Full Report
New ransomware of choice, same critical targets

North Korea’s Lazarus Group appears to have added another tool to its kit. It has begun using Medusa ransomware in extortion attacks targeting at least one US healthcare organization and an unnamed victim in the Middle East, according to Symantec and Carbon Black threat hunters.…
Analysis Summary
# Threat Actor: Lazarus Group
## Attribution & Identity
Lazarus Group is a North Korean state-sponsored umbrella organization responsible for offensive cyber operations.
**Known Aliases:** Andariel (aka Stonefly, Onyx Sleet, Silent Chollima). Andariel is identified as the cyber-arm of North Korea's military intelligence agency, the Reconnaissance General Bureau (RGB).
**Associations:** Associated with the Spearwing cybercrime group (which runs the Medusa RaaS operation).
## Activity Summary
Lazarus Group has recently begun using Medusa ransomware in extortion attacks, a new variation in its usual toolkit. Recent tracked activity includes an attack on at least one US healthcare organization (which failed) and an attack on an unnamed victim in the Middle East (which was successfully hit with Medusa). Since November 2025, approximately four US healthcare and nonprofit organizations (including a mental health nonprofit and an educational facility for autistic children) have been listed among nearly 30 victims on the Medusa data-leak site. Researchers state these recent Medusa attacks are "undoubtedly the work of Lazarus," noting that the TTPs align with previous Stonefly attacks.
## Tactics, Techniques & Procedures
- Extortion attacks against the U.S. healthcare sector.
- Affiliates use Medusa ransomware variants and infrastructure (part of a Ransomware-as-a-Service model run by Spearwing).
- **Specific Tools Mentioned:** Comebacker backdoor/loader (exclusively associated with Lazarus), and Blindingcan RAT (associated with Lazarus).
## Targeting
- **Sectors:** Healthcare, Nonprofit, Mental Health, Autism Education, Medical, Education, Legal, Insurance, Technology, and Manufacturing (based on general Medusa affiliate history). The specific Lazarus-attributed attacks focused on **Healthcare**.
- **Geography:** United States and the Middle East.
- **Victims:** At least one US healthcare organization (attack failed) and an unnamed Middle Eastern organization (attack successful). Four total US healthcare/nonprofit victims have been listed on the Medusa site since Nov 2025.
## Tools & Infrastructure
- **Malware families used:** Medusa ransomware, Comebacker (custom backdoor/loader), Blindingcan (RAT).
- **Historical Malware Mentioned:** Previous Lazarus/Andariel activity included using Maze and Play ransomware.
- **Infrastructure:** Relies on the Medusa RaaS infrastructure managed by the Spearwing group. The summary does not detail specific C2 servers, domains, or IPs; it names only the malware indicators observed by researchers.
## Implications
The persistence of Lazarus Group activity, evidenced by its adoption of a new ransomware strain (Medusa), suggests that North Korea's reliance on cybercrime, and on extortion in particular, continues unabated as a source of revenue for the regime, despite international sanctions and previous arrests of group members. The group's continued targeting of critical sectors such as healthcare remains a significant threat.
## Mitigations
- Implement robust defenses against ransomware campaigns, specifically monitoring for indicators associated with the Comebacker backdoor and the Blindingcan RAT.
- Defend healthcare sector infrastructure against known Lazarus TTPs, which have previously included attacks on US hospitals and providers.
- Stay current with threat intelligence regarding the Medusa RaaS operation.