TL;DR –
North Korean hackers linked to the Lazarus threat group are using the Medusa ransomware in cyberattacks against U.S. healthcare organizations. The Medusa ransomware entered operation in January 2021 and had impacted over 300 organizations in critical infrastructure sectors by February 2025. These attacks involve a toolset associated with Diamond Sleet, another North Korean group, and the tools used include a Diamond Sleet-linked backdoor/loader, a remote access trojan, a Chrome credential extractor, an information stealer, a credential dumping tool, a custom proxy tool, and a data transfer tool.
North Korean Lazarus Group Accused of Medusa Ransomware Attacks on U.S. Healthcare
North Korean state-backed hackers, believed to be part of the Lazarus group, are reportedly targeting U.S. healthcare organizations with the Medusa ransomware in a series of extortion attacks. The Medusa ransomware-as-a-service (RaaS) operation started in January 2021, and by February 2025 it had hit over 300 organizations across various infrastructure sectors. Since then, the operation has claimed another 80 victims.
While North Korean cybercriminals have been linked to ransomware strains such as HolyGhost, PLAY, Maui, Qilin, and others, this is the first evidence associating them with Medusa.
Enterprise cybersecurity company Symantec believes that a Lazarus subgroup, possibly Andariel/Stonefly, is using Medusa to target U.S. healthcare providers for financial gain. The tools used in these attacks also show connections to Diamond Sleet, another North Korean group known for targeting media, defense, and IT industries.
The Medusa ransomware attacks rely on a shared toolset that includes Comebacker, Blindingcan, ChromeStealer, Infohook, Mimikatz, RP_Proxy, and Curl. Symantec researchers note that North Korean hackers remain continuously engaged in financially motivated cybercrime, with no sector off-limits.
While not all Medusa attacks can be attributed to Lazarus, the group is known to demand ransoms as large as $15 million. The stolen funds are used to support espionage operations against entities in the defense, technology, and government sectors in the U.S., Taiwan, and South Korea. Symantec has shared indicators of compromise (IoCs) in its report, including data on network infrastructure and malware hashes.