INSPECTING ARCHIVED INTELLIGENCE (OUTDATED VERSION).
North Korea's Lazarus Group targets healthcare orgs with Medusa ransomware
2026-02-24 18:25 | CRITICAL | LOW
Executive Summary (AI-generated)
North Korea's Lazarus Group has begun using Medusa ransomware in extortion attacks targeting at least one US healthcare organization and an unnamed victim in the Middle East, according to Symantec and Carbon Black threat hunters. The group's use of this malware is a significant escalation from previous attempts, which failed to hit any targets. This latest development marks another chapter in North Korea's ongoing cybercrime spree, with many victims operating in critical sectors such as healthcare, education, and technology.
Technical Mitigations (AI-generated)
* Implement regular security updates and patches for all systems, including operating systems, applications, and software to ensure that known vulnerabilities are addressed.
* Use a secure file system and encryption methods to protect sensitive data both at rest and in transit.
* Conduct regular network traffic analysis and monitoring to detect potential suspicious activity or anomalies.
* Educate users on phishing attacks, social engineering tactics, and other types of cyber threats to prevent them from falling victim to these types of attacks.
* Use a reputable antivirus solution that can detect and remove malware, including ransomware like Medusa.
Intelligence Metadata
Actors / Malware / CVEs / Campaigns
Actors: Moonstone Sleet, Andariel, Lazarus Group
Malware: Medusa Ransomware, Qilin, WannaCry, BLINDINGCAN, Carbon
Target & Sectors
Regions: DPRK, MIDDLE_EAST, NORTH_AMERICA
Sectors: technology, defense, health, legal, manufacturing, healthcare, education
Incident Timeline
July 2024
North Korea's Lazarus Group used Medusa ransomware to target healthcare organizations.
Entities: Healthcare (industry), Ransomware (tactic), DPRK (target region), United States (source region), Andariel (threat actor), Defense (industry), the US Justice Department (organisation), NASA (organisation), China (target region), Comebacker (organisation)
A year prior, in July 2024, the US Justice Department charged Rim Jong Hyok, a North Korean national and another alleged Andariel member, for his involvement in a series of ransomware attacks on US hospitals and healthcare providers, defense companies, NASA, and even a Chinese target.
In its report, the security shop included a long list of file indicators for Medusa ransomware, a custom backdoor and loader called Comebacker that's exclusively associated with Lazarus, a remote access trojan called Blindingcan that's associated with Lazarus, and other malware and suspicious files observed in these campaigns.
October 2024
North Korea's Lazarus Group used Medusa ransomware to target healthcare organizations.
Entities: Ransomware (tactic)
Then, in October 2024, the hacking crew was also linked to a Play ransomware attack, marking the transition to an off-the-shelf locker to encrypt victim systems and demand a ransom.
2025-02-24
North Korea's Lazarus Group used Qilin ransomware to target several South Korean healthcare organizations on February 24, 2025.
Entities: Ransomware (tactic), DPRK (source region), Korea, Republic of (target region), Moonstone Sleet (threat actor), FakePenny (organisation), Qilin (malware)
Last year, Bitdefender revealed that another North Korean threat actor tracked as Moonstone Sleet, which previously dropped a custom ransomware family called FakePenny, had likely targeted several South Korean financial firms with Qilin ransomware.
March 2025
North Korea's Lazarus Group used Medusa ransomware to target healthcare organizations, including those in critical sectors such as medical and education.
Entities: United States (source region), Education (industry), Legal (industry), Technology (industry), Manufacturing (industry), FBI (attribution), Andariel (threat actor), Sony Pictures (organisation), Maui (organisation), Lazarus Group (threat actor), the Treasury Department (organisation)
Many of these victims operate in critical sectors including medical, education, legal, insurance, technology, and manufacturing, according to a March 2025 security alert from the FBI and the US Cybersecurity and Infrastructure Security Agency (CISA).
One of Lazarus' most prolific subgroups is Andariel (aka Stonefly, Onyx Sleet, and Silent Chollima), which acts as the cyber-arm of North Korea's military intelligence agency, the Reconnaissance General Bureau (RGB). Andariel has previously used Maui and Play ransomware in its intrusions.
The US issued sanctions against Andariel and Lazarus Group in 2019, and in July also sanctioned an alleged member of Andariel, 38-year-old Song Kum Hyok, a North Korean accused of attempting to hack the Treasury Department and posing as an IT worker to collect revenue and secret data for Pyongyang.
Lazarus Group is an umbrella term for North Korean state-sponsored offensive cyber operations that include cryptocurrency theft, extortion attacks, and IT worker scams. It's probably best known for the 2014 Sony Pictures hack and 2017's WannaCry ransomware attack.
November 2025
North Korean operatives used Medusa ransomware to target four healthcare and nonprofit organizations in the US.
