Cyber: North Korean Lazarus Group Linked To Medusa Ransomware Attacks

North Korean state-backed hackers associated with the Lazarus threat group are targeting U.S. healthcare organizations in extortion attacks using the Medusa ransomware.

The Medusa ransomware-as-a-service (RaaS) operation emerged in January 2021, and by February 2025 it had impacted over 300 organizations in various critical infrastructure sectors. Since then, the gang has claimed at least another 80 victims.

North Korean threat actors have previously been linked to other ransomware strains such as HolyGhost, PLAY, Maui, and Qilin, as well as other malware families. However, this is the first time security researchers have associated the actor with Medusa.

In a report today, enterprise cybersecurity company Symantec says that a Lazarus subgroup, possibly Andariel/Stonefly, is now using Medusa in financially motivated cyberattacks targeting U.S. healthcare providers.

According to the researchers, the toolset used in these attacks also shows some association with Diamond Sleet, another North Korean group that typically targets media, defense, and IT industries.

However, some of the utilities seen in the Medusa ransomware attacks are commodity tools:

The researchers comment that no sectors are off-limits for North Korean hackers, who keep getting involved in cybercrime for financial gain.

“While some cybercrime outfits claim to steer clear of targeting healthcare organizations due to the reputational damage it may attract, Lazarus doesn’t seem to be in any way constrained,” Symantec researchers say.

Medusa has targeted multiple healthcare and non-profit organizations in the U.S.: the gang's data leak site lists four such victims since the beginning of November 2025, among them an educational facility for autistic children.

Not all these Medusa attacks can be confidently attributed to Lazarus hackers, though. Medusa can demand ransoms as large as $15 million, but Symantec researchers say that the average is around $260,000.

Source: BleepingComputer