Comcast and NASCAR: North Korean Lazarus Group Adopts Medusa Ransomware in Global Attacks

North Korean Lazarus Group Expands into Ransomware with Medusa Attacks

North Korea’s state-backed Lazarus Group has entered the commercial ransomware market, leveraging the Medusa ransomware-as-a-service (RaaS) operation to target organizations in the Middle East and the U.S. While an attempted breach of U.S. healthcare entities failed, the campaign underscores a growing trend: nation-state actors adopting cybercrime tools for financial gain.

Since its emergence in 2023, Medusa has been linked to over 300 successful attacks, including high-profile victims like Comcast and NASCAR. By partnering with Medusa, Lazarus gains access to an established criminal infrastructure, obscuring its identity behind typical ransomware affiliates and complicating attribution for defenders.

The group’s attacks follow a multi-stage process, beginning with the deployment of tools to disable security protections. Custom backdoors like Blindingcan and Comebacker establish persistent access, while credential theft tools (ChromeStealer, Mimikatz) and data exfiltration utilities (Infohook, RP_Proxy) extract sensitive information before ransomware deployment. By the time Medusa encrypts systems, attackers have already exfiltrated critical data.

Recent targets reveal a focus on vulnerable institutions, including a U.S. mental health nonprofit and a school for children with autism. Ransom demands average $260,000, a calculated figure designed to pressure cash-strapped organizations into paying quickly. This strategy aligns with Lazarus’ broader shift toward financially motivated attacks, following a similar 2024 collaboration between North Korea’s Jumpy Pisces (Andariel) and the Play ransomware group.

Experts note the tactical logic: targeting underfunded sectors like healthcare and education maximizes emotional leverage, increasing the likelihood of payment. The convergence of state-sponsored espionage and ransomware operations means even small organizations previously overlooked by advanced threat actors now face sophisticated, government-backed cyber threats.

Source: https://hackread.com/north-korean-lazarus-group-medusa-ransomware/

Comcast TPRM report: https://www.rankiteo.com/company/comcast

NASCAR TPRM report: https://www.rankiteo.com/company/nascar

{
  "id": "nascom1771979720",
  "linkid": "nascar, comcast",
  "type": "Ransomware",
  "date": "2/2026",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization's existence"
}
{'affected_entities': [{'industry': 'Telecommunications',
                        'location': 'U.S.',
                        'name': 'Comcast',
                        'type': 'Corporation'},
                       {'industry': 'Sports/Entertainment',
                        'location': 'U.S.',
                        'name': 'NASCAR',
                        'type': 'Corporation'},
                       {'industry': 'Healthcare',
                        'location': 'U.S.',
                        'name': 'U.S. mental health nonprofit',
                        'type': 'Nonprofit'},
                       {'industry': 'Education',
                        'location': 'U.S.',
                        'name': 'School for children with autism',
                        'type': 'Educational Institution'}],
 'attack_vector': 'Multi-stage intrusion with custom backdoors, credential '
                  'theft, and data exfiltration',
 'data_breach': {'data_encryption': 'Yes (by Medusa ransomware)',
                 'data_exfiltration': 'Yes',
                 'personally_identifiable_information': 'Likely',
                 'sensitivity_of_data': 'High',
                 'type_of_data_compromised': 'Sensitive information, '
                                             'personally identifiable '
                                             'information (PII)'},
 'description': 'North Korea’s state-backed Lazarus Group has entered the '
                'commercial ransomware market, leveraging the Medusa '
                'ransomware-as-a-service (RaaS) operation to target '
                'organizations in the Middle East and the U.S. The campaign '
                'underscores a growing trend: nation-state actors adopting '
                'cybercrime tools for financial gain. Recent targets include a '
                'U.S. mental health nonprofit and a school for children with '
                'autism, with ransom demands averaging $260,000.',
 'impact': {'data_compromised': 'Sensitive information exfiltrated',
            'identity_theft_risk': 'High (PII potentially exposed)',
            'operational_impact': 'Disruption of services',
            'systems_affected': 'Encrypted by Medusa ransomware'},
 'initial_access_broker': {'backdoors_established': 'Blindingcan, Comebacker'},
 'lessons_learned': 'Nation-state actors are increasingly adopting ransomware '
                    'tools for financial gain, targeting vulnerable sectors '
                    'like healthcare and education. The convergence of '
                    'espionage and cybercrime complicates attribution and '
                    'defense.',
 'motivation': 'Financial gain',
 'post_incident_analysis': {'root_causes': "Lazarus Group's adoption of Medusa "
                                           'RaaS for financial gain, targeting '
                                           'underfunded sectors with emotional '
                                           'leverage.'},
 'ransomware': {'data_encryption': 'Yes',
                'data_exfiltration': 'Yes',
                'ransom_demanded': '$260,000 (average)',
                'ransomware_strain': 'Medusa'},
 'recommendations': 'Organizations should enhance monitoring for multi-stage '
                    'intrusions, implement network segmentation, and prepare '
                    'incident response plans for ransomware attacks. Special '
                    'attention should be given to sectors with limited '
                    'cybersecurity resources.',
 'threat_actor': 'Lazarus Group (North Korea state-backed)',
 'title': 'North Korean Lazarus Group Expands into Ransomware with Medusa '
          'Attacks',
 'type': 'Ransomware'}