North Korean Lazarus Group Targets U.S. Healthcare with Medusa Ransomware
North Korean state-backed hackers, known for their persistent cybercrimes, have expanded their arsenal with the Medusa ransomware, targeting the U.S. healthcare sector. Despite a high-profile indictment in 2025, the Lazarus Group, notably its Stonefly sub-group, shows no signs of slowing down. They have been tied to multiple ransomware attacks on healthcare organizations in the U.S. since November 2025, with ransom demands averaging $260,000.
Medusa, a ransomware-as-a-service operated by the Spearwing cybercrime group, was first identified in 2023 and has since been used in over 360 cyberattacks. Lazarus, using Medusa as a key tool in its ongoing extortion campaign, has focused on healthcare and non-profit organizations, including a mental health provider and an educational facility for autistic children.
This surge in attacks follows the indictment of Rim Jong Hyok, a suspected Lazarus operative, in 2025. The U.S. Justice Department accused him of orchestrating ransomware campaigns against American healthcare entities to fund North Korea’s espionage operations targeting defense and government sectors.
With North Korea’s cybercriminal activities escalating, the Lazarus Group continues to employ a variety of sophisticated malware tools, including Comebacker, Blindingcan, and Mimikatz, to breach systems and deploy ransomware. Although some cybercriminals avoid targeting healthcare providers due to reputational risks, Lazarus appears undeterred in its financial pursuits.
As these cyberattacks intensify, U.S. healthcare organizations must bolster their defenses to fend off future ransomware threats. The ongoing use of Medusa ransomware by North Korean actors highlights the growing sophistication and persistence of state-sponsored cybercrime campaigns.
Tools Used by Lazarus Group
| Tool | Description |
|---|---|
| Comebacker | A custom backdoor and loader exclusively associated with Lazarus. |
| Blindingcan | A remote access Trojan (RAT) used by Lazarus for system infiltration. |
| ChromeStealer | A tool designed for extracting stored passwords from Chrome browsers. |
| Curl | An open-source command-line tool for transferring data over various protocols. |
| Infohook | Malware used to steal information from compromised systems. |
| Mimikatz | A credential dumping tool to extract passwords and other sensitive data. |
| RP_Proxy | A custom proxying tool used for bypassing network restrictions and detection. |
For a full list of Indicators of Compromise (IOCs) related to the Lazarus Group’s ongoing attacks, please visit the source.