North Korean Lazarus group linked to Medusa ransomware attacks
Summary: The North Korea-backed Lazarus group is using the Medusa ransomware against U.S. healthcare organizations. Medusa emerged in 2021 and has affected more than 300 organizations, with around 80 further victims claimed recently. This is the first time the group has been linked to Medusa; ransom demands average about $260,000 and reach as high as $15 million. The proceeds fund espionage operations against targets in the U.S., Taiwan and South Korea.

2026-02-24 11:15:27 Author: www.bleepingcomputer.com (view original) Views: 3

North Korean state-backed hackers associated with the Lazarus threat group are targeting U.S. healthcare organizations in extortion attacks using the Medusa ransomware.

The Medusa ransomware-as-a-service (RaaS) operation emerged in January 2021, and by February 2025 it had impacted over 300 organizations across various critical infrastructure sectors. Since then, the gang has claimed at least another 80 victims.

North Korean threat actors have previously been linked to other ransomware strains, such as HolyGhost, PLAY, Maui, and Qilin, as well as to other malware families. However, this is the first time security researchers have associated the actor with Medusa.

In a report today, enterprise cybersecurity company Symantec says that a Lazarus subgroup, possibly Andariel/Stonefly, is now using Medusa in financially motivated cyberattacks targeting U.S. healthcare providers.

According to the researchers, the toolset used in these attacks also shows some association with Diamond Sleet, another North Korean group that typically targets media, defense, and IT industries.

The toolset is a mix of custom North Korean malware and commodity utilities that any actor could obtain, which limits how much weight the latter carry for attribution:

  • Comebacker – backdoor/loader previously seen in Diamond Sleet activity
  • Blindingcan – remote access trojan
  • ChromeStealer – Chrome credential extractor
  • Infohook – information stealer
  • Mimikatz – publicly available credential dumping tool
  • RP_Proxy – custom proxy tool
  • Curl – commodity data transfer tool

The researchers comment that no sectors are off-limits for North Korean hackers, who keep getting involved in cybercrime for financial gain.

“While some cybercrime outfits claim to steer clear of targeting healthcare organizations due to the reputational damage it may attract, Lazarus doesn’t seem to be in any way constrained,” Symantec researchers say.

Medusa targeted multiple healthcare and non-profit organizations in the U.S., as the gang's data leak site lists four such victims since the beginning of November 2025, among them an educational facility for autistic children.

Not all these Medusa attacks can be confidently attributed to Lazarus hackers, though. Medusa can demand ransoms as large as $15 million, but Symantec researchers say that the average is around $260,000.

Stolen funds are used to support espionage operations against entities in the defense, technology, and government sectors in the U.S., Taiwan, and South Korea.

Symantec has provided a set of indicators of compromise (IoCs) in its report, which include network infrastructure data and hashes for the malware used in attacks.
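The practical use of such an IoC set is to sweep endpoints and logs for the published file hashes and network infrastructure. The script below is an added example of that workflow, not code from Symantec or BleepingComputer; the hash, IP and domain values in it are constructed placeholders (documentation IP range 192.0.2.0/24 and an example.net host), not the real indicators from the report, and should be replaced with the vendor's list before use.

```python
"""Sweep a directory tree and a set of log lines against an IoC list.

Added example, not Symantec's or BleepingComputer's code. All indicator values
below are constructed placeholders; substitute the hashes, IPs and domains from
the vendor report.
"""
import hashlib
import os
import re
import tempfile

# Constructed sample content standing in for a flagged binary (not real malware).
SAMPLE_BAD_CONTENT = b"constructed sample payload, not real malware\n"

# Constructed placeholder IoCs (NOT the indicators from the Symantec report).
SAMPLE_IOCS = {
    "sha256": {hashlib.sha256(SAMPLE_BAD_CONTENT).hexdigest()},
    "ips": {"192.0.2.10"},                 # TEST-NET-1 documentation range
    "domains": {"update.example.net"},     # reserved example domain
}

# Constructed proxy/firewall log lines (not from any real incident).
SAMPLE_LOG = [
    "2026-02-24T10:01:02Z host1 curl GET http://update.example.net/c2 200",
    "2026-02-24T10:01:05Z host1 conn 10.0.0.5 -> 192.0.2.10:443",
    "2026-02-24T10:02:00Z host2 conn 10.0.0.6 -> 198.51.100.7:443",
]

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)


def sha256_of_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep_files(root, hashes):
    """Return (path, sha256) for every file under root whose hash is in the IoC set."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                digest = sha256_of_file(path)
            except OSError:
                continue  # unreadable or vanished file: skip, do not abort the sweep
            if digest in hashes:
                hits.append((path, digest))
    return hits


def sweep_log(lines, ips, domains):
    """Return (line_number, indicator) for each log line that mentions a listed IP or domain."""
    hits = []
    for n, line in enumerate(lines, 1):
        for ip in IP_RE.findall(line):
            if ip in ips:
                hits.append((n, ip))
        for dom in DOMAIN_RE.findall(line):
            if dom.lower() in domains:
                hits.append((n, dom.lower()))
    return hits


def demo():
    """Build a throwaway directory with one flagged and one benign file, then sweep both sources."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "sample.bin"), "wb") as f:
            f.write(SAMPLE_BAD_CONTENT)
        with open(os.path.join(root, "readme.txt"), "wb") as f:
            f.write(b"benign\n")
        file_hits = sweep_files(root, SAMPLE_IOCS["sha256"])
    log_hits = sweep_log(SAMPLE_LOG, SAMPLE_IOCS["ips"], SAMPLE_IOCS["domains"])
    return {
        "files": [os.path.basename(p) for p, _ in file_hits],
        "log": log_hits,
    }


if __name__ == "__main__":
    print(demo())
```

Hash matching only catches samples identical to those in the report, so treat a clean sweep as absence of known files, not absence of compromise; the network indicators and the tool list (Mimikatz, Curl, custom proxies) are where behavioural hunting should start.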


Source: https://www.bleepingcomputer.com/news/security/north-korean-lazarus-group-linked-to-medusa-ransomware-attacks/