North Korean Hackers Using Medusa Ransomware in Attacks on U.S. Healthcare Sector
North Korean state-sponsored hackers are targeting U.S. healthcare organizations and non-profits and deploying Medusa ransomware, according to a joint investigation by Symantec and the Carbon Black Threat Hunter Team.
A wave of recent attacks has been linked to the Lazarus Group, an umbrella term covering multiple cyber threat actors linked to the Reconnaissance General Bureau (RGB) of the North Korean government. The Lazarus Group engages in attacks for espionage purposes, as well as disruptive and destructive attacks on targets primarily in South Korea, but also engages in financially motivated campaigns, often targeting organizations in the United States.
Medusa emerged in 2023 as a ransomware-as-a-service (RaaS) operation, which is believed to be run by a cybercrime group called Spearwing. Affiliates are recruited to conduct attacks using the Medusa encryptor and infrastructure in exchange for a percentage of any ransom payments they generate. Medusa actors engage in double extortion, stealing and encrypting data. A ransom must be paid to obtain the decryption keys and to prevent the leaking or sale of stolen data. Medusa often auctions off stolen data if the ransom is not paid, leaking data that has not been sold.
While North Korean state-sponsored hackers are known to have used Maui and Play ransomware in their financially motivated attacks, Symantec and Carbon Black Threat Hunter Team uncovered evidence that the Lazarus Group has started using Medusa in its ransomware campaigns. They identified an attack on a target in the Middle East, plus four attacks on healthcare organizations and non-profits in the United States since November 2025. U.S. victims include a non-profit mental health service provider and an educational facility for autistic children. Since November 2025, when the first Medusa ransomware attacks were attributed to the Lazarus Group, the average ransom demand is $260,000.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
A Lazarus subgroup known as Stonefly (aka Andrael) is believed to be one of the groups involved in the attacks. Stonefly has previously focused on espionage attacks on high-value targets; however, for the past five years, the group has engaged in ransomware attacks, often against hospitals and other healthcare providers. The U.S. Department of Justice has indicted a suspected member of the group, the North Korean Rim Jong Hyok, on charges related to ransomware attacks on U.S. healthcare providers. Rim is alleged to be linked to the RGB and, along with other members of the group, is thought to be involved in ransomware attacks to raise funds for the group’s espionage activities.
Symantec and the Carbon Black Threat Hunter Team have not been able to attribute the attacks to any specific subgroup of Lazarus, but have found sufficient evidence confirming that Lazarus is behind the attacks. Symantec and Carbon Black have tracked more than 366 ransomware attacks involving the Medusa encryptor, although the group has claimed attacks on more than 500 organizations, including more than 40 healthcare organizations. Symantec and Carbon Black have shared indicators of compromise (IoCs) associated with the attacks, along with the range of tools used by the Lazarus group in its current ransomware campaigns.
