Lazarus Group's Medusa Ransomware Strikes Globally
- Feb 24
Key Findings
The North Korea-linked Lazarus Group has been observed using the Medusa ransomware in attacks targeting an entity in the Middle East and an unsuccessful attempt against a healthcare organization in the U.S.
Medusa is a ransomware-as-a-service (RaaS) operation launched by a cybercrime group known as Spearwing in 2023, with over 366 claimed attacks to date.
The Lazarus Group's Medusa ransomware campaign involves the use of various tools, including RP_Proxy, Mimikatz, Comebacker, InfoHook, BLINDINGCAN, and ChromeStealer.
The attacks have targeted organizations in the U.S. providing essential social services, such as a mental health non-profit and an educational facility for autistic children, with ransom demands averaging around $260,000.
Background
The Lazarus Group, also tracked as Hidden Cobra and Diamond Sleet, is a North Korean state-sponsored threat actor that has been active for over a decade. Alongside espionage, the group has a long record of financially motivated operations, including bank and cryptocurrency theft, data breaches, and earlier ransomware deployments such as WannaCry in 2017.
Medusa Ransomware Deployment
According to a report by Symantec and the Carbon Black Threat Hunter Team, the Lazarus Group has been observed using the Medusa ransomware in attacks targeting an unnamed entity in the Middle East. The group also attempted an unsuccessful attack against a healthcare organization in the United States.
Medusa is a ransomware-as-a-service (RaaS) operation launched by a cybercrime group known as Spearwing in 2023. The operation has claimed over 366 victims to date.
Multi-Stage Attack Chain
The Lazarus Group's attacks with Medusa ransomware follow a multi-stage process. Before deploying the ransomware, the group uses specialized toolkits to disable local security tools, install custom backdoors and trojans, and harvest credentials with tools such as ChromeStealer and Mimikatz. The stolen data is then exfiltrated using RP_Proxy and Curl, and only after that is the ransomware dropped.
Targeting Vulnerable Institutions
The Lazarus Group's targeting patterns reveal a focus on organizations that provide essential social services, such as a mental health non-profit and an educational facility for autistic children in the U.S. The average ransom demand in these attacks is around $260,000, an amount the reporting describes as high enough for a significant payday but low enough that a desperate organization might consider paying to restore services.
Expert Insights
Jason Soroko, a Senior Fellow at Sectigo, a provider of certificate lifecycle management solutions, notes that the Lazarus Group's choice of targets demonstrates a focus on generating maximum emotional leverage to ensure swift ransom payments. The relatively modest average ransom demand suggests a volume-based approach, where the threat actors target chronically underfunded sectors that cannot afford prolonged operational downtime.
Conclusion
The Lazarus Group's adoption of the Medusa ransomware is a concerning development in North Korea's cyber operations: a state-backed group is now using an established cybercrime RaaS offering, rather than only its own tooling, to generate direct financial gains. The trend further blurs the line between state-sponsored espionage and commodity extortion, and smaller non-profits and healthcare organizations in particular need to revisit how they protect their sensitive data and recover from an outage.
Sources
https://hackread.com/north-korean-lazarus-group-medusa-ransomware/
https://thehackernews.com/2026/02/lazarus-group-uses-medusa-ransomware-in.html
https://www.ctrlaltnod.com/news/north-koreas-lazarus-group-now-deploying-medusa-ransomware/
https://www.linkedin.com/pulse/lazarus-hackers-adopt-medusa-ransomware-extortion-anna-ribeiro-spqqc