Medusa Ransomware Attacks in Middle East and U.S. Healthcare Sector
North Korean Hacking Group Deploys Medusa Ransomware in Middle East and US Healthcare Attacks
A recent report by Symantec and Carbon Black’s Threat Hunter Team has revealed that the North Korea-linked Lazarus Group has been using Medusa ransomware in attacks targeting entities in the Middle East and the US. The group, also known as Diamond Sleet and Pompilus, was observed deploying Medusa, which is run as a ransomware-as-a-service (RaaS) offering, in an attack against an unnamed entity in the Middle East. Additionally, Broadcom’s threat intelligence division identified the same threat actors behind an unsuccessful attack against a US-based healthcare organization.
Medusa Ransomware Attacks
Medusa, launched by the cybercrime group Spearwing in 2023, has claimed at least 366 attacks to date. Analysis of the Medusa leak site revealed attacks against four healthcare and non-profit organizations in the US since November 2025, with an average ransom demand of $260,000. The victims included a non-profit in the mental health sector and an educational facility for autistic children.
North Korean Hacking Groups and Ransomware
This is not the first instance of North Korean hacking groups using ransomware. In 2021, a Lazarus sub-cluster known as Andariel was observed using bespoke ransomware families like SHATTEREDGLASS and Maui in attacks against entities in South Korea, Japan, and the US. Later, in October 2024, the group was linked to a Play ransomware attack, marking a transition to using off-the-shelf lockers.
According to Dick O’Brien, principal intelligence analyst for the Symantec and Carbon Black Threat Hunter Team, “the motivation is likely pragmatism. Why develop your own ransomware payload when you can use a tried-and-tested threat like Medusa or Qilin?”
Lazarus Group’s Medusa Ransomware Campaign
The Lazarus Group’s Medusa ransomware campaign made use of a mix of custom and publicly available tools: RP_Proxy, a custom proxy utility; Mimikatz, a publicly available credential dumping program; Comebacker, a custom backdoor; InfoHook, an information stealer; BLINDINGCAN, a remote access trojan; and ChromeStealer, a tool for extracting stored passwords from the Chrome browser.
The activity has not been tied to a specific Lazarus sub-group, even though the extortion attacks resemble earlier Andariel operations. The use of Medusa shows that North Korea’s involvement in cybercrime continues unabated, and that the group has no scruples about targeting organizations in the US, including healthcare entities.
