North Korean-Led Lazarus Group Linked to Medusa Ransomware Attacks
North Korean State-Sponsored Hackers Linked to Medusa Ransomware Attacks on US Healthcare Organizations
A subgroup of the notorious Lazarus threat group, backed by the North Korean government, has been identified as the perpetrator of a series of Medusa ransomware attacks targeting US healthcare providers. This is the first time researchers have linked the Lazarus group to the Medusa ransomware-as-a-service (RaaS) operation, which emerged in January 2021.
Attack Details
According to a recent report by enterprise cybersecurity firm Symantec, the Lazarus subgroup, possibly Andariel or Stonefly, has been using Medusa in financially motivated cyberattacks against US healthcare organizations. The toolset employed in these attacks shows some association with Diamond Sleet, another North Korean group known for targeting media, defense, and IT industries.
The attackers’ arsenal includes a range of custom and commodity tools, such as the Comebacker backdoor/loader, Blindingcan remote access trojan, ChromeStealer Chrome credential extractor, Infohook information stealer, Mimikatz credential dumping tool, RP_Proxy custom proxy tool, and Curl data transfer tool. These tools enable the hackers to gain unauthorized access to targeted networks, steal sensitive data, and extort ransom payments.
Symantec researchers note that no sectors are immune to North Korean hackers, who continue to engage in cybercrime for financial gain. Unlike some cybercrime outfits that avoid targeting healthcare organizations due to reputational concerns, the Lazarus group appears to have no such constraints.
Impact and Ransom Demands
Medusa ransomware attacks have hit multiple healthcare and non-profit organizations in the US, with the gang’s data leak site listing four victims since November 2025. The attackers have demanded ransoms as large as $15 million, although the average payment is reportedly around $260,000. The proceeds are believed to support espionage operations against entities in the defense, technology, and government sectors in the US, Taiwan, and South Korea.
Mitigation and Response
Symantec has provided a set of indicators of compromise (IoCs) in its report, including network infrastructure data and hashes for the malware used in attacks. These IoCs can help organizations detect and respond to potential Medusa ransomware attacks.
The Lazarus group’s involvement in Medusa ransomware attacks highlights the ongoing threat posed by state-sponsored hackers to US healthcare organizations. As the healthcare sector continues to face an evolving threat landscape, it is essential for organizations to remain vigilant and implement robust cybersecurity measures to protect against these types of attacks.
