Lazarus Group Deploys Medusa Ransomware Against Middle East and U.S. Healthcare Targets
The North Korea-linked Lazarus Group, also known as Diamond Sleet and Pompilus, has been observed using Medusa ransomware in cyberattacks targeting a Middle Eastern entity and a healthcare organization in the U.S., according to a report from Symantec and the Carbon Black Threat Hunter Team.
Medusa is a ransomware-as-a-service (RaaS) operation run by the cybercrime group Spearwing since 2023, claiming over 366 attacks to date. Analysis of the Medusa leak site revealed that since November 2025, at least four U.S.-based healthcare and non-profit organizations have been victims. These included a mental health non-profit and an educational facility for autistic children. The average ransom demand during this period was approximately $260,000. It is unclear whether North Korean operatives were responsible for all these attacks or if other Medusa affiliates were involved.
North Korean Ransomware Trends
The Lazarus Group has a history of ransomware attacks. In 2021, a sub-group called Andariel (aka Stonefly) targeted entities in South Korea, Japan, and the U.S. using custom ransomware families such as SHATTEREDGLASS, Maui, and H0lyGh0st. By October 2024, Lazarus was also linked to the Play ransomware, signaling a shift toward using off-the-shelf ransomware to extort victims.
Other North Korean actors have shown similar tactics. Moonstone Sleet, previously deploying a custom ransomware called FakePenny, reportedly targeted South Korean financial firms using Qilin ransomware. This indicates a strategic shift where North Korean hackers are operating as affiliates of established RaaS groups rather than developing their own malware.
Motivation and Tools
According to Dick O’Brien, principal intelligence analyst at Symantec and Carbon Black, the decision to use established ransomware like Medusa or Qilin is driven by pragmatism—reducing development costs while maintaining high impact.
Lazarus Group’s Medusa ransomware campaigns use a range of tools, including:
- RP_Proxy – custom proxy utility
- Mimikatz – credential dumping program
- Comebacker – custom backdoor
- InfoHook – information stealer used with Comebacker
- BLINDINGCAN (aka AIRDRY/ZetaNile) – remote access trojan
- ChromeStealer – extracts saved passwords from Chrome
While the extortion attacks resemble prior Andariel activity, they have not been tied to a specific Lazarus sub-group.
Implications
The use of Medusa ransomware underscores North Korea’s ongoing engagement in cybercrime. Unlike some cybercriminal groups that avoid healthcare targets due to reputational concerns, Lazarus appears unconstrained in targeting organizations globally, including in the U.S.
*“Lazarus Group’s use of Medusa ransomware shows how state-linked hackers are increasingly targeting healthcare globally. Strong cybersecurity measures are more critical than ever.”*