North Korean state-backed hackers linked to the Lazarus Group are targeting US healthcare organizations in a wave of extortion attacks leveraging the Medusa ransomware, according to research from the Symantec and Carbon Black threat hunting teams.
The Medusa ransomware-as-a-service operation first emerged in January 2021, and by February 2025, it had impacted more than 300 organizations across critical infrastructure sectors. Ransom demands have reached as high as $15 million, though researchers estimate the average payment to be closer to $260,000.
Researchers believe the activity may be linked to Andariel (also known as Stonefly), a subgroup operating under the Lazarus umbrella. The toolset observed in the recent healthcare attacks also overlaps with infrastructure and malware previously attributed to Diamond Sleet, another North Korean threat group more commonly known for targeting the media, defense, and IT sectors.
The attackers deployed a mix of custom and publicly available tools, including Comebacker, a backdoor previously linked to Diamond Sleet; Blindingcan, a remote access trojan; the credential theft utilities ChromeStealer and Infohook; the well-known credential dumping tool Mimikatz; RP_Proxy, a custom proxy tool; and the data transfer utility Curl.
While not all Medusa incidents can be definitively attributed to Lazarus actors, the researchers warn that North Korean groups are increasingly engaging in financially motivated ransomware campaigns. Funds generated through such operations are believed to support broader espionage efforts targeting defense, technology, and government entities in the United States, Taiwan, and South Korea.
Symantec has released a set of indicators of compromise, including network infrastructure details and malware hashes, to help organizations detect and defend against ongoing activity.