Educational facility for autistic children: North Korean Lazarus group linked to Medusa ransomware attacks

North Korean Lazarus Group Targets U.S. Healthcare with Medusa Ransomware

North Korean state-backed hackers, linked to the Lazarus threat group, are deploying Medusa ransomware in extortion attacks against U.S. healthcare organizations, marking the first confirmed association between the actor and this ransomware strain.

The Medusa ransomware-as-a-service (RaaS) operation, active since January 2021, had compromised over 380 organizations across critical infrastructure sectors by February 2025, with at least 80 additional victims claimed since then. Lazarus has previously used ransomware families such as HolyGhost, PLAY, Maui, and Qilin, but this campaign is the first to tie the group to Medusa.

A Lazarus subgroup, potentially Andariel/Stonefly, is behind the attacks, with toolsets also showing ties to Diamond Sleet, another North Korean group known for targeting media, defense, and IT sectors. The attacks leverage a mix of custom and commodity malware, including:

  • Comebacker (Diamond Sleet-linked backdoor)
  • Blindingcan (remote access trojan)
  • ChromeStealer (credential extractor)
  • Infohook (information stealer)
  • Mimikatz (credential dumper)
  • RP_Proxy (custom proxy tool)
  • Curl (data transfer)

Since November 2025, Medusa’s data leak site has listed four U.S. healthcare and non-profit victims, including an educational facility for autistic children. While not all attacks can be definitively attributed to Lazarus, the group’s involvement underscores its unrestricted targeting approach despite reputational risks associated with attacking healthcare.

Ransom demands from Medusa have reached $15 million, though the average payment is around $260,000. The proceeds are reportedly funneled into espionage operations against defense, technology, and government entities in the U.S., Taiwan, and South Korea.

Symantec’s report includes indicators of compromise (IoCs), such as network infrastructure details and malware hashes, to aid detection. The campaign highlights the expanding financial motivations of North Korean cyber operations, which increasingly blur the line between cybercrime and state-sponsored activity.
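Indicator lists like the one Symantec published are only useful once they are normalised and swept across local telemetry. The script below is an added example, not code from the page, Symantec or BleepingComputer: it parses a hash/IP/domain indicator feed and matches it against file-hash and DNS/flow records. The CSV layout is an assumption, and every indicator and log line is a constructed placeholder (hashes of made-up bytes, reserved TEST-NET addresses, example.net domains), not an indicator from the report.

```python
"""Sweep local telemetry for indicators published in a vendor report.

Added example (not code from the page, Symantec or BleepingComputer). It
shows how to normalise a hash/IP/domain indicator list and match it against
file-hash and network telemetry. Every indicator and log record below is a
CONSTRUCTED placeholder: hashes of made-up bytes, reserved TEST-NET addresses
and example.net domains, none of them real indicators from the report.
"""
import csv
import hashlib
import io
import ipaddress

# Constructed stand-in for a malware sample; its hash plays the role of a
# published SHA-256 indicator.
PLACEHOLDER_SAMPLE = b"constructed bytes standing in for a backdoor sample"
PLACEHOLDER_SHA256 = hashlib.sha256(PLACEHOLDER_SAMPLE).hexdigest()

# Constructed indicator feed. Real feeds arrive in many shapes (CSV, STIX,
# plain text); the point is the normalisation, not this exact layout.
# Note the deliberate upper-case hash and mixed-case domain.
IOC_CSV = f"""type,value,note
sha256,{PLACEHOLDER_SHA256.upper()},backdoor sample (placeholder)
ip,203.0.113.45,proxy relay (placeholder, TEST-NET-3)
domain,C2.Example.Net,staging host (placeholder)
"""

# Constructed telemetry, as an EDR or DNS/flow pipeline might export it.
FILE_EVENTS = [
    {"host": "ws-101", "path": r"C:\Users\Public\svchost.exe", "sha256": PLACEHOLDER_SHA256},
    {"host": "ws-102", "path": r"C:\Windows\System32\curl.exe",
     "sha256": hashlib.sha256(b"constructed benign binary").hexdigest()},
]
NET_EVENTS = [
    {"host": "ws-101", "dst_ip": "203.0.113.45", "query": ""},
    {"host": "ws-103", "dst_ip": "198.51.100.7", "query": "beacon.c2.example.net."},  # subdomain, trailing dot
    {"host": "ws-104", "dst_ip": "198.51.100.8", "query": "notc2.example.net"},       # must not match
]

HEX = set("0123456789abcdef")


def load_iocs(text):
    """Parse the feed into {type: {normalised_value: note}}.

    Hashes are lower-cased and length-checked, IPs canonicalised through
    ipaddress, domains lower-cased with any trailing dot removed, so that
    lookups later are exact dict hits rather than fuzzy string compares.
    """
    iocs = {"sha256": {}, "ip": {}, "domain": {}}
    for row in csv.DictReader(io.StringIO(text)):
        kind = row["type"].strip().lower()
        value = row["value"].strip()
        if kind == "sha256":
            value = value.lower()
            if len(value) != 64 or set(value) - HEX:
                raise ValueError(f"malformed sha256 indicator: {value!r}")
        elif kind == "ip":
            value = str(ipaddress.ip_address(value))
        elif kind == "domain":
            value = value.lower().rstrip(".")
        else:
            continue  # indicator types this sweep does not handle
        iocs[kind][value] = row.get("note", "")
    return iocs


def domain_matches(query, ioc_domains):
    """Return the indicator that `query` equals or sits under, else None.

    Matching on '.' + domain avoids the classic suffix bug where
    'notc2.example.net' would match an indicator for 'c2.example.net'.
    """
    q = query.lower().rstrip(".")
    for d in ioc_domains:
        if q == d or q.endswith("." + d):
            return d
    return None


def sweep(iocs, file_events, net_events):
    """Return one hit dict per (event, indicator) match."""
    hits = []
    for ev in file_events:
        h = ev["sha256"].lower()
        if h in iocs["sha256"]:
            hits.append({"host": ev["host"], "kind": "sha256", "ioc": h,
                         "note": iocs["sha256"][h], "evidence": ev["path"]})
    for ev in net_events:
        try:
            ip = str(ipaddress.ip_address(ev["dst_ip"]))
        except ValueError:
            ip = None
        if ip in iocs["ip"]:
            hits.append({"host": ev["host"], "kind": "ip", "ioc": ip,
                         "note": iocs["ip"][ip], "evidence": ev["dst_ip"]})
        d = domain_matches(ev.get("query", ""), iocs["domain"])
        if d is not None:
            hits.append({"host": ev["host"], "kind": "domain", "ioc": d,
                         "note": iocs["domain"][d], "evidence": ev["query"]})
    return hits


if __name__ == "__main__":
    for hit in sweep(load_iocs(IOC_CSV), FILE_EVENTS, NET_EVENTS):
        print(f"{hit['host']}: {hit['kind']} {hit['ioc']} ({hit['note']}) via {hit['evidence']}")
```

Two caveats when running a sweep like this for real: a hash indicator catches only the exact samples the report analysed, so a recompiled Comebacker or Blindingcan build will not match, and proxy and staging infrastructure rotates quickly, so a network hit dates fast. Treat a match as a triage starting point and pair the sweep with behavioural detections for the commodity tooling named above, such as LSASS access patterns for Mimikatz or unusual outbound transfers by curl.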

Source: https://www.bleepingcomputer.com/news/security/north-korean-lazarus-group-linked-to-medusa-ransomware-attacks/

Educational facility for autistic children TPRM report: https://www.rankiteo.com/company/health-research-&-educational-trust-hret

{
"id": "hea1771960802",
"linkid": "health-research-&-educational-trust-hret",
"type": "Ransomware",
"date": "11/2025",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
}
{'affected_entities': [{'industry': 'Healthcare',
                        'location': 'U.S.',
                        'type': 'Healthcare Organization'},
                       {'industry': 'Education',
                        'location': 'U.S.',
                        'type': 'Non-Profit Organization'},
                       {'industry': 'Education/Healthcare',
                        'location': 'U.S.',
                        'type': 'Educational Facility for Autistic Children'}],
 'data_breach': {'data_encryption': True,
                 'data_exfiltration': True,
                 'personally_identifiable_information': True,
                 'sensitivity_of_data': 'High',
                 'type_of_data_compromised': ['Personally Identifiable '
                                              'Information',
                                              'Credentials']},
 'description': 'North Korean state-backed hackers, linked to the Lazarus '
                'threat group, are deploying Medusa ransomware in extortion '
                'attacks against U.S. healthcare organizations, marking the '
                'first confirmed association between the actor and this '
                'ransomware strain. The attacks leverage a mix of custom and '
                'commodity malware, including Comebacker, Blindingcan, '
                'ChromeStealer, Infohook, Mimikatz, RP_Proxy, and Curl. Since '
                'November 2025, Medusa’s data leak site has listed four U.S. '
                'healthcare and non-profit victims, including an educational '
                'facility for autistic children.',
 'impact': {'brand_reputation_impact': True,
            'data_compromised': True,
            'identity_theft_risk': True},
 'motivation': ['Financial gain', 'Espionage'],
 'ransomware': {'data_encryption': True,
                'data_exfiltration': True,
                'ransom_demanded': '$15 million (max), $260,000 (average)',
                'ransomware_strain': 'Medusa'},
 'references': [{'source': 'Symantec Report'}],
 'threat_actor': ['Lazarus Group', 'Andariel/Stonefly', 'Diamond Sleet'],
 'title': 'North Korean Lazarus Group Targets U.S. Healthcare with Medusa '
          'Ransomware',
 'type': 'Ransomware'}