Lazarus Group Picks a New Poison: Medusa Ransomware

Summary

Symantec and Carbon Black threat hunters report that North Korea’s Lazarus Group deployed Medusa ransomware in a recent attack on a large organisation in the Middle East and attempted an unsuccessful strike on a US healthcare provider. Researchers found the Medusa payload alongside Lazarus-associated tooling: the Comebacker backdoor, Blindingcan RAT and the Infohook infostealer. The victims were not publicly identified and Carbon Black has not attributed the activity to a specific Lazarus sub-group.

Medusa has evolved since 2024 from a closed operation to a ransomware-as-a-service (RaaS) model and has a history of hitting critical infrastructure. Although Medusa operators often use bring-your-own-vulnerable-driver (BYOVD) techniques to disable EDRs, investigators did not observe vulnerable-driver deployment in these incidents. Symantec has published indicators of compromise and updated detections to block the observed behaviours.

Key Points

  • Lazarus used Medusa ransomware in a confirmed attack on a Middle Eastern organisation and tried (unsuccessfully) against a US healthcare entity.
  • Lazarus tooling (the Comebacker backdoor, the Blindingcan RAT and the Infohook infostealer) was found alongside the Medusa payload.
  • Medusa moved to a RaaS model in 2024 and has targeted hundreds of critical-infrastructure organisations.
  • Carbon Black could not yet identify which Lazarus sub-group conducted the attacks; TTPs overlapped with known sub-groups like Stonefly and Diamond Sleet.
  • No evidence was found of BYOVD/vulnerable-driver EDR-killer deployment in these incidents, though that technique remains a serious threat.
  • Symantec/Broadcom published IOCs and behaviour-based signals; their products have been updated to detect and block the activity.
  • Recommended defences include blocking known vulnerable drivers and monitoring for privilege escalation, since loading a kernel driver requires administrative rights (SeLoadDriverPrivilege) that an attacker must first obtain.

Context and Relevance

This development shows how nation-state actors continue to blend state-directed objectives with pure cybercrime tooling. Lazarus’ adoption of Medusa — a widely used RaaS — underscores two trends: (1) DPRK-affiliated groups increasingly partner with or reuse criminal infrastructure for financial gain, and (2) RaaS families like Medusa remain favourites for hitting critical infrastructure and large organisations.

For security teams, the key takeaways are detection and readiness: apply the vendor IOCs to signature and behaviour-based detections, review which accounts and policies permit driver installation, and watch privilege escalation and lateral movement closely.
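As an added example of the driver-load monitoring recommended in the key points and the takeaways above (this is illustration written for this page, not code from Symantec, Carbon Black or the Dark Reading article), the script below triages Sysmon Event ID 6 (DriverLoad) records for bring-your-own-vulnerable-driver activity. The sample events, the blocklist hash and the trusted-directory list are constructed placeholders; a real deployment would read the SIEM export and populate the blocklist from vendor IOC feeds or Microsoft's vulnerable driver blocklist.

```python
"""Triage Sysmon Event ID 6 (DriverLoad) records for BYOVD-style driver loads.

Added example, not vendor code. Sysmon 6 EventData fields used here:
UtcTime, ImageLoaded, Hashes, Signed, Signature, SignatureStatus.
All sample data and the blocklist entry are constructed placeholders.
"""
from dataclasses import dataclass
import ntpath  # parses Windows paths correctly even when run on Linux/macOS

# Constructed placeholder: SHA-256 -> label. Populate from real blocklists.
VULNERABLE_DRIVER_SHA256 = {
    "1" * 64: "example-vulnerable-driver.sys (placeholder entry)",
}

# Directories from which legitimately installed drivers are normally loaded.
TRUSTED_DRIVER_DIRS = (
    r"c:\windows\system32\drivers",
    r"c:\windows\system32\driverstore",
)

# Constructed Sysmon Event ID 6 records, as a SIEM would hand them over.
SAMPLE_EVENTS = [
    {   # benign: Microsoft-signed driver from the drivers directory
        "UtcTime": "2025-01-10 09:12:01.000",
        "ImageLoaded": r"C:\Windows\System32\drivers\ndis.sys",
        "Hashes": "SHA256=" + "2" * 64 + ",MD5=" + "a" * 32,
        "Signed": "true", "Signature": "Microsoft Windows",
        "SignatureStatus": "Valid",
    },
    {   # BYOVD pattern: validly signed third-party driver, blocklisted hash,
        # dropped under ProgramData rather than installed through the driver store
        "UtcTime": "2025-01-10 09:14:37.000",
        "ImageLoaded": r"C:\ProgramData\svc\update.sys",
        "Hashes": "SHA256=" + "1" * 64 + ",MD5=" + "d" * 32,
        "Signed": "true", "Signature": "Example Hardware Vendor",
        "SignatureStatus": "Valid",
    },
    {   # unsigned driver loaded from a user-writable location
        "UtcTime": "2025-01-10 09:15:02.000",
        "ImageLoaded": r"C:\Users\Public\tmp\k.sys",
        "Hashes": "SHA256=" + "3" * 64 + ",MD5=" + "b" * 32,
        "Signed": "false", "Signature": "",
        "SignatureStatus": "Unavailable",
    },
]


@dataclass(frozen=True)
class Finding:
    utc_time: str
    image: str
    reason: str
    severity: str  # "high" or "medium"


def parse_hashes(field: str) -> dict[str, str]:
    """Turn Sysmon's 'SHA256=...,MD5=...' string into {ALGO: lowercase hex}."""
    out: dict[str, str] = {}
    for part in field.split(","):
        if "=" in part:
            algo, value = part.split("=", 1)
            out[algo.strip().upper()] = value.strip().lower()
    return out


def in_trusted_dir(image_path: str) -> bool:
    directory = ntpath.dirname(image_path).lower()
    return any(directory == d or directory.startswith(d + "\\")
               for d in TRUSTED_DRIVER_DIRS)


def assess_driver_load(event: dict) -> list[Finding]:
    """Return zero or more findings for one DriverLoad event."""
    image, when = event.get("ImageLoaded", ""), event.get("UtcTime", "")
    findings: list[Finding] = []

    sha256 = parse_hashes(event.get("Hashes", "")).get("SHA256")
    if sha256 in VULNERABLE_DRIVER_SHA256:
        findings.append(Finding(when, image,
            f"hash matches known vulnerable driver: {VULNERABLE_DRIVER_SHA256[sha256]}",
            "high"))

    # A valid signature is NOT a pass: BYOVD abuses validly signed drivers.
    # But an unsigned or failed-validation load is itself a high-severity signal.
    if event.get("Signed", "").lower() != "true" or event.get("SignatureStatus") != "Valid":
        findings.append(Finding(when, image,
            "driver is unsigned or its signature did not validate", "high"))

    if not in_trusted_dir(image):
        findings.append(Finding(when, image,
            f"driver loaded from unexpected directory {ntpath.dirname(image)}",
            "medium"))
    return findings


def scan(events: list[dict]) -> list[Finding]:
    return [f for e in events for f in assess_driver_load(e)]


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.severity.upper()}] {f.utc_time} {f.image}: {f.reason}")
```

The hash match is deliberately separate from the signature check: the drivers abused in BYOVD attacks carry valid vendor signatures, so a signature-only rule passes exactly the loads that matter, and the blocklist and load-path checks have to carry the detection. For the privilege-escalation side of the recommendation, the same triage shape applies to Security event 4673 (sensitive privilege use) records whose PrivilegeList contains SeLoadDriverPrivilege, which Windows records when Audit Sensitive Privilege Use is enabled.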

Why should I read this?

Short version: Lazarus has started using Medusa — so if you look after infrastructure, healthcare systems or large corporate networks, this matters. It’s not just another ransomware story; it’s a nation-state crew leaning on criminal RaaS to cash out. Read the details to check your IOCs and patch defences — we’ve done the slog so you don’t have to.

Author style

Punchy and to the point: this is a timely warning. If you manage security controls, treat the report as actionable intelligence — detections and IOCs are out now and should be applied immediately.

Source

Source: https://www.darkreading.com/cyberattacks-data-breaches/lazarus-group-new-position-medusa-ransomware