as HolyGhost, PLAY, Maui, and Qilin, as well as to other malware families. However, this is the first time security researchers have associated the actor with Medusa.
In a report today, enterprise cybersecurity company Symantec says that a Lazarus subgroup, possibly Andariel/Stonefly, is now using Medusa in financially motivated cyberattacks targeting U.S. healthcare providers.
According to the researchers, the toolset used in these attacks also shows some association with Diamond Sleet, another North Korean group that typically targets the media, defense, and IT industries.
However, some of the utilities seen in the Medusa ransomware attacks are commodity tools:
- Comebacker – Backdoor/loader (seen used by Diamond Sleet)
- Blindingcan – Remote access trojan
- ChromeStealer – Chrome credential extractor
- Infohook – Information stealer
- Mimikatz – Credential dumping tool
- RP_Proxy – Custom proxy tool
- Curl – Data transfer tool
The researchers comment that no sectors are off-limits for North Korean hackers, who keep getting involved in cybercrime for financial gain.
“While some cybercrime outfits claim to avoid targeting healthcare organizations because of the reputational damage it could attract, Lazarus doesn’t appear to be in any way constrained,” Symantec researchers say.
Medusa has targeted several healthcare and non-profit organizations in the U.S.: the gang’s data leak site lists four such victims since the beginning of November 2025, among them an educational facility for autistic children.
Not all of these Medusa attacks can be confidently attributed to Lazarus hackers, though. Medusa can demand ransoms as large as $15 million, but Symantec researchers say that the average is around $260,000.
Stolen funds are used to support espionage operations against entities in the defense, technology, and government sectors in the U.S., Taiwan, and South Korea.
Symantec has provided a set of indicators of compromise (IoCs) in its report, which include network infrastructure data and hashes for the malware used in the attacks.

