North Korean attackers continuing to mount extortion attacks against the U.S. healthcare sector despite indictment.
Analysis Summary
# Threat Actor: Lazarus Group
## Attribution & Identity
* **Actor Name:** Lazarus Group
* **Sub-groups/Aliases:**
  * **Stonefly** (also known as Andariel)
  * **Pompilus** (also known as Diamond Sleet)
* **Affiliations:** Linked to the North Korean military intelligence agency, the **Reconnaissance General Bureau (RGB)**.
* **Key Figure:** Rim Jong Hyok (indicted member of Stonefly/Andariel).
## Activity Summary
The actor is currently engaged in financially motivated ransomware and extortion campaigns. While the group has traditionally focused on espionage, sub-groups such as Stonefly now also operate as affiliates of ransomware-as-a-service (RaaS) brands, using the proceeds to fund state-backed intelligence operations. Recent activity includes:
* Use of **Medusa ransomware** (operated by Spearwing) in attacks in the Middle East and unsuccessfully against a U.S. healthcare target.
* Collaboration with the **Play ransomware** group (noted in October 2024).
* Continued targeting of U.S. hospitals despite high-profile indictments and multimillion-dollar bounties.
## Tactics, Techniques & Procedures
* **Ransomware-as-a-Service (RaaS) Collaboration:** Acting as affiliates for established cybercrime brands (Medusa, Play) to deploy encryption and manage leaks.
* **Financial Extortion:** Mounting double-extortion attacks where data is stolen and encrypted to demand payments.
* **Credential Theft:** Harvesting browser-stored passwords (ChromeStealer) and dumping credentials from process memory (Mimikatz) to escalate privileges.
* **Proxying/Tunneling:** Using custom proxy software (RP_Proxy) to relay command-and-control traffic through compromised hosts and maintain access.
* **Self-Funding:** Using proceeds from ransomware to finance separate espionage campaigns against defense and technology sectors.
## Targeting
* **Sectors:** Healthcare (primary), Non-profit (Mental Health), Education (Special Needs), Defense, Technology, and Government.
* **Geography:** United States, Taiwan, South Korea, and the Middle East.
* **Victims:** Specifically mentioned:
  * U.S. mental health sector non-profit.
  * U.S. educational facility for autistic children.
  * Private companies in the U.S. with no intelligence value.
## Tools & Infrastructure
### Malware & Tools
* **Medusa:** Ransomware-as-a-Service strain.
* **Maui & Play:** Ransomware families previously associated with the group (Maui in earlier campaigns; Play through the collaboration with the Play ransomware group noted in October 2024).
* **Blindingcan:** Remote Access Trojan (RAT).
* **Comebacker:** Custom backdoor/loader.
* **ChromeStealer:** Password extraction tool for Chrome.
* **Infohook:** Info-stealing malware.
* **Mimikatz:** Credential dumping tool.
* **RP_Proxy:** Custom proxying software.
* **Curl:** Open-source data transfer tool.
### Infrastructure
* **IP Addresses** (defanged with `[.]`; refang before loading into blocklists):
  * 23.27.140[.]49
  * 23.27.140[.]135
  * 23.27.140[.]228
  * 23.27.124[.]228
* **Domains** (defanged with `[.]`; refang before loading into blocklists):
  * amazonfiso[.]com
  * human-check[.]com
  * illycoffee[.]my
  * illycafe[.]my
  * markethubuk[.]com
  * sictradingc[.]com
  * trustpdfs[.]com
  * zypras[.]com
## Implications
Lazarus Group shows no regard for the "cybercriminal ethics" some ransomware operators claim to follow: it deliberately targets vulnerable healthcare and non-profit organizations (e.g., mental health and autism services) that many traditional ransomware groups say they avoid. The primary strategic threat is the "dual-threat" model: North Korea uses ransomware not only for wealth but as a direct revenue stream that funds sophisticated espionage operations against global defense, technology, and government targets.
## Mitigations
* **Credential Protection:** Enforce multi-factor authentication (MFA) so that passwords harvested by ChromeStealer or dumped by Mimikatz cannot be reused on their own; MFA limits the value of stolen credentials but does not stop the harvesting itself, so also protect the LSASS process (Windows LSA protection / Credential Guard) and remove standing local-administrator rights.
* **Endpoint Monitoring:** Monitor for unauthorized use of legitimate tools like `curl` and for the deployment of custom loaders like Comebacker. `curl` is common on many hosts, so alert on context (unexpected parent process, downloads to user-writable paths, connections to the listed infrastructure) rather than on its execution alone.
* **Network Defense:** Block the listed C2 domains and IP addresses (after refanging) at DNS, proxy, and firewall layers, and alert on any lookup or connection attempt, since a blocked request is itself a detection; monitor for traffic patterns consistent with RP_Proxy relaying through internal hosts.
* **Sector-Specific Vigilance:** Healthcare and educational organizations should prioritize ransomware readiness, focusing on offline backups and incident response plans tailored to double-extortion scenarios.
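To put the Infrastructure indicators above and the Network Defense mitigation into practice, the following is an added example (written for this page, not code from the original report or from Symantec) that refangs the published IoCs and scans DNS and proxy log lines for matches. The indicator values are copied from the report; the `key=value` log format and the log lines themselves are constructed for illustration and are not real telemetry. Subdomains of a listed domain are treated as hits, while look-alike names that merely end in the same string (e.g. `nothuman-check.com`) are not.

```python
"""Refang the report's defanged IoCs and match them against DNS/proxy logs.

Added example for this page; the log format below is an assumption and the
sample lines are constructed, not captured telemetry.
"""
import ipaddress
import re
from typing import Iterable, Optional

# Defanged indicators exactly as published in the report above.
REPORT_IPS = [
    "23.27.140[.]49",
    "23.27.140[.]135",
    "23.27.140[.]228",
    "23.27.124[.]228",
]
REPORT_DOMAINS = [
    "amazonfiso[.]com",
    "human-check[.]com",
    "illycoffee[.]my",
    "illycafe[.]my",
    "markethubuk[.]com",
    "sictradingc[.]com",
    "trustpdfs[.]com",
    "zypras[.]com",
]


def refang(ioc: str) -> str:
    """Turn a defanged indicator ('[.]', 'hxxp') back into its usable form."""
    return ioc.replace("[.]", ".").replace("hxxp", "http").strip().lower()


IOC_IPS = {refang(i) for i in REPORT_IPS}
IOC_DOMAINS = {refang(d) for d in REPORT_DOMAINS}


def domain_matches(host: str) -> Optional[str]:
    """Return the IoC domain if host equals it or is a subdomain of it.

    The '.' + domain suffix test keeps 'nothuman-check.com' from matching
    'human-check.com'.
    """
    host = host.lower().rstrip(".")
    for d in IOC_DOMAINS:
        if host == d or host.endswith("." + d):
            return d
    return None


def ip_matches(addr: str) -> Optional[str]:
    """Return the IoC address if addr is one of the listed IPs."""
    try:
        normalized = str(ipaddress.ip_address(addr))
    except ValueError:
        return None
    return normalized if normalized in IOC_IPS else None


# Assumed log format: timestamp, source, then key=value fields.
KV_RE = re.compile(r"(\w+)=(\S+)")


def scan_line(line: str) -> Optional[dict]:
    """Return a hit record for a single log line, or None."""
    fields = dict(KV_RE.findall(line))
    for key in ("query", "host"):  # DNS query names and proxy Host headers
        if key in fields:
            hit = domain_matches(fields[key])
            if hit:
                return {"client": fields.get("client"), "kind": "domain",
                        "ioc": hit, "line": line}
    if "dst" in fields:  # proxy/firewall destination address
        hit = ip_matches(fields["dst"])
        if hit:
            return {"client": fields.get("client"), "kind": "ip",
                    "ioc": hit, "line": line}
    return None


def scan(lines: Iterable[str]) -> list:
    """Scan many log lines and return all hit records in order."""
    return [h for h in (scan_line(line) for line in lines) if h]


# Constructed sample log (not real data). Lines 2, 3 and 5 should hit.
SAMPLE_LOG = """\
2025-02-10T12:00:01Z dns client=10.0.0.5 query=www.example.com
2025-02-10T12:00:02Z dns client=10.0.0.5 query=cdn.human-check.com
2025-02-10T12:00:03Z proxy client=10.0.0.7 host=trustpdfs.com dst=23.27.140.49
2025-02-10T12:00:04Z proxy client=10.0.0.9 host=nothuman-check.com dst=198.51.100.20
2025-02-10T12:00:05Z proxy client=10.0.0.11 host=updates.vendor.example dst=23.27.124.228
""".splitlines()

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit['kind']:6} {hit['ioc']:22} client={hit['client']}")
```

The same refanged sets (`IOC_IPS`, `IOC_DOMAINS`) can be exported to a DNS sinkhole or firewall blocklist; the scan is most useful run against historical logs to find hosts that contacted the infrastructure before the block was in place.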