North Korean Lazarus group linked to Medusa ransomware attacks
February 24, 2026 06:00 AM

North Korean state-backed hackers associated with the Lazarus threat group are targeting U.S. healthcare organizations in extortion attacks using the Medusa ransomware. The Medusa ransomware-as-a-service (RaaS) operation emerged in January 2021, and by February 2025 it had impacted over 300 organizations across various critical infrastructure sectors. Since then, the gang has claimed at least another 80 victims. North Korean threat actors have previously been linked to other ransomware strains such as HolyGhost, PLAY, Maui and Qilin, as well as to other malware families. However, this is the first time security researchers have associated the actor with Medusa.

Article Summaries:

  • North Korean state-backed hackers linked to the Lazarus threat group are now using the Medusa ransomware-as-a-service (RaaS) platform to extort U.S. healthcare organizations. Symantec's latest report identifies a Lazarus subgroup, possibly Andariel/Stonefly, as the operator, noting that Medusa has impacted more than 300 critical-infrastructure entities since its 2021 debut and has added at least 80 more victims since February 2025. The attacks employ a mix of commodity tools (e.g., Mimikatz, ChromeStealer) and a Diamond Sleet-linked backdoor, indicating cross-group collaboration. While Medusa can demand up to $15 million, the average ransom is around $260,000. Symantec released indicators of compromise to aid detection.
  • North Korean state-backed hackers from the Lazarus group are now using the Medusa ransomware-as-a-service (RaaS) platform to extort U.S. healthcare providers, a first for the actor. Symantec's report links a Lazarus subgroup, possibly Andariel/Stonefly, to Medusa, noting the gang's use of commodity tools such as Mimikatz and ChromeStealer. Medusa has already impacted over 300 critical-infrastructure organizations and added at least 80 more victims since early 2025, with ransoms averaging $260,000 (up to $15 million). The stolen funds reportedly support North Korean espionage against U.S., Taiwanese, and South Korean targets. Symantec released indicators of compromise to aid detection.

Sources: