Lazarus Group Adopts Medusa Ransomware in Escalating Attacks on US Healthcare
Wed | Feb 25, 2026 | 8:05 AM PST

North Korea's state-sponsored Lazarus Group has added yet another ransomware strain to its arsenal. New research from the Symantec and Carbon Black Threat Hunter Team reveals that the group has been observed deploying Medusa ransomware in an attack against an unnamed entity in the Middle East and, separately, attempting an unsuccessful breach of a healthcare organization in the United States.

The findings represent a notable evolution in Lazarus's tactics. The group has previously been linked to the Maui and Play ransomware families, and the pivot to Medusa signals that North Korean cyber actors continue to diversify their extortion toolkit—undeterred by law enforcement attention or international scrutiny.

What is Medusa?

Medusa is a ransomware-as-a-service (RaaS) platform operated by the cybercrime group Spearwing. Launched in 2023, Medusa follows the now-familiar affiliate model: cybercriminal partners deploy the ransomware and split the ransom proceeds with the platform's operators. Since its debut, Medusa affiliates have claimed responsibility for more than 366 attacks globally.

Analysis of Medusa's public leak site—where operators post victim data to pressure payment—reveals that four U.S. healthcare and non-profit organizations have been listed as victims since early November 2025. Among those listed are a mental health non-profit and a school serving autistic children. The average ransom demand across this period was approximately $260,000.

It remains unclear whether all of these victims were targeted specifically by North Korean Lazarus operators or by other Medusa affiliates acting independently.

A pattern that keeps growing

Lazarus's foray into ransomware is not new, but its scope continues to expand. The Lazarus sub-group Stonefly—also tracked as Andariel, and linked to North Korea's Reconnaissance General Bureau (RGB)—has been at the center of many of these extortion campaigns. In July 2025, the U.S. Justice Department indicted North Korean national Rim Jong Hyok on charges related to ransomware attacks against U.S. hospitals and healthcare providers, alleging that ransomware proceeds were funneled back to fund state-sponsored espionage operations.

The indictment, paired with a $10 million reward for information on Rim, has done little to slow the group's pace. As recently as October 2024, Symantec's Threat Hunter Team documented intrusions into three separate U.S. organizations, and Palo Alto Unit 42 reported Lazarus affiliates collaborating with the Play ransomware group in the same month.

"The switch to Medusa demonstrates that North Korea's rapacious involvement in cybercrime continues unabated," according to the Symantec Threat Hunter Team. "North Korean actors appear to have few scruples about targeting organizations in the U.S."

Expert perspective: why soft targets?

The deliberate targeting of mental health organizations and schools serving vulnerable populations has not gone unnoticed in the security community. Jason Soroko, Senior Fellow at Sectigo, says the target selection is strategic—and cynical.

"Striking facilities dedicated to mental health and autistic children demonstrates that these actors prioritize maximum emotional leverage to ensure swift ransom payments," Soroko said. "The relatively modest average ransom demand suggests a volume-based approach where threat actors target chronically underfunded sectors that simply cannot afford prolonged operational downtime. Network defenders must recognize that foreign adversaries are no longer solely hunting major enterprises and are actively exploiting the softest targets in the American healthcare ecosystem."

The $260,000 average demand is telling. Compared to multimillion-dollar ransoms levied against large enterprises, the figure is modest; but for a cash-strapped nonprofit or small healthcare provider, it can be existential. Attackers appear to be calibrating demands to maximize payment rates, not maximize individual payouts.

Healthcare's persistent security gap

James Maude, Field CTO at BeyondTrust, says the healthcare sector's continued vulnerability to ransomware is the product of long-standing underinvestment in security—and that the problem extends well beyond the healthcare organizations themselves.

"Healthcare has historically been less prepared for cyber risks than other industries, and attackers are increasingly taking advantage of this," Maude said. "The security challenges extend beyond the healthcare providers themselves, with almost a third of breaches involving the compromise of third parties. Ransomware, once a rare occurrence in healthcare, is now on the top of most providers' agendas as legacy remote access solutions provide a quick entry point to land and expand with severe consequences."

Maude argues that the industry needs to fundamentally shift its defensive posture—moving from post-breach response thinking to identity-centric prevention. "Ransomware and other threats are only as effective as the privileges and access they manage to acquire so if we can implement better hygiene, and place emphasis on least privilege, then the threat actors are far less likely to ransomware us in the first place."

He also points to the growing role of real-time behavioral monitoring in healthcare security. "Modern healthcare organizations are also incorporating real-time session monitoring with their security tooling to perform behavioral analytics and generate automated alerts. Any anomalous vendor behaviors, such as unusual file exports or unexpected command-line launches, are detected and halted before they can escalate into breaches."

Lazarus toolset in active campaigns

According to Symantec's research, Lazarus operators in the current Medusa campaigns are deploying a mix of custom and publicly available tools, including:

  • Comebacker – a custom backdoor and loader exclusively associated with Lazarus

  • Blindingcan – a remote access Trojan (RAT) linked to the group

  • ChromeStealer – used to extract stored passwords from Chrome

  • Mimikatz – a publicly available credential dumping tool

  • Infohook – information-stealing malware

  • RP_Proxy – a custom proxying tool

Attribution within Lazarus's internal structure remains somewhat murky. While the TTPs—extortion campaigns targeting U.S. healthcare—are consistent with Stonefly, the presence of Comebacker, a tool previously linked to the Pompilus group (also known as Diamond Sleet), complicates clean attribution to any single sub-group.

What organizations should do

For healthcare and non-profit organizations that may be in Lazarus's crosshairs, the immediate priorities are clear: patch legacy remote access solutions, enforce least-privilege access controls across users and third-party vendors, and implement behavioral monitoring to detect anomalous activity before it escalates.
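As an added illustration of the behavioral-monitoring recommendation above (this is example code written for this article, not tooling from Symantec, BeyondTrust or any vendor named here), the following Python script applies a per-vendor baseline to a constructed third-party session log and flags the two anomalies the experts call out: unexpected command-line launches and unusual file export volumes. The log format, the vendor account names, the `BASELINE` table and all thresholds are assumptions made for the example.

```python
"""Toy behavioral monitor for third-party vendor sessions.

Added example, not code from Symantec or BeyondTrust. It assumes a
simplified session-event log where each line reads:
    <ISO timestamp> <vendor account> <event kind> <detail...>
Baselines, account names and log lines below are all constructed.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime

# Hypothetical per-vendor baseline: processes a vendor session is expected
# to launch, and the most bytes it normally exports across one session.
BASELINE = {
    "vendor-imaging": {
        "allowed_procs": {"dicomviewer.exe", "notepad.exe"},
        "max_export_bytes": 50_000_000,
    },
    "vendor-billing": {
        "allowed_procs": {"excel.exe", "chrome.exe"},
        "max_export_bytes": 5_000_000,
    },
}


@dataclass
class Event:
    ts: datetime
    account: str
    kind: str     # "proc_launch" or "file_export"
    detail: str   # process name, or "bytes=<n> path=<p>"


def parse_line(line: str) -> Event:
    """Split one constructed log line into an Event."""
    ts, account, kind, detail = line.split(" ", 3)
    return Event(datetime.fromisoformat(ts), account, kind, detail)


def export_bytes(detail: str) -> int:
    """Pull the byte count out of a file_export detail string."""
    for tok in detail.split():
        if tok.startswith("bytes="):
            return int(tok[len("bytes="):])
    return 0


def analyze(lines):
    """Return a list of (account, reason) alerts in log order.

    A real deployment would also terminate the offending session; here the
    alert list is returned so the logic can be inspected and tested.
    """
    alerts = []
    exported = Counter()  # cumulative export volume per vendor account
    for line in lines:
        ev = parse_line(line)
        base = BASELINE.get(ev.account)
        if base is None:
            alerts.append((ev.account, "session from vendor account with no baseline"))
            continue
        if ev.kind == "proc_launch":
            proc = ev.detail.lower()
            if proc not in base["allowed_procs"]:
                alerts.append((ev.account, f"unexpected command-line launch: {proc}"))
        elif ev.kind == "file_export":
            exported[ev.account] += export_bytes(ev.detail)
            if exported[ev.account] > base["max_export_bytes"]:
                alerts.append((ev.account,
                               f"unusual file export volume: {exported[ev.account]} bytes"))
    return alerts


# Constructed sample session log: one benign imaging session, one billing
# session that launches a shell and over-exports, and one unknown account.
SAMPLE_LOG = [
    "2026-02-20T09:01:12 vendor-imaging proc_launch dicomviewer.exe",
    "2026-02-20T09:03:40 vendor-imaging file_export bytes=12000000 path=/studies/2026-02-19.zip",
    "2026-02-20T21:17:05 vendor-billing proc_launch powershell.exe",
    "2026-02-20T21:18:30 vendor-billing file_export bytes=4000000 path=/finance/q4.csv",
    "2026-02-20T21:19:02 vendor-billing file_export bytes=3000000 path=/finance/patients.csv",
    "2026-02-20T22:00:00 vendor-unknown proc_launch cmd.exe",
]

if __name__ == "__main__":
    for account, reason in analyze(SAMPLE_LOG):
        print(f"ALERT {account}: {reason}")
```

Running the script yields three alerts: the billing vendor's shell launch, the billing vendor's cumulative export crossing its 5 MB baseline on the second export, and a session from an account with no baseline at all. The design point is that the baseline is keyed to the vendor account, so the same action (launching a shell, exporting a few megabytes) is benign for one third party and an alert for another; the threshold values themselves are placeholders that a real program would derive from observed history.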

Indicators of compromise from Symantec's research—including file hashes and network indicators associated with Medusa and Comebacker—are available in the full Symantec report at security.com.

The broader message from this research is sobering: nation-state ransomware operators are no longer limiting their targets to high-value enterprises with deep pockets. The softest targets in American civil society are now firmly in their sights—and indictments, reward offers, and diplomatic pressure have done little to change that calculus.
