Cybersecurity

Cyber: Lazarus Group Uses Medusa Ransomware In Middle East And U.s....

2026-02-24 0 views admin
Cyber: Lazarus Group Uses Medusa Ransomware In Middle East And U.s....

The North Korea-linked Lazarus Group (aka Diamond Sleet and Pompilus) has been observed using Medusa ransomware in an attack targeting an unnamed entity in the Middle East, according to a new report by the Symantec and Carbon Black Threat Hunter Team.

Broadcom's threat intelligence division said it also identified the same threat actors mounting an unsuccessful attack against a healthcare organization in the U.S. Medusa is a ransomware-as-a-service (RaaS) operation launched by a cybercrime group known as Spearwing in 2023. The group has claimed more than 366 attacks to date.

"Analysis of the Medusa leak site reveals attacks against four healthcare and non-profit organizations in the U.S. since the beginning of November 2025," the company said in a report shared with The Hacker News.

"Victims included a non-profit in the mental health sector and an educational facility for autistic children. It is unknown if all these victims were targeted by North Korean operatives or if other Medusa affiliates were responsible for some of these attacks. The average ransom demand in that period was $260,000."

The use of ransomware by North Korean hacking groups is not without precedent. As far back as 2021, a Lazarus sub-cluster referred to as Andariel (aka Stonefly) was observed striking entities in South Korea, Japan, and the U.S. with bespoke ransomware families like SHATTEREDGLASS, Maui, and H0lyGh0st.

Then, in October 2024, the hacking crew was also linked to a Play ransomware attack, marking the transition to an off-the-shelf locker to encrypt victim systems and demand a ransom.

That said, Andariel is not alone in shifting from custom ransomware to an already available variant. Last year, Bitdefender revealed that another North Korean threat actor tracked as Moonstone Sleet, which previously dropped a custom ransomware family called FakePenny, had likely targeted several South Korean financial firms with Qilin ransomware.

These changes possibly signal a tactical shift among North Korean hacking groups where they are operating as affiliates for established RaaS groups rather than developing their tools, the company told The Hacker News.

"The motivation is most likely pragmatism," Dick O'Brien, principal intelligence analyst for the Symantec and Carbon Black Threat Hunter Team, said. "Why go to the trouble of developing your own ransomware payload when you can use a tried-and-tested threat such as Medusa or Qilin? They may have decided that the benefits outweig

Source: The Hacker News

🏷️ Tags

hackransomwareattackthreat

More from Cybersecurity

Cyber: Phishing Campaign Targets Freight And Logistics Orgs In The Us, Europe

Cyber: Phishing Campaign Targets Freight And Logistics Orgs In The Us, Europe

2026-02-24 0
Cyber: Wynn Resorts Confirms Employee Data Breach After Extortion Threat

Cyber: Wynn Resorts Confirms Employee Data Breach After Extortion Threat

2026-02-24 0
Cyber: 1campaign Platform Helps Malicious Google Ads Evade Detection

Cyber: 1campaign Platform Helps Malicious Google Ads Evade Detection

2026-02-24 0
Cyber: New Attackers Now Need Just 29 Minutes To Own A Network 2026

Cyber: New Attackers Now Need Just 29 Minutes To Own A Network 2026

2026-02-24 0

Trending

1

CVE-2025-61481: Critical Remote Code Execution Vulnerability in MikroTik RouterOS & SwitchOS

2025-10-27 • 189 views
2

CVE-2025-43939: Dell Unity OS Command Injection (High)

2025-10-30 • 148 views
3

Google disputes false claims of massive Gmail data breach

2025-10-30 • 130 views
4

Microsoft: DNS outage impacts Azure and Microsoft 365 services

2025-10-30 • 88 views
5

3.5B Accounts, 1 Critical Flaw: Meta Closes WhatsApp Data-Harvesting

2025-11-25 • 81 views