Blog Details

North Korean instruct-backed hackers connected to the Lazarus threat team are targeting U.S. healthcare organizations in extortion assaults utilizing the Medusa ransomware.

The Medusa ransomware-as-a-service (RaaS) operation emerged in January 2021, and by February 2025, it impacted over 300 organizations in assorted major infrastructure sectors. Since then, the team claimed at the least one other 80 victims.

North Korean threat actors come by beforehand been linked to other ransomware lines equivalent to HolyGhost, PLAY, Maui, Qilin, as neatly as other malware households. On the opposite hand, here’s the foremost time safety researchers come by associated the actor with Medusa.

In a portray nowadays, enterprise cybersecurity firm Symantec says that a Lazarus subgroup, presumably Andariel/Stonefly, is now utilizing Medusa in financially-motivated cyberattacks targeting U.S. healthcare suppliers.

In response to the researchers, the toolset weak in these assaults furthermore reveals some association with Diamond Sleet, one other North Korean team that typically targets media, defense, and IT industries.

On the opposite hand, some of the utilities viewed in the Medusa ransomware assaults are commodity tools:

• Comebacker – Diamond Sleet-linked backdoor/loader (viewed weak by Diamond Sleet)
• Blindingcan – Some distance away receive loyal of entry to trojan
• ChromeStealer – Chrome credential extractor
• Infohook – Knowledge stealer
• Mimikatz – Credential dumping tool
• RP_Proxy – Custom proxy tool
• Curl – Data switch tool

The researchers commentary that no sectors are off-limits for North Korean hackers, who withhold becoming concerned with cybercrime for monetary derive.

“Whereas some cybercrime outfits claim to lead chase of targeting healthcare organizations attributable to the reputational hurt it’ll blueprint, Lazaurs doesn’t seem to be in any formula constrained,” Symantec researchers explain.

Medusa focused multiple healthcare and non-profit organizations in the U.S., because the team’s data leak residing lists four such victims for the explanation that starting of November 2025, among them an academic facility for autistic formative years.

Now no longer all these Medusa assaults might per chance also be confidently attributed to Lazarus hackers, even supposing. Medusa can place a matter to ransoms as big as $15 million, however Symantec researchers explain that the frequent is around $260,000.

Stolen funds are weak to present a lift to espionage operations towards entities in the defense, expertise, and authorities sectors in the U.S., Taiwan, and South Korea.

Symantec has equipped a suite of indicators of compromise (IoCs) in its portray, which embody network infrastructure data and hashes for the malware weak in assaults.