The North Korean Lazarus Group is using Medusa ransomware to mount attacks on healthcare facilities in the U.S. and Middle East, the Symantec and Carbon Black Threat Hunter team reported.In a blog post Feb. 24, the Symantec and Carbon Black researchers said analysis of the Medusa leak site showed attacks against four healthcare and non-profit organizations in the U.S. since the beginning of November 2025.Victims included a non-profit in the mental health sector and an educational facility for autistic children. The attackers used a broad range of tools, including Comebacker — a custom backdoor and loader exclusively associated with Lazarus — Blindingcan — a remote access trojan tied to Lazarus — and Mimikatz — a publicly available credential dumping tool.The researchers said it’s still not clear if all the recent victims were targeted by North Korean operatives, or if other Medusa affiliates were responsible for some of the attacks. The average ransom demand in the period since November 2025 was $260,000, said the researchers, who also pointed out that more than 366 attacks have been claimed by threat actors using Medusa.
Related reading:
“Ransomware attacks on healthcare are not new,” said Sunil Gottumukkala, chief executive officer at Averlon. “The Change Healthcare and Ascension Health breaches are just two prominent examples among many. What's notable here is that even a sophisticated nation-state actor like Lazarus is choosing off-the-shelf ransomware-as-a-service over custom tooling.”While the industry narrative has been fixated on AI-orchestrated end-to-end attacks, threat actors are consistently taking the path of least resistance: commodity ransomware, credential harvesting, and known attack playbooks, explained Gottumukkala. For defenders, the lesson remains the same: Strong credentials, reduced attack surface, and rapid patching of exposed systems remain the highest-leverage investments you can make, said Gottumukkala.Jacob Krell, senior director at Suzu Labs, added that the Lazarus Group's use of Medusa ransomware represents a clear signal that nation-state backed cybercrime has fully industrialized.“State actors are no longer building every tool from scratch,” said Krell. “They are acquiring capabilities off-the-shelf, the same way any business scales operations. Defenders have to plan for adversaries that can scale faster than traditional security programs can. The geopolitical dimension here is important and often underweighted in risk planning. Stolen ransomware proceeds fund North Korean espionage operations targeting U.S. defense, government, and technology sectors.”
Threat Management, Threat Intelligence, Ransomware, Malware, Identity, Decentralized identity and verifiable credentials, Government security
North Korea’s Lazarus Group targets US, Middle East healthcare sectors

(Adobe Stock)
An In-Depth Guide to Ransomware
Get essential knowledge and practical strategies to protect your organization from ransomware attacks.
Related Events
Get daily email updates
SC Media's daily must-read of the most current and pressing daily news
You can skip this ad in 5 seconds



