Non-profit mental health provider and Educational facility for autistic children: North Korean Hackers Using Medusa Ransomware in Attacks on U.S. Healthcare Sector

North Korean Hackers Deploy Medusa Ransomware in U.S. Healthcare Attacks

A joint investigation by Symantec and the Carbon Black Threat Hunter Team has revealed that North Korean state-sponsored hackers, specifically the Lazarus Group, are targeting U.S. healthcare organizations and non-profits with Medusa ransomware. The attacks, linked to the Reconnaissance General Bureau (RGB) of North Korea’s government, blend espionage with financially motivated cybercrime.

Medusa, a ransomware-as-a-service (RaaS) operation active since 2023, operates under a double-extortion model: it encrypts data and threatens to leak or auction the stolen information if the ransom goes unpaid. While Lazarus has previously used Maui and Play ransomware, recent evidence confirms a shift to Medusa in campaigns since November 2025. Victims include a non-profit mental health provider and an educational facility for autistic children, with average ransom demands reaching $260,000.

A Lazarus subgroup, Stonefly (aka Andariel), is suspected of involvement. The group, historically focused on espionage, has increasingly turned to ransomware attacks on healthcare targets over the past five years. The U.S. Department of Justice has indicted Rim Jong Hyok, a North Korean national allegedly tied to the RGB, for his role in these attacks, which are believed to fund broader espionage operations.

Symantec and Carbon Black have tracked 366 Medusa ransomware attacks, though the group claims over 500 victims, including more than 40 healthcare organizations. Indicators of compromise (IoCs) and tools used in the campaigns have been shared to aid detection. While attribution to a specific Lazarus subgroup remains unclear, the evidence firmly ties the attacks to the broader Lazarus collective.

Source: https://www.hipaajournal.com/north-korean-hackers-medusa-ransomware-healthcare/

ACES (Comprehensive Educational Services) cybersecurity rating report: https://www.rankiteo.com/company/aces-autism-comprehensive-educational-services-

Non Profit Mental Health Agency cybersecurity rating report: https://www.rankiteo.com/company/non-profit-mental-health-agency

{
"id": "ACENON1772051729",
"linkid": "aces-autism-comprehensive-educational-services-, non-profit-mental-health-agency",
"type": "Ransomware",
"date": "11/2025",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
}
{'affected_entities': [{'industry': 'Healthcare',
                        'location': 'U.S.',
                        'name': 'Non-profit mental health provider',
                        'type': 'Non-profit'},
                       {'industry': 'Education',
                        'location': 'U.S.',
                        'name': 'Educational facility for autistic children',
                        'type': 'Educational'}],
 'data_breach': {'data_encryption': True,
                 'data_exfiltration': True,
                 'personally_identifiable_information': True,
                 'sensitivity_of_data': 'High'},
 'date_detected': '2025-11',
 'description': 'A joint investigation by Symantec and the Carbon Black Threat '
                'Hunter Team revealed that North Korean state-sponsored '
                'hackers, specifically the Lazarus Group, are targeting U.S. '
                'healthcare organizations and non-profits with Medusa '
                'ransomware. The attacks blend espionage with financially '
                'motivated cybercrime, linked to the Reconnaissance General '
                'Bureau (RGB) of North Korea’s government.',
 'impact': {'data_compromised': True, 'identity_theft_risk': True},
 'investigation_status': 'Ongoing',
 'motivation': ['Espionage', 'Financial Gain'],
 'ransomware': {'data_encryption': True,
                'data_exfiltration': True,
                'ransom_demanded': '$260,000',
                'ransomware_strain': 'Medusa'},
 'references': [{'source': 'Symantec and Carbon Black Threat Hunter Team'}],
 'regulatory_compliance': {'legal_actions': ['U.S. Department of Justice '
                                             'indictment of Rim Jong Hyok']},
 'response': {'third_party_assistance': ['Symantec',
                                         'Carbon Black Threat Hunter Team']},
 'threat_actor': ['Lazarus Group', 'Stonefly (Andariel)'],
 'title': 'North Korean Hackers Deploy Medusa Ransomware in U.S. Healthcare '
          'Attacks',
 'type': 'Ransomware'}