North Korea’s Lazarus Group targets healthcare orgs with Medusa ransomware

Summary

Security researchers from Symantec and Carbon Black report that North Korea’s state‑linked Lazarus Group has started using the Medusa ransomware strain in extortion campaigns. At least one attempted attack against a US healthcare organisation failed, while an unnamed Middle East victim was successfully hit. Researchers found that Medusa victims listed since November 2025 include several healthcare and nonprofit organisations in the US; average ransom demands over a recent four‑month period were around $260,000.

The Medusa operation is a ransomware‑as‑a‑service (RaaS) run by the Spearwing group since 2023, with affiliates conducting hundreds of attacks against critical sectors. Indicators observed in the recent campaigns include Medusa ransomware artefacts, the Lazarus‑associated Comebacker backdoor, and the Blindingcan RAT. While tactics and targets resemble previous Lazarus (Andariel/Stonefly) activity, some tools are not exclusive to that subgroup.

Key Points

  • Lazarus Group has begun employing Medusa ransomware in extortion attempts against healthcare organisations.
  • One US healthcare attempt failed; at least one Middle East organisation was successfully compromised.
  • Medusa is a RaaS operated by the Spearwing group since 2023; its leak site listed nearly 30 victims since Nov 2025, including four US healthcare/nonprofit organisations.
  • Average ransom demands observed over a recent four‑month window were about $260,000.
  • Security teams observed Medusa indicators plus Lazarus‑linked tools such as the Comebacker loader and Blindingcan RAT.
  • The shift shows state‑linked cyber operators leveraging commercialised ransomware infrastructures to hit critical sectors and raise revenue for Pyongyang.

Author style

Punchy: this is not just another ransomware story — it shows a persistent, state‑backed actor using commercial RaaS to keep targeting vulnerable organisations, especially in healthcare.

Context and Relevance

Healthcare providers remain high‑value targets because outages and data exposure can cause immediate harm and raise pressure to pay. The trend of nation‑state actors (like Lazarus) using third‑party RaaS lowers technical barriers and complicates attribution — affiliates can reuse infrastructure while state groups supply bespoke loaders and RATs. The activity follows earlier sanctions and indictments tied to Lazarus subgroups, underscoring long‑running DPRK cybercrime aimed at fundraising.

For security teams, the key takeaways are to treat Medusa indicators and Lazarus‑linked artefacts as high priority, ensure robust backups and segmented networks, and prioritise detection of loaders/backdoors such as Comebacker and known RATs like Blindingcan.

Why should I read this?

Short version: if you run IT or security for a hospital, clinic or healthcare charity — pay attention. This isn’t random noise: a state‑linked group is mixing commercial ransomware with its own tools to hit exactly the places that cause the most disruption. We skimmed the technical report and boiled it down so you can act fast — patch, check for Comebacker/Blindingcan indicators, verify backups and review segmentation.

Source

Source: https://go.theregister.com/feed/www.theregister.com/2026/02/24/north_koreas_lazarus_group_healthcare_medusa_ransomware/