Threat Management, Threat Intelligence, Ransomware, Malware, Identity, Decentralized identity and verifiable credentials, Government security

North Korea’s Lazarus Group targets US, Middle East healthcare sectors

Korea North flag - 3D realistic waving flag on matrix digital ba

The North Korean Lazarus Group is using Medusa ransomware to mount attacks on healthcare facilities in the U.S. and Middle East, the Symantec and Carbon Black Threat Hunter team reported.

In a blog post Feb. 24, the Symantec and Carbon Black researchers said analysis of the Medusa leak site showed attacks against four healthcare and non-profit organizations in the U.S. since the beginning of November 2025.

Victims included a non-profit in the mental health sector and an educational facility for autistic children. The attackers used a broad range of tools, including Comebacker — a custom backdoor and loader exclusively associated with Lazarus — Blindingcan — a remote access trojan tied to Lazarus — and Mimikatz — a publicly available credential dumping tool.

The researchers said it’s still not clear if all the recent victims were targeted by North Korean operatives, or if other Medusa affiliates were responsible for some of the attacks. The average ransom demand in the period since November 2025 was $260,000, said the researchers, who also pointed out that more than 366 attacks have been claimed by threat actors using Medusa.


Related reading:


“Ransomware attacks on healthcare are not new,” said Sunil Gottumukkala, chief executive officer at Averlon. “The Change Healthcare and Ascension Health breaches are just two prominent examples among many. What's notable here is that even a sophisticated nation-state actor like Lazarus is choosing off-the-shelf ransomware-as-a-service over custom tooling.”

While the industry narrative has been fixated on AI-orchestrated end-to-end attacks, threat actors are consistently taking the path of least resistance: commodity ransomware, credential harvesting, and known attack playbooks, explained Gottumukkala. For defenders, the lesson remains the same: Strong credentials, reduced attack surface, and rapid patching of exposed systems remain the highest-leverage investments you can make, said Gottumukkala.

Jacob Krell, senior director at Suzu Labs, added that the Lazarus Group's use of Medusa ransomware represents a clear signal that nation-state backed cybercrime has fully industrialized.

“State actors are no longer building every tool from scratch,” said Krell. “They are acquiring capabilities off-the-shelf, the same way any business scales operations. Defenders have to plan for adversaries that can scale faster than traditional security programs can. The geopolitical dimension here is important and often underweighted in risk planning. Stolen ransomware proceeds fund North Korean espionage operations targeting U.S. defense, government, and technology sectors.”

Mimikatz still effective years later

Craig Birch, technology evangelist and principal security engineer at Cayosoft, said while organizations and headlines are fixated on AI‑driven attacks, Lazarus has showed that ransomware groups don’t need anything fancy to be effective.

“Medusa has already been tied to multiple healthcare ransomware incidents, and attackers know identity is the fastest way in,” said Birch. “The fact that a nearly 20‑year‑old tool like Mimikatz is still effective underscores a hard truth: poor identity hygiene continues to leave healthcare organizations dangerously exposed."

Jason Soroko, senior fellow at Sectigo, added that striking facilities dedicated to mental health and autistic children demonstrates that these actors prioritize maximum emotional leverage to ensure swift ransom payments.

“The relatively modest average ransom demand suggests a volume-based approach where threat actors target chronically underfunded sectors that simply cannot afford prolonged operational downtime,” said Soroko. “Network defenders must recognize that foreign adversaries are no longer solely hunting major enterprises and are actively exploiting the softest targets in the American healthcare ecosystem.”

An In-Depth Guide to Ransomware

Get essential knowledge and practical strategies to protect your organization from ransomware attacks.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds