What happened
Researchers from Symantec and the Carbon Black Threat Hunter Team have observed the North Korea-linked Lazarus Group using Medusa ransomware in a confirmed attack on an unnamed organization in the Middle East and in an unsuccessful attempt against a U.S. healthcare provider.
Who is affected
At least one Middle Eastern organization has been confirmed compromised. Since late 2025, the Medusa leak site has also listed several U.S. healthcare and nonprofit organizations, including a mental health nonprofit and an educational facility, that researchers associate with this activity.
Why CISOs should care
This marks a notable escalation in North Korean cyber operations: a state-linked actor has adopted a commercial ransomware-as-a-service (RaaS) strain to run financially motivated extortion campaigns against critical sectors. Lazarus's established tooling, including credential stealers and custom backdoors, was used alongside the off-the-shelf Medusa payload, so a Medusa detonation can be the final stage of a state-sponsored intrusion rather than a routine RaaS affiliate operation. Defenses and playbooks that treat Medusa as a purely criminal threat, or that key only on the ransomware binary itself, risk missing the earlier stages of the intrusion chain.
3 practical actions
- Strengthen ransomware defenses: segment networks, keep offline or immutable backups that are regularly restore-tested, and rehearse the incident response (IR) plan so that a detonation is contained and recoverable.
- Enhance visibility: deploy endpoint detection and response (EDR) together with network monitoring to catch the pre-encryption stages, such as credential theft, backdoor command-and-control traffic and lateral movement, rather than relying on the encryption event alone.
- Review vendor and threat intelligence feeds: ingest indicators of compromise (IOCs) for both Medusa and Lazarus-associated tooling, keep them current, and treat any Medusa hit as a potential state-linked intrusion that warrants full scoping of the environment, not just a ransomware cleanup.
