Analysis: Lazarus Group Shifts to Medusa Ransomware Targeting U.S. Healthcare

Recently released intelligence from Symantec and Carbon Black reveals that the North Korean cyber threat actor Lazarus Group is intensifying its focus on the U.S. healthcare sector by deploying Medusa ransomware in its extortion campaigns. The trend continues despite the 2024 U.S. indictment of Rim Jong Hyok, an alleged member of the Lazarus subgroup Stonefly, underscoring the ongoing and evolving threat posed by state-sponsored actors.
Current data from ransomware monitoring platform Ransomware.live lists 518 confirmed Medusa ransomware victims since the malware’s emergence in 2023, with at least 43 being healthcare organizations. This ransomware-as-a-service model, operated by the Spearwing cybercrime group, has provided an environment for Lazarus Group to expand its cybercriminal activities.
The link between the recent attacks and Lazarus Group is further supported by the findings of Symantec's Threat Hunter Team. Medusa affiliates deploy the ransomware in exchange for a share of the ransom proceeds, which points to a systematic approach to extortion. According to Dick O'Brien, principal intelligence analyst at Symantec, the tactics used in these recent attacks overlap closely with the group's historical targeting of the healthcare sector, as corroborated by Hyok's earlier indictment.
The report emphasizes that the shift to Medusa showcases North Korea’s persistent and audacious approach to cybercrime, illustrating a lack of hesitation in impacting organizations within the United States. Unlike some other cybercriminal entities, which may avoid healthcare targets to mitigate reputational harm, Lazarus Group appears unfazed by such considerations.
Stonefly, previously recognized for its cyberespionage initiatives, has recently ventured into ransomware operations, with a notable increase in public awareness following Hyok’s 2025 indictment for attacks on healthcare providers. The nexus of Stonefly with North Korean military intelligence, particularly the Reconnaissance General Bureau, indicates a structured state-sponsored effort in these attacks.
Despite the deterrent effect that public indictments might typically have on criminal activity, Lazarus Group remains undeterred, suggesting either a reckless disregard for exposure or an overriding imperative to generate revenue. The current wave of Medusa ransomware activity likely relies on a familiar chain of tactics that map onto the MITRE ATT&CK framework: initial access via social engineering or phishing, persistence through deployed backdoors, and subsequent privilege escalation.
Lazarus' arsenal includes the Comebacker backdoor as well as Blindingcan, ChromeStealer, and the credential-dumping tool Mimikatz, each supporting a different stage of the group's operations. This technical diversification, paired with an unflinching focus on the healthcare sector, highlights the critical need for organizations to bolster their defenses against such threats.
For healthcare organizations, the lesson is clear: the risk of cyberattack is no lower in healthcare than in any other industry. A multi-layered defense strategy is essential for protection against ransomware like Medusa. Healthcare entities are advised to apply security updates rapidly, enforce robust credential management practices, and implement multifactor authentication; these measures may prove pivotal in thwarting future attacks.