INSPECTING ARCHIVED INTELLIGENCE (OUTDATED VERSION).
Medusa Ransomware Exploits Vulnerabilities
2026-02-24 21:18 | CRITICAL | LOW
Executive Summary (AI-generated)
The Lazarus Group, a notorious North Korean state-sponsored threat actor, has been linked to multiple high-profile cyberattacks targeting healthcare organizations. These attacks show the group's pattern of hitting critical-infrastructure targets, most notably healthcare entities. Unlike most nation-state advanced persistent threat (APT) groups, Lazarus Group has long engaged in conventional, financially motivated cybercrime against targets ranging from energy-sector organizations to cryptocurrency exchanges. The recent Medusa ransomware attack on an organization in the Middle East is a prime example of this trend, illustrating the group's ability to adapt its tactics while maintaining operational flexibility.
Technical Mitigations (AI-generated)
* Block EDR killers: Ransomware gangs disable endpoint detection and response (EDR) products with "EDR killer" tools that depend on vulnerable drivers. Organizations should block the execution of known EDR-killer tools and the loading of the vulnerable drivers they rely on.
* Monitor for privilege escalation attempts: Regularly monitor systems for signs of privilege escalation, which attackers may use to introduce malware into targeted systems. Combine privilege-monitoring tooling with a least-privilege access model so that unexpected elevation is both harder to achieve and easier to detect.
* Defend against BYOVD (bring-your-own-vulnerable-driver): Prevent ransomware gangs from abusing legitimately signed but vulnerable drivers by blocking the loading of known vulnerable drivers, monitoring for unexpected driver installations, and blocking the tactic wherever it is observed.
* Regularly update and patch operating systems and software: Keeping operating systems, applications, and firmware up-to-date with the latest security patches is crucial in preventing exploitation by ransomware gangs.
* Implement a robust incident response plan: Having an incident response plan in place can help organizations respond quickly to ransomware attacks. This should include procedures for containing and eradicating malware, as well as communication protocols with affected parties.
Technical Observables
Intelligence Metadata
Actors / Malware / CVEs / Campaigns
Lazarus Group, Andariel, Carbon, Medusa Ransomware
Target & Sectors
Regions: DPRK, MIDDLE_EAST, NORTH_AMERICA
Sectors: healthcare, defense, government, health, energy, technology
Incident Timeline
October 2024
Threat actors used Medusa ransomware against three US organizations in October 2024.
tactic
Ransomware
target_region
United States
Yet subsequent investigations found continued intrusion attempts against three US organizations in October 2024, even though ransomware was not deployed.
July 2025
Stonefly began targeting financial institutions with Medusa ransomware in July 2025.
tactic
Espionage
Once considered focused solely on espionage, Stonefly's involvement in financially motivated attacks became public in July 2025.
early November 2025
Threat actors used Medusa ransomware to target four US healthcare and non-profit organizations.
source_region
United States
industry
Healthcare
Analysis of Medusa's leak site indicated that four US healthcare and non-profit organizations have been listed as victims since early November 2025.
2026-02-24
The Lazarus Group, a North Korean state-sponsored hacking group, has adopted the Medusa ransomware-as-a-service (RaaS) platform.
threat_actor
Lazarus Group
actors also attempted an unsuccessful attack on a US healthcare organization.
Lazarus Group Picks a New Poison: Medusa Ransomware.
Partnering with Medusa, therefore, makes sense for Lazarus Group, given its history of ransomware and extortion attacks.
Lazarus Group's embrace of Medusa shows the Democratic People's Republic of Korea's (DPRK)
Which Lazarus Group Unit Was Behind the Attacks?
In addition to the Comebacker malware, Carbon Black's threat hunter team found evidence of other malware and hacking tools frequently used by the Lazarus Group in the two attacks.
North Korean Lazarus Group Expands Ransomware Activity With Medusa.
organisation
the US Justice Department
At that time, the US Justice Department indicted Rim Jong Hyok, an alleged Stonefly member, for his role in ransomware campaigns targeting US hospitals and healthcare providers.
organisation
Lazarus
"While some cybercrime outfits claim to steer clear of targeting healthcare organizations due to the reputational damage it may attract, Lazarus doesn't seem to be in any way constrained."
organisation
DPRK (the Democratic People's Republic of Korea)
Lazarus Group's embrace of Medusa shows the Democratic People's Republic of Korea's (DPRK)
organisation
North Korean
North Korean Lazarus Group Expands Ransomware Activity With Medusa.
organisation
IP
The threat hunter team's report included indicators of compromise from the two attacks, such as malicious file indicators, IP addresses, and URLs.
organisation
APT
Unlike most nation-state advanced persistent threat (APT) groups, Lazarus has long been involved in conventional cybercrime with financially motivated attacks on everything from energy sector organizations to cryptocurrency exchanges.
organisation
Ransomware
Just the Ransomware, Please
organisation
EDR
The ransomware gang has embraced the bring-your-own-vulnerable-driver (BYOVD) technique, deploying endpoint detection and response (EDR) killers to disable enterprise security defenses.
organisation
BYOVD
Still, BYOVD has become an increasingly popular tactic among ransomware gangs, and security teams should prepare for such threats.
organisation
Spearwing
Use of Medusa Ransomware Grows
Medusa, operated by the Spearwing cybercrime group, emerged in 2023 as a ransomware-as-a-service (RaaS) platform.
threat_actor
Andariel
The Stonefly sub-group
, also known as Andariel, has played a central role in ransomware operations over the past five years.
organisation
Reconnaissance General Bureau (RGB)
He is said to be affiliated with North Korea's Reconnaissance General Bureau (RGB).
organisation
The Lazarus Group
The Lazarus Group has a new partner in crime.
organisation
Comebacker
The researchers noted that while the Medusa attacks featured tactics, techniques, and procedures (TTPs) associated with a Lazarus sub-group known as Stonefly, the additional malware used by the threat actors, including a backdoor known as Comebacker, was previously tied to a different group tracked as Diamond Sleet.
organisation
Infohook
This includes Blindingcan, a remote access Trojan (RAT) tied to Lazarus, and an infostealer known as Infohook.
organisation
Affiliates
Affiliates deploy the malware in exchange for a share of ransom payments.
organisation
Tools Used In Recent Campaigns
In the new advisory, researchers identified a range of malware and utilities linked to the attacks:
While the tactics resemble previous Stonefly operations, the analysts cautioned that the tools are not exclusive to one sub-group.
financial
$10m reward
Authorities also announced a $10m reward for information related to him.
Tactical Metrics
financial: $10,000,000 reward
Intelligence Sources
Dark Reading, 2026-02-24: Lazarus Group Picks a New Poison: Medusa Ransomware
Infosecurity-Magazine, 2026-02-24: North Korean Lazarus Group Expands Ransomware Activity With Medusa
Incident Version History
CURRENT VERSION
Last Updated: 2026-04-27T07:16
Comprehensive Tactical Telemetry
Highly Correlated Entities
19x organisation (Identified Entity): Singapore &
6x industry (Targeted Sector): Healthcare
6x target region (Target Country): Japan
5x tactic (Cyber Operation Type): Ransomware
5x timeline (Temporal Reference): 2024
2x source region (Origin Country): United States
2x threat actor (APT Group): Lazarus Group
2x malware (Malware Payload): Medusa Ransomware
2x target region (Target Region): MIDDLE_EAST
2x source region (Origin Region): DPRK
Contextual Telemetry (4 metrics)
attribution (Attributing Entity): Smear Japan PM
general metric (Telcos Fend): 4
general metric (Incidents): 366
financial ($ Reward): 10,000,000