North Korean Lazarus Group Linked to Medusa Ransomware Attacks on U.S. Healthcare
Feb 25, 2026
In a significant escalation of state-linked cybercrime activity, North Korea’s Lazarus Group has been associated with extortion campaigns using Medusa ransomware, targeting healthcare and nonprofit organizations across the United States.
Security researchers analyzing recent campaigns found that a Lazarus subgroup — potentially Andariel/Stonefly — is deploying Medusa as part of financially motivated attacks against U.S. healthcare providers.
Medusa operates as a ransomware-as-a-service (RaaS) platform that emerged in early 2021 and has since impacted hundreds of organizations in critical sectors worldwide, including healthcare, education, and manufacturing.
Attack Summary
| Category | Details |
|---|---|
| Threat Actor | North Korean state-linked hacking group Lazarus (possible Andariel/Stonefly subgroup) |
| Malware | Medusa ransomware (RaaS) |
| Initial Activity | Extortion attacks against U.S. healthcare and nonprofit orgs |
| Ransom Demands | Up to ~$15 million; average ~$260,000 reported |
| Associated Tools | Comebacker, Blindingcan, ChromeStealer, Infohook, Mimikatz, RP_Proxy, Curl |
| Purpose | Financial gain to support broader espionage and operations |
What’s New With Medusa and Lazarus?
Historically known for espionage, crypto theft and destructive malware, the Lazarus threat group has increasingly mixed financially driven tactics with state goals. This marks the first publicly confirmed instance of Lazarus operators leveraging Medusa ransomware at scale in extortion attacks.
Researchers note that Medusa is typically used by independent cybercriminal affiliates but now appears to have been co-opted by a state-linked actor that has previously favored strains like Maui, HolyGhost, PLAY, and Qilin.
The deployment shows a multi-stage attack chain, where threat actors first compromise environments using a toolkit that includes backdoors and credential stealers before finalizing with Medusa ransomware to extort victims.
Targets and Impact
Symantec’s threat intelligence division reported multiple claimed victims on the Medusa data leak site, including:
- Healthcare providers
- Nonprofit organizations
- An educational facility for children with autism
While not every incident on the Medusa portal can be confidently attributed to Lazarus, observed overlaps in tactics and tooling have raised alarms across the cybersecurity community.
Motive: Beyond Ransom
Unlike many cybercrime groups that avoid critical sectors for reputational concerns, Lazarus appears unconstrained in targeting healthcare systems — even those serving vulnerable populations.
Stolen funds from ransom payments are believed to support broader espionage operations and financial objectives tied to North Korean state interests.
Indicators of Compromise (IoCs)
Symantec’s report includes IoCs such as malicious network infrastructure and file hashes tied to the Medusa ransomware and associated tools observed in attacks.
Organizations should use these IoCs to update detection and response tools as part of broader ransomware defenses.
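As an added illustration of how a defender can operationalize a vendor IoC list (this is example code, not part of the original article or of Symantec’s report), the script below loads a set of file hashes, domains and IP addresses and scans log lines and quarantined file contents against it. Every indicator in it is a constructed placeholder (RFC 5737 documentation addresses, `.example` domains, a hash of a made-up payload); the real values from the Symantec report would be substituted in `IOC_SET`. The sample log lines are likewise constructed.

```python
import hashlib
import re

# Placeholder IoC set. These are constructed values (RFC 5737 IPs, .example
# domains, the hash of a made-up byte string), NOT indicators from the
# Symantec report; load the vendor's published hashes, domains and IPs here.
IOC_SET = {
    "sha256": {
        hashlib.sha256(b"constructed sample payload").hexdigest(),
    },
    "domain": {"c2-placeholder.example", "update-placeholder.example"},
    "ipv4": {"192.0.2.10", "198.51.100.23"},
}

# Token extractors: a 64-hex-char SHA-256, a dotted-quad IPv4, and a
# domain-looking token whose last label is alphabetic (so IPs are excluded).
_RE_SHA256 = re.compile(r"\b[0-9a-fA-F]{64}\b")
_RE_IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
_RE_DOMAIN = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)


def extract_candidates(line):
    """Pull every hash, IPv4 address and domain-looking token out of a log line."""
    return {
        "sha256": {m.lower() for m in _RE_SHA256.findall(line)},
        "ipv4": set(_RE_IPV4.findall(line)),
        "domain": {m.lower() for m in _RE_DOMAIN.findall(line)},
    }


def match_line(line, iocs=IOC_SET):
    """Return (ioc_type, value) pairs from `line` that appear in the IoC set."""
    hits = []
    for ioc_type, candidates in extract_candidates(line).items():
        for value in sorted(candidates & iocs.get(ioc_type, set())):
            hits.append((ioc_type, value))
    return hits


def scan_logs(lines, iocs=IOC_SET):
    """Scan an iterable of log lines; return one dict per line that matched."""
    results = []
    for lineno, line in enumerate(lines, start=1):
        hits = match_line(line, iocs)
        if hits:
            results.append({"line": lineno, "hits": hits, "text": line.rstrip()})
    return results


def file_hash_is_known(data, iocs=IOC_SET):
    """True if the SHA-256 of `data` is in the IoC set (for quarantined samples)."""
    return hashlib.sha256(data).hexdigest() in iocs["sha256"]


# Constructed sample log lines in proxy, DNS and EDR style; not from any real incident.
SAMPLE_LOGS = [
    "2026-02-25T10:01:12Z proxy src=10.0.5.21 dst=198.51.100.23 host=update-placeholder.example GET /check",
    "2026-02-25T10:01:13Z dns client=10.0.5.21 query=intranet.corp.local rcode=NOERROR",
    "2026-02-25T10:02:40Z edr host=WS-042 file=C:\\Users\\Public\\svc.exe sha256="
    + hashlib.sha256(b"constructed sample payload").hexdigest(),
    "2026-02-25T10:03:01Z proxy src=10.0.5.30 dst=93.184.216.34 host=www.example.com GET /",
]

if __name__ == "__main__":
    # Expected: hits on line 1 (IP + domain) and line 3 (hash); lines 2 and 4 are clean.
    for hit in scan_logs(SAMPLE_LOGS):
        print(f"line {hit['line']}: {hit['hits']}")
```

Matching is done on normalized tokens rather than raw substrings, so a hash is matched case-insensitively and an IP inside a longer number is not. In practice the IoC set would be refreshed from the vendor feed on a schedule and the matches forwarded to the SIEM as alerts rather than printed.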
What This Means for Defenders
The involvement of a nation-state actor using established ransomware families underscores the evolving threat landscape, where geopolitical actors adopt criminal tools to blur attribution and complicate defense.
Security teams in healthcare and critical sectors should review ransomware readiness — including backups, network segmentation, MFA, patching, and incident response playbooks — in light of this development.