Lazarus Group Deploys Medusa Ransomware in Targeted Attacks on Middle East and U.S. Healthcare Sectors
The North Korean state-sponsored cybercriminal organization, known as the Lazarus Group (also referred to as Diamond Sleet and Pompilus), has been implicated in deploying Medusa ransomware against entities in the Middle East and the United States. This development underscores a significant evolution in the group’s cyberattack strategies.
According to a recent report by the Symantec and Carbon Black Threat Hunter Team, the Lazarus Group executed a Medusa ransomware attack on an undisclosed organization in the Middle East. Additionally, they attempted, albeit unsuccessfully, to infiltrate a U.S. healthcare institution. Medusa, a ransomware-as-a-service (RaaS) platform, was introduced by the cybercrime syndicate Spearwing in 2023 and has since been associated with over 366 attacks.
An analysis of the Medusa leak site revealed that, since November 2025, four healthcare and non-profit organizations in the U.S. have been targeted. These victims include a mental health non-profit and an educational facility for autistic children. It remains uncertain whether these attacks were solely the work of North Korean operatives or involved other Medusa affiliates. The average ransom demand during this period was approximately $260,000.
The Lazarus Group’s engagement with ransomware is not unprecedented. As early as 2021, a subgroup known as Andariel (or Stonefly) targeted entities in South Korea, Japan, and the U.S. using custom ransomware variants like SHATTEREDGLASS, Maui, and H0lyGh0st. In October 2024, the group was linked to a Play ransomware attack, indicating a shift towards utilizing existing ransomware tools rather than developing proprietary ones.
This trend is not isolated to Andariel. In 2025, Bitdefender reported that another North Korean threat actor, Moonstone Sleet, which had previously deployed a custom ransomware named FakePenny, likely targeted South Korean financial institutions using Qilin ransomware.
These developments suggest a strategic pivot among North Korean cyber actors, opting to act as affiliates for established RaaS groups instead of creating their own ransomware. Dick O’Brien, principal intelligence analyst for the Symantec and Carbon Black Threat Hunter Team, commented: “The motivation is most likely pragmatism. Why go to the trouble of developing your own ransomware payload when you can use a tried-and-tested threat such as Medusa or Qilin? They may have decided that the benefits outweigh the costs in terms of affiliate fees.”
In their Medusa ransomware campaigns, the Lazarus Group has employed a suite of tools, including:
– RP_Proxy: A custom proxy utility.
– Mimikatz: A widely-used credential dumping program.
– Comebacker: A custom backdoor unique to the group.
– InfoHook: An information stealer often used alongside Comebacker.
– BLINDINGCAN (also known as AIRDRY or ZetaNile): A remote access trojan.
– ChromeStealer: A tool designed to extract stored passwords from the Chrome browser.
While these extortion tactics resemble previous operations by Andariel, the current activities have not been definitively linked to any specific Lazarus subgroup. The adoption of Medusa ransomware highlights North Korea’s continued and aggressive involvement in cybercrime. Unlike some cybercriminal organizations that avoid targeting healthcare institutions to maintain their reputation, the Lazarus Group appears unrestrained in its choice of victims, including those in the U.S. healthcare sector.
The Medusa ransomware itself has evolved significantly since its emergence in late 2022. By early 2024, the group behind Medusa had intensified their operations, launching a dedicated data leak site on the dark web to publish sensitive information from victims who refused to meet their ransom demands. This multi-extortion strategy offers victims options such as extending the ransom payment deadline, deleting the stolen data, or downloading all the data, each with a corresponding price tag.
Medusa has targeted a diverse range of industries, including high technology, education, manufacturing, healthcare, and retail. In 2023 alone, the ransomware impacted approximately 74 organizations, predominantly in the U.S., the U.K., France, Italy, Spain, and India.
The group’s attack methodology often involves exploiting internet-facing assets or applications with known vulnerabilities and leveraging legitimate accounts, sometimes through initial access brokers. For instance, in one observed case, a Microsoft Exchange Server was compromised to upload a web shell, which was then used to install and execute the ConnectWise remote monitoring and management software.
A notable aspect of Medusa’s operations is the use of living-off-the-land techniques, which utilize legitimate system tools to evade detection. Additionally, the group has employed kernel drivers to terminate security products, further complicating detection and mitigation efforts.
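The intrusion chain described above (web shell under an Exchange/IIS worker spawning a shell, an RMM installer following it, and a kernel driver registered from an unusual path) lends itself to a simple host-level correlation. The following is an added detection example, not code from Symantec or the report; the event fields, host names, file names and paths are constructed for illustration.

```python
"""Correlate constructed Sysmon-style events into per-host findings for the
Medusa-style chain: IIS worker -> shell, RMM install, kernel driver install."""
from collections import defaultdict

# Constructed sample events, loosely modelled on Sysmon event 1 (process
# create) and Windows System log event 7045 (new service installed).
EVENTS = [
    {"host": "exch01", "type": "proc", "parent": "w3wp.exe",
     "image": "cmd.exe", "cmdline": "cmd.exe /c whoami"},
    {"host": "exch01", "type": "proc", "parent": "cmd.exe",
     "image": "connectwise_agent_setup.exe",          # constructed name
     "cmdline": "connectwise_agent_setup.exe /silent"},
    {"host": "exch01", "type": "svc_install", "service": "drv_tmp",
     "path": "C:\\Windows\\Temp\\drv.sys", "svc_type": "kernel mode driver"},
    {"host": "fs02", "type": "proc", "parent": "explorer.exe",
     "image": "notepad.exe", "cmdline": "notepad.exe"},
]

IIS_WORKERS = {"w3wp.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
RMM_MARKERS = ("connectwise", "screenconnect")
DRIVER_DIRS = ("c:\\windows\\system32\\drivers\\",)   # expected driver location

def classify(ev):
    """Label one event with the chain stage it matches, or None if benign."""
    if ev["type"] == "proc":
        if ev["parent"].lower() in IIS_WORKERS and ev["image"].lower() in SHELLS:
            return "webshell_suspect"        # IIS worker spawning a shell
        if any(m in ev["image"].lower() for m in RMM_MARKERS):
            return "rmm_install"             # RMM tool being installed
    elif ev["type"] == "svc_install" and "kernel" in ev["svc_type"].lower():
        if not ev["path"].lower().startswith(DRIVER_DIRS):
            return "driver_outside_system"   # kernel driver from an odd path
    return None

def correlate(events):
    """Group stage labels per host; escalate hosts showing two or more stages."""
    per_host = defaultdict(set)
    for ev in events:
        label = classify(ev)
        if label:
            per_host[ev["host"]].add(label)
    return {h: sorted(s) for h, s in per_host.items() if len(s) >= 2}

if __name__ == "__main__":
    print(correlate(EVENTS))
```

Single-stage hits (an RMM install on its own, for example) are deliberately not escalated, since each stage is also common legitimate activity; the combination on one host is what warrants a look.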
The Lazarus Group’s recent activities underscore the persistent and evolving threat posed by state-sponsored cyber actors. Their willingness to target critical sectors, such as healthcare, highlights the need for robust cybersecurity measures and international cooperation to combat these sophisticated threats.