# **North Korea's Lazarus Group Takes Aim at Healthcare Organizations with Medusa Ransomware**
In a recent development, North Korea's notorious Lazarus Group has been spotted using Medusa ransomware in extortion attacks targeting healthcare organizations in the United States and elsewhere, according to threat hunters Symantec and Carbon Black. This latest tactic marks a significant shift in the group's arsenal, as it looks to capitalize on the vulnerabilities of critical infrastructure sectors.
The Medusa ransomware operation, spearheaded by the Spearwing cybercrime group, has been active since 2023 and has already claimed over 366 attacks across various industries, including medical, education, legal, insurance, technology, and manufacturing. The Lazarus Group's decision to utilize Medusa in its campaigns is a notable move, as it signals continued involvement in high-stakes cybercrime activities.
Ransom demands over the four-month period averaged around $260,000, and four US healthcare organizations fell victim to the attacks. These include a mental health nonprofit and an educational facility for autistic children, highlighting the group's persistence in targeting critical sectors.
Since November 2025, the Medusa data-leak site has listed nearly 30 victim organizations, four of them healthcare-related institutions. It is unclear whether all of these victims were targeted by North Korean operatives or whether other Medusa affiliates were responsible for some of the attacks, but the attackers have consistently demonstrated a willingness to adapt and evolve their tactics.
The Lazarus Group's involvement in ransomware attacks is not new; its most prolific subgroups, including Andariel (aka Stonefly, Onyx Sleet, and Silent Chollima), have previously used Maui and Play ransomware in their intrusions. The group's activities have been consistently linked to North Korea's military intelligence agency, the Reconnaissance General Bureau (RGB).
The recent Medusa ransomware attacks are "undoubtedly the work of Lazarus," according to threat hunters, but the exact subgroup responsible is unclear. While the TTPs (extortion attacks against the US healthcare sector) show similarities with previous Stonefly attacks, the malware tools used do not exclusively belong to Stonefly.
The report highlights several file indicators for Medusa ransomware, including a custom backdoor and loader called Comebacker that's exclusively associated with Lazarus, as well as other malware and suspicious files observed in these campaigns. This suggests that North Korea's cybercrime activities continue unabated, with the Lazarus Group demonstrating an unwavering commitment to using various tactics and tools at its disposal.
In conclusion, the Medusa ransomware operation represents a significant development in the Lazarus Group's arsenal, highlighting the ongoing threat posed by North Korean state-sponsored offensive cyber operations. As healthcare organizations and other critical infrastructure sectors continue to be targeted by these threats, it is essential that cybersecurity professionals remain vigilant and adapt their defenses accordingly.
### Key Takeaways:
* North Korea's Lazarus Group has begun using Medusa ransomware in extortion attacks targeting at least one US healthcare organization and an unnamed victim in the Middle East.
* The Medusa operation has claimed over 366 attacks since its inception in 2023, with a significant presence across various critical sectors.
* The recent Medusa ransomware attacks are "undoubtedly the work of Lazarus," but the exact subgroup responsible is unclear.
* Threat hunters highlight several file indicators for Medusa ransomware, including a custom backdoor and loader called Comebacker that is exclusively associated with Lazarus.