North Korean state-backed hackers associated with the Lazarus group are targeting U.S. healthcare organizations in extortion attacks using the Medusa ransomware, marking the first time this ransomware strain has been linked to the notorious APT.
North Korean state-backed hackers associated with the Lazarus threat group are targeting U.S. healthcare organizations in extortion attacks using the Medusa ransomware. The Medusa ransomware-as-a-service (RaaS) operation emerged in January 2021, and by February 2025, it impacted over 300 organizations in various critical infrastructure sectors. Since then, the gang claimed at least another 80 victims.
North Korean threat actors have previously been linked to other ransomware strains such as HolyGhost, PLAY, Maui, Qilin, as well as other malware families. However, this is the first time security researchers have associated the actor with Medusa.
In a report today, enterprise cybersecurity company Symantec says that a Lazarus subgroup, possibly Andariel/Stonefly, is now using Medusa in financially-motivated cyberattacks targeting U.S. healthcare providers.
According to the researchers, the toolset used in these attacks also shows some association with Diamond Sleet, another North Korean group that typically targets media, defense, and IT industries. However, some of the utilities seen in the Medusa ransomware attacks are commodity tools:
- Comebacker – Backdoor/loader previously seen in use by Diamond Sleet
- Blindingcan – Remote access trojan
- ChromeStealer – Chrome credential extractor
- Infohook – Information stealer
- Mimikatz – Credential dumping tool
- RP_Proxy – Custom proxy tool
- Curl – Data transfer tool
The researchers comment that no sectors are off-limits for North Korean hackers, who keep getting involved in cybercrime for financial gain. "While some cybercrime outfits claim to steer clear of targeting healthcare organizations due to the reputational damage it may attract, Lazarus doesn't seem to be in any way constrained," Symantec researchers say.
Medusa targeted multiple healthcare and non-profit organizations in the U.S., as the gang's data leak site lists four such victims since the beginning of November 2025, among them an educational facility for autistic children. Not all these Medusa attacks can be confidently attributed to Lazarus hackers, though.
Medusa can demand ransoms as large as $15 million, but Symantec researchers say that the average is around $260,000. Stolen funds are used to support espionage operations against entities in the defense, technology, and government sectors in the U.S., Taiwan, and South Korea.
Symantec has provided a set of indicators of compromise (IoCs) in its report, which include network infrastructure data and hashes for the malware used in attacks.
Why This Matters
This development represents a significant escalation in North Korean cyber operations. The Lazarus Group, also known as APT38, has long been associated with high-profile attacks including the 2014 Sony Pictures hack and the 2016 Bangladesh Bank heist. Their pivot to targeting healthcare organizations with ransomware demonstrates both their adaptability and their willingness to cross ethical lines that even other criminal groups avoid.
Healthcare organizations are particularly vulnerable targets because:
- They often operate with limited cybersecurity budgets
- Patient care systems cannot afford extended downtime
- The sensitive nature of medical data makes them more likely to pay ransoms
- Legacy medical devices may run outdated software with unpatched vulnerabilities
Technical Analysis
The use of both custom tools (like RP_Proxy) and commodity malware suggests a hybrid approach that maximizes efficiency while maintaining operational security. The presence of tools associated with Diamond Sleet indicates possible collaboration or shared resources between North Korean APT groups.
Key technical indicators include:
- Network infrastructure: Symantec's IoCs include specific IP addresses and domains used in command and control communications
- File hashes: Malware samples can be identified through their unique cryptographic signatures
- TTPs: The attack pattern follows typical ransomware deployment but with North Korean-specific tooling
Protection Recommendations
Organizations in the healthcare sector should implement the following measures:
Immediate Actions:
- Review and implement Symantec's provided IoCs to detect and block known malicious infrastructure
- Ensure all systems are patched with the latest security updates
- Implement network segmentation to limit lateral movement
- Enable multi-factor authentication across all systems
Long-term Strategies:
- Develop and regularly test incident response plans
- Conduct security awareness training focused on phishing and social engineering
- Implement robust backup strategies with offline copies
- Consider cyber insurance that covers ransomware incidents
- Engage with threat intelligence services to stay informed about emerging threats
Technical Controls:
- Deploy endpoint detection and response (EDR) solutions
- Implement application whitelisting to prevent unauthorized software execution
- Use network monitoring tools to detect anomalous behavior
- Regularly conduct vulnerability assessments and penetration testing
The Bigger Picture
This attack pattern fits into a broader trend of nation-state actors engaging in financially-motivated cybercrime. North Korea has been particularly aggressive in this regard, using cyber operations to generate revenue for its regime in the face of international sanctions.
The targeting of healthcare organizations represents a moral low point, as these attacks can directly impact patient care and potentially cost lives. Unlike traditional cybercrime groups that may avoid healthcare due to public backlash, state-sponsored actors face no such reputational constraints.
The use of RaaS platforms like Medusa also indicates a professionalization of the cybercrime ecosystem, where specialized groups can leverage sophisticated tools without developing them in-house. This lowers the barrier to entry for conducting advanced attacks and increases the overall threat landscape.
Related Incidents
This is not an isolated incident. Recent ransomware attacks have targeted various sectors:
- Covenant Health: Data breach impacted nearly 478,000 patients
- Advantest: Japanese tech giant hit by ransomware attack
- Mississippi medical center: Closed all clinics after ransomware attack
- BeyondTrust RCE flaw: Now exploited in ransomware attacks
These incidents underscore the persistent and evolving nature of the ransomware threat, particularly when combined with state sponsorship and sophisticated APT capabilities.
Looking Forward
The healthcare sector must recognize that it is now squarely in the crosshairs of sophisticated nation-state actors. Traditional security measures may be insufficient against adversaries with the resources and capabilities of groups like Lazarus.
Organizations need to adopt a defense-in-depth approach, combining technical controls, employee training, incident response planning, and threat intelligence to create a comprehensive security posture. The stakes are too high to treat cybersecurity as anything less than a critical business function.