Full Report
Anna Ribeiro reports: A joint investigation by the Symantec and Carbon Black Threat Hunter teams details evidence that operators linked to the Lazarus hacker group are deploying Medusa ransomware in ongoing extortion campaigns targeting the U.S. healthcare sector and a Middle East entity, indicating the North Korean threat cluster continues ransomware-driven extortion campaigns despite prior U.S. indictments....
Analysis Summary
# Threat Actor: Lazarus Group (Associated with Medusa Ransomware)
## Attribution & Identity
**Attribution:** Linked to the Lazarus hacker group, identified as a North Korean threat cluster.
**Aliases/Associations:** Associated with the deployment of Medusa ransomware. Evidence of Lazarus-associated tooling was observed in intrusions.
## Activity Summary
Lazarus operators are deploying Medusa ransomware in ongoing extortion campaigns. This activity is noted despite prior U.S. indictments against the group. Recent activities documented include:
- An attack against a target in the Middle East.
- An attempted, but failed, breach against a U.S. healthcare organization.
- Victim claims involving healthcare and nonprofit organizations generally.
## Tactics, Techniques & Procedures
- Deployment or use of **Medusa ransomware**.
- Use of **Lazarus-associated tooling** observed during intrusions.
- **Extortion campaigns** utilizing ransomware.
- *MITRE ATT&CK IDs were not specified in the provided source.*
## Targeting
**Sectors:**
- U.S. Healthcare Sector
- Nonprofit organizations
**Geography:**
- United States
- Middle East
**Victims:**
- Unspecified organization in the Middle East (successful intrusion)
- U.S. healthcare entity (failed attempt)
- Healthcare and nonprofit organizations (named in victim claims)
## Tools & Infrastructure
**Malware Families Used:**
- Medusa ransomware
**Infrastructure (C2, domains, IPs):**
- *No specific infrastructure details (IPs, domains, C2s) were mentioned in the source text.*
## Implications
The continued use of ransomware (specifically Medusa) by state-sponsored actors like Lazarus against critical sectors like U.S. healthcare, even after international indictments, suggests a high level of operational resilience and a sustained focus by North Korea on disruption and financial gain through cyber extortion.
## Mitigations
- Harden defenses against ransomware families like Medusa.
- Review and enhance security controls protecting U.S. healthcare and nonprofit environments, as these remain high-value targets.
- Monitor networks for the presence of tooling associated with the Lazarus group.