In early 2026, new threat analysis revealed that the North Korean state-linked Lazarus cyber-espionage and cybercrime organization has pivoted to using Medusa ransomware as part of ongoing digital extortion campaigns targeting high-value sectors such as healthcare and nonprofit organizations.
Background: Lazarus and Medusa
Lazarus Group is a widely tracked North Korean cyber threat cluster associated with the country’s Reconnaissance General Bureau (RGB). It has historically conducted espionage, financial theft, and disruptive operations against both government and private sector networks.
Medusa ransomware is a Ransomware-as-a-Service (RaaS) strain first identified in 2021. Operated by a cybercrime collective often tracked under varying names (including Spearwing or Frozen Spider depending on source), Medusa has become one of the more prolific ransomware families. It leverages double extortion, where data is both encrypted and exfiltrated, and victims are threatened with public release of sensitive information if a ransom is not paid.
Recent Targeting and Attribution
A joint investigation by threat research teams (Symantec and Carbon Black) uncovered evidence that Lazarus actors deployed Medusa ransomware in at least one attack on an entity in the Middle East and attempted additional intrusions against U.S. healthcare organizations.
Analysis of the Medusa leak site — where ransomware operators commonly publish victim data and ransom demands — showed multiple attacks against U.S. healthcare and non-profit organizations during late 2025. These victims included entities in the mental health and special-education sectors, with average ransom demands of approximately $260,000 USD.
The attribution to Lazarus is made with high confidence, based on overlapping infrastructure, incident-response investigations, and linkages to previously identified Lazarus sub-groups such as Stonefly (also known as Andariel). Stonefly had been involved in past ransomware attacks, including campaigns against U.S. hospitals that led to a U.S. Department of Justice indictment.
Technical Toolset and Malware Components
In these campaigns, Lazarus has not solely relied on Medusa’s core binary. Analysis indicates the involvement of a broader attack toolset, including:
- Comebacker — a custom Lazarus backdoor and loader
- Blindingcan — a remote access Trojan (RAT)
- ChromeStealer — credential theft module for extracting stored credentials from browsers
- Mimikatz — widely known credential dumping tool
- RP_Proxy and other supporting utilities
The combination of Medusa ransomware with these tools indicates a multi-stage intrusion approach: initial access, credential compromise, lateral movement, and final ransomware deployment.
Medusa Ransomware Characteristics
Medusa ransomware’s techniques align with modern ransomware practices documented by cybersecurity agencies and industry researchers:
- RaaS model — Affiliates deploy the ransomware in exchange for revenue sharing.
- Double extortion — Data is exfiltrated before encryption, increasing leverage over victims.
- Leak site operations — Public exposure of victims’ data to coerce payment.
- Initial access brokers (IABs) — Medusa often leverages third-party access services to gain footholds.
- Use of legitimate tools — Living off the land, PowerShell execution, and Windows Management Instrumentation are observed components in attack chains.
Tactics, Techniques, and Procedures (TTPs)
Medusa’s operational TTPs have been catalogued in MITRE ATT&CK and include:
- Credential access and dumping
- Remote service exploitation
- Termination of defensive services
- File encryption and data destruction
- Inhibition of system recovery mechanisms (e.g., shadow copy deletion)
These actions enable Medusa to maximize impact while minimizing recovery options for defenders.
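The TTPs listed above, together with the "use of legitimate tools" bullet in the previous section (PowerShell, WMI), are what endpoint detection should be keyed on. The following Python script is an added example written for this article, not detection content from the page, from Symantec/Carbon Black or from any vendor. It runs a small set of assumed regex rules over constructed process-creation log lines (a pipe-delimited "timestamp|host|user|parent_image|command_line" format invented for the example), tags each hit with its MITRE ATT&CK technique ID, and then correlates hits per host: a single shadow-copy deletion on a backup server is only medium severity, because backup software manages shadow copies legitimately, but several distinct tactics on one host inside a short window is the multi-stage pattern the write-up describes and is escalated to critical.

```python
"""Detection logic for Medusa-style ransomware precursor TTPs in process-creation
telemetry. Rules fire on single events; a per-host correlator escalates when
several distinct rules fire on one host inside a short window.

The log format and the sample lines are constructed for this example; the
regex rule set is an assumed, illustrative one and not any vendor's content.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# (rule name, MITRE ATT&CK technique ID, pattern applied to the command line)
RULES = [
    ("shadow_copy_deletion", "T1490",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete"
                r"|win32_shadowcopy.*delete", re.I)),
    ("recovery_inhibition", "T1490",
     re.compile(r"bcdedit(\.exe)?.*(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)"
                r"|wbadmin(\.exe)?\s+delete\s+catalog", re.I)),
    # Service/process names here are assumed examples of defensive components.
    ("defensive_service_stop", "T1489",
     re.compile(r"(net|sc)(\.exe)?\s+stop\s+.*(windefend|sense|antivirus|edr)"
                r"|taskkill(\.exe)?.*(msmpeng|antivirus|edr)", re.I)),
    ("encoded_powershell", "T1059.001",
     re.compile(r"powershell(\.exe)?.*\s-(e|ec|enc|encodedcommand)\s", re.I)),
    ("remote_wmi_exec", "T1047",
     re.compile(r"wmic(\.exe)?\s+/node:.*process\s+call\s+create", re.I)),
    ("credential_dumping", "T1003",
     re.compile(r"mimikatz|sekurlsa::|lsass(\.exe)?.*(procdump|minidump)"
                r"|(procdump|minidump).*lsass", re.I)),
]

# Constructed sample telemetry: timestamp|host|user|parent_image|command_line
SAMPLE_LOGS = [
    r"2026-01-14T03:10:02Z|WS-FIN-07|CORP\jdoe|C:\Windows\System32\cmd.exe|powershell.exe -nop -w hidden -enc SQBFAFgA",
    r"2026-01-14T03:11:40Z|WS-FIN-07|CORP\jdoe|C:\Windows\System32\cmd.exe|net stop WinDefend",
    r"2026-01-14T03:12:07Z|WS-FIN-07|CORP\jdoe|C:\Windows\System32\cmd.exe|vssadmin delete shadows /all /quiet",
    r"2026-01-14T03:12:09Z|WS-FIN-07|CORP\jdoe|C:\Windows\System32\cmd.exe|bcdedit /set {default} recoveryenabled no",
    r"2026-01-14T09:30:00Z|SRV-BACKUP-01|CORP\svc_backup|C:\Program Files\BackupAgent\agent.exe|vssadmin delete shadows /for=D: /oldest",
    r"2026-01-14T10:02:00Z|WS-HR-02|CORP\asmith|C:\Windows\explorer.exe|notepad.exe C:\Users\asmith\notes.txt",
    r"2026-01-14T14:00:00Z|WS-FIN-07|CORP\jdoe|C:\Windows\System32\cmd.exe|ipconfig /all",
]


def parse_line(line):
    """Split one constructed log line into its five fields."""
    ts, host, user, parent, cmd = line.split("|", 4)
    return {"time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "host": host, "user": user, "parent": parent, "cmd": cmd}


def match_rules(event):
    """Return every (rule, technique) pair whose pattern hits the command line."""
    return [(name, tid) for name, tid, rx in RULES if rx.search(event["cmd"])]


def detect(lines, window=timedelta(minutes=30), min_distinct=2):
    """Run the rules over log lines and correlate hits per host.

    A host whose hits cover at least `min_distinct` different rules within
    `window` is rated critical (multi-stage precursor activity); a host with
    isolated hits is rated medium for analyst review.
    """
    by_host = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        for name, tid in match_rules(ev):
            by_host[ev["host"]].append({"time": ev["time"], "user": ev["user"],
                                        "rule": name, "technique": tid, "cmd": ev["cmd"]})
    alerts = {}
    for host, hits in by_host.items():
        hits.sort(key=lambda h: h["time"])
        escalated = False
        for i, h in enumerate(hits):
            recent = [x for x in hits[:i + 1] if h["time"] - x["time"] <= window]
            if len({x["rule"] for x in recent}) >= min_distinct:
                escalated = True
                break
        alerts[host] = {"hits": hits, "severity": "critical" if escalated else "medium"}
    return alerts


if __name__ == "__main__":
    for host, alert in detect(SAMPLE_LOGS).items():
        print(f"{host}: {alert['severity'].upper()} ({len(alert['hits'])} hits)")
        for h in alert["hits"]:
            print(f"  {h['time']:%H:%M:%S} {h['technique']:<9} {h['rule']:<24} {h['cmd']}")
```

The correlation window and the distinct-rule threshold are tuning knobs: backup agents, imaging tools and administrators legitimately touch shadow copies, so a single T1490 hit is noise on many estates, whereas encoded PowerShell followed within minutes by a service stop and shadow-copy deletion on the same workstation almost never is. In production the command-line source would be Sysmon event 1 or Windows event 4688 with command-line auditing enabled rather than the constructed format used here.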
Operational Implications
The use of Medusa by a state-linked actor like Lazarus demonstrates the blurring of lines between traditional cybercrime and state-sponsored operations. Rather than solely relying on custom malware, Lazarus appears to be incorporating widely available ransomware tools into financially motivated extortion schemes that simultaneously fund further espionage and disruptive activities.
This cross-pollination increases the operational footprint of Medusa ransomware — with more sophisticated infrastructure and potentially harder-to-attribute attacks.
Defensive Considerations
Organizations should consider the following measures to harden environments against Medusa-style intrusions and ransomware deployments:
- Regular patching and vulnerability management to mitigate initial access vectors.
- Network segmentation to restrict lateral movement.
- Multi-factor authentication (MFA) and strong credential hygiene.
- Endpoint monitoring and anomaly detection for early compromise indicators.
- Frequent, immutable backups stored offline to expedite recovery without paying a ransom.
Conclusion
The adoption of Medusa ransomware by Lazarus underscores an evolving ransomware threat landscape, where state-linked actors leverage commercialized extortion tools to broaden their capabilities. Security teams must continually adapt defensive postures to address not just commodity ransomware gangs but also sophisticated actors combining espionage and financial extortion vectors.