Entities: Healthcare (industry), United States (target region), Health (industry), 30 victim organizations (victims), The Hacker News (organisation), Spearwing (organisation), Affiliates (organisation), $260,000 (financial)
Of the nearly 30 victim organizations listed on the Medusa data-leak site since November 2025, four are healthcare and nonprofit organizations in the US, including a mental health nonprofit and an educational facility for autistic children.
"Analysis of the Medusa leak site reveals attacks against four healthcare and non-profit organizations in the U.S. since the beginning of November 2025," the company said in a report shared with The Hacker News.
Medusa, a ransomware-as-a-service operation run by the Spearwing cybercrime group, has been around since 2023. Affiliates use Medusa's ransomware variants and infrastructure in exchange for a percentage of the extortion payments, and more than 366 attacks have been claimed by Medusa affiliates during its three-year run.
"It is unknown if all these victims were targeted by North Korean operatives or if other Medusa affiliates were responsible for some of these attacks," the security sleuths said in a Tuesday report, noting that the ransom demand over the four-month period averaged $260,000.
Feb 24, 2026
Threat actors used Lazarus Group's Medusa ransomware to target major healthcare organizations in the United States.
2026-02-24
North Korea's Lazarus Group targets healthcare orgs with Medusa ransomware.
Entities: Lazarus Group (threat actor), U.S. Healthcare Attacks (organisation), Lazarus (organisation), North Korean (organisation), Comebacker (organisation), ChromeStealer (organisation), Andariel (threat actor), $260,000 (financial)
North Korea's Lazarus Group targets healthcare orgs with Medusa ransomware.
Ravie Lakshmanan
Feb 24, 2026
Threat Intelligence / Healthcare
The North Korea-linked Lazarus Group (aka Diamond Sleet and Pompilus) has been observed using Medusa ransomware in an attack targeting an unnamed entity in the Middle East, according to a new report by the Symantec and Carbon Black Threat Hunter Team.
Lazarus Group Uses Medusa Ransomware in Middle East and U.S. Healthcare Attacks.
In a report titled ‘North Korean Lazarus Group Now Working With Medusa Ransomware,’ Symantec and Carbon Black said they uncovered evidence of North Korean actors deploying Medusa ransomware in an attack against a target in the Middle East.
The Lazarus Group's Medusa ransomware campaign includes the use of various tools:
* RP_Proxy, a custom proxy utility
* Mimikatz, a publicly available credential dumping program
* Comebacker, a custom backdoor exclusively used by the threat actor
* InfoHook, an information stealer previously identified as used in conjunction with Comebacker
* BLINDINGCAN (aka AIRDRY or ZetaNile), a remote access trojan
* ChromeStealer, a tool for extracting stored passwords from the Chrome browser
North Korea’s Lazarus Group appears to have added another tool to its kit.
While some cybercrime outfits claim to steer clear of targeting healthcare organizations due to the reputational damage it may attract, Lazarus doesn’t seem to be in any way constrained.
As far back as 2021, a Lazarus sub-cluster referred to as Andariel (aka Stonefly) was observed striking entities in South Korea, Japan, and the U.S. with bespoke ransomware families like SHATTEREDGLASS and Maui. That said, Andariel is not alone in shifting from custom ransomware to an already available variant. The activity has not been tied to any specific Lazarus sub-group, despite the fact that the extortion attacks mirror previous Andariel attacks.
The average ransom demand in that period was $260,000.
Tactical Metrics
Victims: 30 victim organizations. Of the nearly 30 victim organizations listed on the Medusa data-leak site since November 2025, four are healthcare and nonprofit organizations in the US, including a mental health nonprofit and an educational facility for autistic children.
Financial: $260,000 average ransom demand over the period. "It is unknown if all these victims were targeted by North Korean operatives or if other Medusa affiliates were responsible for some of these attacks," the security sleuths said in a Tuesday report, noting that the ransom demand over the four-month period averaged $260,000.
Intelligence Sources
The Hacker News (2026-02-24)
The Register - Cybercrime (2026-02-24): North Korea's Lazarus Group targets healthcare orgs with Medusa ransomware
The Register - Cybercrime, Data Breaches (2026-02-24)
Incident Version History
CURRENT VERSION
Last Updated: 2026-04-27T07:14
Comprehensive Tactical Telemetry
Highly Correlated Entities
14x organisation (Identified Entity): the Treasury Department
13x timeline (Temporal Reference): November 2025
8x attribution (Attributing Entity): FBI
7x industry (Targeted Sector): Healthcare
5x target region (Target Country): Korea, Democratic People's Republic of
5x malware (Malware Payload): Carbon
3x tactic (Cyber Operation Type): Ransomware
3x threat actor (APT Group): Lazarus Group
2x target region (Target Region): DPRK
2x source region (Origin Country): Korea, Democratic People's Republic of
Contextual Telemetry (6 metrics)
source region (Origin Region): DPRK
victims (Victim Organizations): 30 victim organizations
general metric (Attacks): 366 attacks
financial (Period): 260,000
general metric: Feb 24
malware (Offensive Tool): Mimikatz