

North Korean state-backed hackers associated with the Lazarus threat group are targeting U.S. healthcare organizations in extortion attacks using the Medusa ransomware.
The Medusa ransomware-as-a-service (RaaS) operation emerged in January 2021 and by February 2025 had impacted over 300 organizations across various critical infrastructure sectors. Since then, the gang has claimed at least another 80 victims.
North Korean threat actors have previously been linked to other ransomware families, including HolyGhost, PLAY, Maui, and Qilin, as well as other malware families. However, this is the first time security researchers have associated the actor with Medusa.
In a report today, enterprise cybersecurity company Symantec says that a Lazarus subgroup (possibly Andariel/Stonefly) is now using Medusa in financially motivated cyberattacks targeting U.S. healthcare providers.
According to the researchers, the toolset used in these attacks also shows some association with Diamond Sleet, another North Korean group that typically targets media, defense, and IT industries.
The toolset seen in the Medusa ransomware attacks mixes custom North Korean malware with commodity utilities:
- Comebacker – Diamond Sleet-linked backdoor/loader
- Blindingcan – Remote access trojan
- ChromeStealer – Chrome credential extractor
- Infohook – Information stealer
- Mimikatz – Credential dumping tool
- RP_Proxy – Custom proxy tool
- Curl – Data transfer tool
Though not all recent Medusa attacks can be confidently attributed to Lazarus, the average ransom recorded was $260,000. Past legal proceedings have alleged that such ransom proceeds fund North Korean espionage operations, including against the defense, technology, and government sectors in the U.S., Taiwan, and South Korea.
The researchers comment that no sectors are “out of reach” for the North Koreans, who have no ethical barriers stopping them from disrupting healthcare operations.
“The switch to Medusa demonstrates that North Korea’s rapacious involvement in cybercrime continues unabated,” Symantec researchers comment.
“While some cybercrime outfits claim to steer clear of targeting healthcare organizations due to the reputational damage it may attract, Lazarus doesn’t seem to be in any way constrained.”
Symantec has listed indicators of compromise (IoCs) at the bottom of its report to help defenders catch these attacks early and prevent the encryption of sensitive data.

