Defense Pulse
North Korean Lazarus Group Linked to Medusa Ransomware Attacks

Cybersecurity, Defense, Healthcare

February 24, 2026

Source: BleepingComputer, Feb 24, 2026

Companies Mentioned

Symantec

Why It Matters

The convergence of state‑sponsored actors and ransomware raises the financial stakes and geopolitical risk for critical sectors, especially healthcare, prompting heightened defensive measures.

Key Takeaways

  • Lazarus subgroup uses Medusa ransomware against U.S. healthcare
  • Medusa RaaS has impacted over 380 organizations since 2021
  • Ransom demands average $260k, with some reaching $15 million
  • Proceeds fund North Korean espionage against defense, tech and government targets
  • Attack toolkit includes Diamond Sleet tools and common utilities

Pulse Analysis

The Medusa ransomware‑as‑a‑service platform emerged in early 2021 and quickly scaled to become one of the most prolific extortion tools in the cybercrime ecosystem. By February 2025 the operation had compromised more than 300 organizations across critical infrastructure, and subsequent reporting pushes that figure past 380 victims. Its business model mirrors other RaaS offerings: affiliates purchase encryption keys, deploy the payload, and split ransom proceeds with the developers. The malware’s flexibility—support for both Windows and Linux environments—and its integration with widely available post‑exploitation tools have made it attractive to a broad range of threat actors.

Symantec’s analysis confirms that a Lazarus sub‑team, likely Andariel/Stonefly, is behind recent Medusa attacks on U.S. healthcare providers. This blend of a nation‑state actor with a commercial ransomware service shows a shift toward profit‑driven operations that fund espionage. Ransom demands average $260,000, with some requests reaching $15 million, and proceeds support intelligence activities targeting defense, technology and government sectors in the United States, Taiwan and South Korea. The Medusa toolkit also includes components linked to the Diamond Sleet group, highlighting shared code among North Korean units.

The convergence of ransomware and state‑sponsored actors forces enterprises to treat these threats as a single, amplified risk. Healthcare firms must strengthen threat‑intelligence sharing, enforce strict network segmentation, and maintain immutable backups to survive double‑extortion campaigns. Regulators may tighten ransomware‑payment reporting, while insurers could raise premiums for organizations with confirmed nation‑state links. Continuous monitoring of IoCs and rapid incident response are now essential to protect patient data and prevent stolen ransom proceeds from fueling further espionage activities.
