Middle Eastern Target: North Korean Lazarus Group Expands Ransomware Activity With Medusa

North Korean Hackers Linked to Surge in Medusa Ransomware Attacks on US Healthcare

Since its 2023 launch as a ransomware-as-a-service (RaaS) platform, Medusa, operated by the Spearwing cybercrime group, has been deployed in over 366 attacks, with affiliates earning a cut of ransom payments. Recent activity, however, has been traced to North Korean state-backed hackers, including the Lazarus Group and its Stonefly (Andariel) sub-group, despite US indictments targeting their operations.

In early November 2025, four US healthcare and non-profit organizations, including a mental health non-profit and a school for autistic children, were listed as victims on Medusa’s leak site, with average ransom demands reaching $260,000. Earlier attempts in 2024 and 2025 included failed breaches of a Middle Eastern target and a US healthcare provider.

The US Justice Department’s July 2025 indictment of Rim Jong Hyok, an alleged Stonefly member linked to North Korea’s Reconnaissance General Bureau (RGB), revealed that ransomware proceeds funded espionage against US, Taiwanese, and South Korean defense, technology, and government sectors. Despite the crackdown, intrusion attempts persisted into October 2024, though no ransomware was deployed.

Recent campaigns employed a suite of tools, including the Comebacker backdoor, Blindingcan RAT, ChromeStealer, Mimikatz, and custom utilities like RP_Proxy. While these tactics align with Stonefly’s past operations, researchers note the tools aren’t exclusive to the group.

Symantec’s analysis underscores North Korea’s unrelenting cybercrime expansion, with Lazarus actors showing little hesitation in targeting critical sectors like healthcare, a departure from some cybercriminal groups that avoid such high-risk victims because of the reputational fallout. The shift to Medusa signals a continued evolution in their financially motivated attacks.

Source: https://www.infosecurity-magazine.com/news/north-korean-lazarus-group-medusa/

Middle Eastern Target TPRM report: https://www.rankiteo.com/company/middle-east-institute

{
  "id": "mid1771959526",
  "linkid": "middle-east-institute",
  "type": "Cyber Attack",
  "date": "11/2025",
  "severity": "50",
  "impact": "2",
  "explanation": "Attack limited on finance or reputation"
}

{
  "affected_entities": [
    {"industry": "Healthcare", "location": "US", "type": "Healthcare"},
    {"industry": "Mental Health", "location": "US", "type": "Non-profit"},
    {"industry": "Education (Autistic Children)", "location": "US", "type": "Non-profit"}
  ],
  "data_breach": {"data_encryption": true, "data_exfiltration": true},
  "date_detected": "2025-11",
  "description": "Since its 2023 launch as a ransomware-as-a-service (RaaS) platform, Medusa operated by the Spearwing cybercrime group has been deployed in over 366 attacks, with affiliates earning a cut of ransom payments. Recent activity has been traced to North Korean state-backed hackers, including the Lazarus Group and its Stonefly (Andariel) sub-group. In early November 2025, four US healthcare and non-profit organizations were listed as victims on Medusa’s leak site, with average ransom demands reaching $260,000. The US Justice Department’s July 2025 indictment revealed that ransomware proceeds funded espionage against US, Taiwanese, and South Korean defense, technology, and government sectors.",
  "impact": {"brand_reputation_impact": true, "data_compromised": true},
  "initial_access_broker": {"backdoors_established": true},
  "motivation": ["Financial gain", "Espionage"],
  "ransomware": {
    "data_encryption": true,
    "data_exfiltration": true,
    "ransom_demanded": "$260,000 (average)",
    "ransomware_strain": "Medusa"
  },
  "references": [
    {"source": "Symantec Analysis"},
    {"source": "US Justice Department Indictment"}
  ],
  "regulatory_compliance": {"legal_actions": "US Justice Department indictment (July 2025)"},
  "threat_actor": ["Lazarus Group", "Stonefly (Andariel)", "Spearwing"],
  "title": "North Korean Hackers Linked to Surge in Medusa Ransomware Attacks on US Healthcare",
  "type": "Ransomware"
}