North Korean state-backed Lazarus operators are using the Medusa RaaS to carry out extortion attacks against U.S. healthcare and non-profit organizations, with Symantec attributing the activity to a Lazarus subgroup possibly linked to Andariel/Stonefly. The campaigns use a mix of custom and commodity tools and funnel stolen funds to support espionage against defense, technology, and government targets. #Medusa #Lazarus
Key points
- Symantec links a Lazarus subgroup—possibly Andariel/Stonefly—to recent Medusa ransomware extortion attacks against U.S. healthcare providers.
- Medusa RaaS has been active since January 2021 and impacted over 300 organizations by February 2025, with at least 80 additional claimed victims since.
- Attackers used both custom and commodity tools such as Comebacker, Blindingcan, ChromeStealer, Infohook, Mimikatz, RP_Proxy, and curl.
- Medusa’s data leak site lists multiple U.S. healthcare and non-profit victims, including an educational facility for autistic children.
- Ransom demands reach up to $15 million (average around $260,000), and stolen funds are used to support espionage against targets in the U.S., Taiwan, and South Korea.