Close Menu
Cybercrime and Ransomware

Lazarus Hackers Use Medusa Ransomware to Target Healthcare and Nonprofits

Staff WriterBy No Comments4 Mins Read2 Views

Top Highlights

  1. North Korean Lazarus group, linked to the ransomware Medusa, is actively conducting extortion campaigns targeting U.S. healthcare and Middle Eastern entities despite previous U.S. indictments.
  2. The group employs a broad arsenal of tools—including Comebacker, Blindingcan, and ChromeStealer—indicating sophisticated, multi-faceted cyberattack capabilities.
  3. Recent attacks have involved deploying Medusa ransomware via a RaaS model, claiming over 366 victims with an average ransom of $260,000, and are attributed to the Lazarus subgroup Stonefly (Andariel).
  4. Despite previous sanctions and indictments, Lazarus continues targeting U.S. organizations, demonstrating persistent involvement in cybercrime and digital extortion, especially against vulnerable sectors like healthcare.

What’s the Problem?

A joint investigation by Symantec and Carbon Black uncovered that operators linked to the Lazarus hacker group, a North Korean cybercrime organization, are actively deploying Medusa ransomware in ongoing extortion campaigns. Despite previous U.S. indictments targeting the group, Lazarus continues its operations, targeting primarily healthcare and nonprofit organizations in the U.S. and the Middle East. The evidence reveals that these hackers use a variety of sophisticated tools, including custom backdoors and credential-stealing malware, to infiltrate targeted networks. For instance, recent victim claims report attacks on U.S. healthcare and nonprofit entities, with ransom demands averaging $260,000. These activities support the attribution to North Korea’s Lazarus group, which persists in mounting ransomware-driven extortion despite international sanctions and legal actions.

The report further notes that Lazarus, particularly its Stonefly sub-group, is motivated by funding espionage and other malicious activities. Notably, a North Korean individual involved in similar operations was indicted by the U.S. Justice Department in July 2025. Interestingly, even after these legal pressures, Lazarus remains relentless; they continue to target high-value sectors, showing no signs of restraint. This ongoing threat underscores how North Korea’s cybercriminal efforts, especially for financial gain, are deeply entrenched and operationally resilient. It highlights a concerning pattern of state-sponsored cybercrime that disregards the reputational or geopolitical risks, aiming instead to fund broader espionage and influence campaigns.

Potential Risks

The Lazarus hackers have recently adopted Medusa ransomware to launch extortion campaigns, and this threat can easily happen to your business too. If hackers target your organization, they can quickly lock your critical data, disrupting operations and hurting your reputation. Moreover, hospitals and nonprofits are especially vulnerable because they hold sensitive information and may lack the robust cybersecurity defenses needed to resist such attacks. As a result, your business could face severe financial losses, legal consequences, and long-term damage to trust and credibility. Therefore, understanding this threat and strengthening your security measures is crucial—because in today’s digital landscape, no organization is too small or too specialized to be targeted.

Possible Actions

Quick action is essential when dealing with Lazarus hackers deploying Medusa ransomware, as delays can lead to catastrophic data loss, financial damage, and compromised patient safety in healthcare and nonprofit sectors.

Containment Measures

  • Isolate infected systems immediately to prevent spread.
  • Disable remote access and network shares.

Detection and Analysis

  • Conduct thorough network and system scans to identify the scope of infection.
  • Use advanced endpoint detection tools for suspicious activity.

Eradication Processes

  • Remove malicious files and ransomware traces from affected devices.
  • Patch vulnerabilities that facilitated the attack.

Recovery Strategies

  • Restore data from secure, offline backups.
  • Reinstall or upgrade affected systems to ensure security.

Preventive Controls

  • Implement multi-factor authentication and strong access controls.
  • Keep all software and security patches current.
  • Enhance email security gateways to prevent phishing.

Monitoring and Reporting

  • Continuously monitor networks for unusual activity.
  • Report incidents to authorities and relevant stakeholders promptly.

Timely intervention minimizes damage, helps safeguard sensitive information, and accelerates the return to normal operations.

Explore More Security Insights

Stay informed on the latest Threat Intelligence and Cyberattacks.

Explore engineering-led approaches to digital security at IEEE Cybersecurity.

Disclaimer: The information provided may not always be accurate or up to date. Please do your own research, as the cybersecurity landscape evolves rapidly. Intended for secondary references purposes only.

Cyberattacks-V1cyberattack-v1-multisource

Share.
Avatar photo

John Marcelli is a staff writer for the CISO Brief, with a passion for exploring and writing about the ever-evolving world of technology. From emerging trends to in-depth reviews of the latest gadgets, John stays at the forefront of innovation, delivering engaging content that informs and inspires readers. When he's not writing, he enjoys experimenting with new tech tools and diving into the digital landscape.

Related Posts

Comments are closed.