Lazarus Hackers Turn Medusa Ransomware on U.S. Healthcare Organizations

State-backed operators blur the line between espionage and cybercrime.

United States: Healthcare in the Crosshairs

Security researchers report that North Korean state-linked actors associated with the Lazarus Group are targeting U.S. healthcare providers using Medusa ransomware.

This marks the first confirmed association between Lazarus-linked operators and the Medusa ransomware-as-a-service (RaaS) ecosystem.

From Espionage to Extortion

According to researchers at Symantec, a Lazarus subgroup, possibly linked to Andariel (also tracked as Stonefly), is deploying Medusa in financially motivated campaigns.

Historically, North Korean actors relied on ransomware strains such as Maui and HolyGhost. However, the adoption of Medusa suggests a shift toward outsourcing encryption operations while maintaining strategic objectives.

By February 2025, Medusa had impacted over 300 organizations across critical infrastructure sectors. Since then, the group has added at least 80 more victims to its data leak site.

Healthcare Not Off Limits

While some ransomware gangs avoid hospitals to reduce backlash, researchers say Lazarus appears unconstrained.

Recent Medusa listings include multiple healthcare and nonprofit victims in the United States, including an educational facility serving autistic children.

Symantec emphasized that not all Medusa attacks can be definitively attributed to Lazarus. However, overlapping tools and infrastructure strongly suggest North Korean involvement in specific cases.

The Toolset Behind the Attacks

Investigators observed both custom and commodity utilities in these campaigns, including:

  • Comebacker (linked to Diamond Sleet operations)
  • Blindingcan remote access trojan
  • ChromeStealer credential extractor
  • Infohook information stealer
  • Mimikatz credential dumping tool
  • RP_Proxy custom proxy utility
  • Curl for data exfiltration

The presence of tools associated with Diamond Sleet strengthens attribution indicators.

Financial Motive With Strategic Consequences

Medusa ransom demands can reach $15 million. However, researchers estimate the average payment hovers around $260,000.

Funds generated from cybercrime often support broader espionage campaigns targeting defense, government, and technology sectors in the United States, Taiwan, and South Korea.

Therefore, financially motivated ransomware may indirectly fuel state-sponsored intelligence operations.

Strategic Implications

The convergence of state-backed espionage and ransomware-for-profit operations signals a dangerous evolution.

Healthcare systems remain especially vulnerable due to:

  • Legacy infrastructure
  • Operational urgency
  • Sensitive patient data
  • Limited downtime tolerance

As geopolitical tensions persist, no critical sector appears immune.