Kansas hospital and Middle Eastern company: North Korean state hackers seen using Medusa ransomware in attacks on US, Middle East

North Korean Hackers Deploy Medusa Ransomware in Targeted Attacks

Cybersecurity researchers at Symantec have identified North Korea’s Lazarus Group, one of the country’s most advanced state-backed hacking units, deploying Medusa ransomware in financially motivated attacks against a Middle Eastern company and a U.S. healthcare organization. The incidents mark the first documented use of Medusa by North Korean actors, who have previously relied on strains like Maui and Play.

Medusa operates under a ransomware-as-a-service (RaaS) model, allowing affiliates to launch attacks in exchange for a cut of ransom payments. Since emerging in 2023, the Medusa operation has been linked to over 350 attacks, with ties to the broader cybercrime collective Spearwing. Symantec attributed the recent attacks to Lazarus based on the use of custom malware tools, including a backdoor, a password extractor, and other software exclusively developed by Lazarus.

The shift to Medusa follows a pattern of North Korean hackers leveraging third-party ransomware rather than developing their own. Dick O’Brien, principal intelligence analyst at Symantec, noted that while Lazarus previously used self-developed ransomware like Maui, they now appear to favor RaaS platforms for efficiency. U.S. authorities first warned about North Korea’s use of Maui in 2022, citing attacks on hospitals and healthcare providers that disrupted medical services in multiple states, including Kansas and Colorado.

In 2024, the U.S. issued a federal arrest warrant for Rim Jong Hyok, an alleged member of the Andariel Unit, a subgroup of Lazarus within North Korea’s Reconnaissance General Bureau (RGB). Rim was accused of orchestrating Maui ransomware attacks in 2021–2022, including one targeting a Kansas hospital. Investigations revealed that Rim and other Andariel operatives compromised five healthcare providers, four U.S. defense contractors, two Air Force bases, and NASA’s Office of Inspector General. Proceeds from the ransoms were allegedly used to fund further cyber espionage operations against U.S., South Korean, and Chinese targets. The U.S. State Department has offered a $10 million reward for information leading to Rim’s capture.

While Symantec could not definitively confirm Andariel’s involvement in the Medusa attacks, the group was linked to three additional financially motivated intrusions in October 2024, though no ransomware was successfully deployed. Separately, another cybersecurity firm reported North Korean actors using Play ransomware in recent attacks.

The incidents reflect a broader trend of nation-state hackers adopting ransomware for financial gain or operational cover. Over the past two years, groups from Russia, China, Iran, and North Korea, traditionally focused on espionage, have increasingly turned to ransomware to monetize cyber operations. Russian ransomware gangs, for example, openly supported Moscow during the invasion of Ukraine, while Chinese and Iranian hackers have used ransomware as a smokescreen for espionage. The FBI has also documented Iranian actors collaborating with NoEscape, Ransomhouse, and AlphV affiliates to profit from ransom payments.

Source: https://therecord.media/north-korean-hackers-using-medusa-ransomware

Citadel Systems cybersecurity rating report: https://www.rankiteo.com/company/citadel-systems-arkansas-

Sleep Centers of Middle Tennessee (OSAinHome) cybersecurity rating report: https://www.rankiteo.com/company/sleep-centers-of-middle-tennessee-pllc

{
  "id": "CITSLE1771960534",
  "linkid": "citadel-systems-arkansas-, sleep-centers-of-middle-tennessee-pllc",
  "type": "Ransomware",
  "date": "10/2024",
  "severity": "100",
  "impact": "7",
  "explanation": "Attack that could injure or kill people"
}
{'affected_entities': [{'location': 'Middle East', 'type': 'Company'},
                       {'industry': 'Healthcare',
                        'location': 'United States',
                        'type': 'Healthcare Organization'},
                       {'industry': 'Healthcare',
                        'location': 'United States',
                        'name': 'Kansas Hospital',
                        'type': 'Healthcare Provider'},
                       {'industry': 'Defense',
                        'location': 'United States',
                        'type': 'Defense Contractors (4)'},
                       {'industry': 'Defense',
                        'location': 'United States',
                        'name': 'Air Force Bases (2)',
                        'type': 'Military'},
                       {'industry': 'Aerospace',
                        'location': 'United States',
                        'name': 'NASA’s Office of Inspector General',
                        'type': 'Government Agency'}],
 'data_breach': {'data_encryption': True},
 'description': 'Cybersecurity researchers at Symantec identified North '
                'Korea’s Lazarus Group deploying Medusa ransomware in '
                'financially motivated attacks against a Middle Eastern '
                'company and a U.S. healthcare organization. This marks the '
                'first documented use of Medusa by North Korean actors, who '
                'previously relied on strains like Maui and Play. The shift to '
                'Medusa follows a pattern of leveraging third-party ransomware '
                'for efficiency.',
 'impact': {'data_compromised': True,
            'operational_impact': 'Disrupted medical services (in healthcare '
                                  'attacks)'},
 'initial_access_broker': {'backdoors_established': True},
 'investigation_status': 'Ongoing',
 'lessons_learned': 'Nation-state hackers are increasingly adopting ransomware '
                    'for financial gain or operational cover, leveraging '
                    'third-party RaaS platforms for efficiency.',
 'motivation': 'Financial gain, funding cyber espionage operations',
 'post_incident_analysis': {'root_causes': 'Use of custom malware tools '
                                           '(backdoor, password extractor) '
                                           'linked to Lazarus Group; adoption '
                                           'of RaaS platforms for efficiency.'},
 'ransomware': {'data_encryption': True,
                'ransomware_strain': 'Medusa, Maui, Play'},
 'references': [{'source': 'Symantec'},
                {'source': 'U.S. authorities'},
                {'source': 'U.S. State Department'}],
 'regulatory_compliance': {'legal_actions': 'Federal arrest warrant issued for '
                                            'Rim Jong Hyok (Andariel Unit '
                                            'member)'},
 'response': {'law_enforcement_notified': True,
              'third_party_assistance': 'Symantec (cybersecurity researchers)'},
 'threat_actor': 'Lazarus Group (North Korea), Andariel Unit (subgroup of '
                 'Lazarus)',
 'title': 'North Korean Hackers Deploy Medusa Ransomware in Targeted Attacks',
 'type': 'Ransomware'}