Lazarus Hackers Deploy Medusa Ransomware in Ongoing Extortion Campaigns Against U.S. Healthcare and Nonprofits


A recent investigation conducted by the Symantec and Carbon Black Threat Hunter teams has unveiled that operators associated with the Lazarus hacker group are actively deploying Medusa ransomware in extortion campaigns targeting the U.S. healthcare sector and entities in the Middle East. This development underscores the persistence of North Korean cybercriminals in executing ransomware-driven extortion, even in the face of previous U.S. indictments.

Ongoing Threats to Healthcare and Nonprofits

The investigation highlights the claiming of recent victims, particularly healthcare and nonprofit organizations, and documents the use of tools linked to the Lazarus group in these intrusions. Despite legal actions taken against them, these attackers continue to launch extortion attacks against the U.S. healthcare sector. The findings indicate a troubling trend: the North Korean threat cluster remains undeterred by international legal repercussions.

In a report titled “North Korean Lazarus Group Now Working With Medusa Ransomware,” Symantec and Carbon Black detailed evidence of North Korean actors deploying Medusa ransomware in an attack against a target in the Middle East. Notably, these same operators attempted, albeit unsuccessfully, to breach a U.S. healthcare organization.

The Emergence of Medusa Ransomware

Medusa ransomware, operated by the Spearwing cybercrime group, emerged in 2023 as a ransomware-as-a-service (RaaS) operation. This model allows affiliates to deploy the malware in exchange for a share of the ransom proceeds. To date, attackers utilizing Medusa have claimed over 366 victims.

The report indicates that the Lazarus Group is employing a diverse toolkit in its ransomware campaigns. This arsenal includes Comebacker, a custom backdoor and loader exclusive to the group; Blindingcan, a remote access Trojan linked to Lazarus; and ChromeStealer, which extracts stored credentials from the Chrome browser.

Additionally, operators are utilizing Curl, an open-source command-line utility for data transfer; Infohook, an information-stealing malware strain; Mimikatz, a publicly available credential-dumping tool; and RP_Proxy, a custom proxy utility for routing malicious traffic.

Victim Analysis and Ransom Demands

An analysis of the group’s leak site reveals that four U.S. healthcare and nonprofit organizations have been listed since early November 2025, including a mental health nonprofit and an educational facility for autistic children. It remains uncertain whether all incidents are attributable to North Korean operatives or if other Medusa affiliates were involved. The average ransom demand during this period was approximately $260,000.

The report identifies the Lazarus sub-group Stonefly (also known as Andariel) as a significant player in North Korean ransomware attacks in recent years. Initially believed to focus solely on espionage against high-value targets, Stonefly has shifted to ransomware attacks over the past five years.

Legal Repercussions and Funding Espionage

The group’s involvement in digital extortion gained public attention in July 2025, following the indictment of Rim Jong Hyok, a North Korean national, by the U.S. Justice Department. Rim faces charges related to a ransomware campaign targeting U.S. hospitals and other healthcare providers. Allegedly a member of Stonefly, he is linked to the North Korean military intelligence agency, the Reconnaissance General Bureau (RGB).

The indictment sheds light on the motivations behind Stonefly’s transition to ransomware. Reports suggest that the group has been using proceeds from ransomware attacks to fund espionage activities, including operations against the defense, technology, and government sectors in the U.S., Taiwan, and South Korea. Despite the indictment and a $10 million reward for information leading to Rim’s capture, Stonefly has continued its attacks.

In October 2024, Symantec’s Threat Hunter Team found evidence of intrusions against three different U.S. organizations. Although no ransomware was successfully deployed, the attacks appeared financially motivated, targeting private companies without obvious intelligence value. Around the same time, Palo Alto’s Unit 42 reported North Korean actors collaborating with the Play ransomware group.

Attribution Challenges and Malware Analysis

While the current Medusa ransomware attacks are attributed to Lazarus, it remains unclear which specific sub-group is responsible. The tactics, techniques, and procedures (TTPs) observed in these extortion attacks against the U.S. healthcare sector bear similarities to previous Stonefly attacks. However, the malware tools employed are not exclusive to Stonefly; for instance, the Comebacker backdoor has been previously associated with the Pompilus group (also known as Diamond Sleet).

The shift to Medusa indicates that North Korea’s involvement in cybercrime remains relentless. North Korean actors appear to disregard ethical considerations in targeting organizations in the U.S. Unlike some cybercrime groups that avoid healthcare organizations due to potential reputational damage, Lazarus seems unconstrained by such concerns.

In a related development, Symantec revealed that China-based threat actors exploited the ToolShell vulnerability (CVE-2025-53770) to compromise a telecommunications company in the Middle East shortly after it was patched in July 2025. Investigations found that these actors also infiltrated networks of government agencies across multiple countries in Africa and South America, with two government departments in one African nation compromised during the same timeframe.

For further details, refer to the original reporting source: industrialcyber.co.
