
North Korean Lazarus Group Escalates Attacks on Healthcare with Medusa Ransomware

A recent surge in ransomware attacks has exposed a shift in tactics by North Korea's Lazarus Group, which is now deploying Medusa ransomware against healthcare and nonprofit organizations in the United States and the Middle East. The campaigns are financially motivated, and their proceeds are reported to feed the regime's espionage and military programs.

Key Takeaways

  • Lazarus Group has adopted Medusa ransomware, a ransomware-as-a-service (RaaS) offering.

  • Recent victims include U.S. healthcare and nonprofit organizations, as well as targets in the Middle East.

  • North Korean ransomware activities increasingly fund espionage operations and military objectives.

  • The group continues its operations despite previous indictments and international law enforcement actions.

Emergence of Medusa as a Threat

Medusa ransomware, first observed in 2023 and attributed to the Spearwing cybercrime group, has quickly become one of the most pervasive RaaS platforms. Affiliates, which now include state-sponsored actors such as Lazarus, deploy the malware and hand the operators a share of each ransom payment. To date, Medusa attacks have breached more than 350 organizations worldwide.

Since late 2025, Medusa has been used in the compromise of four U.S.-based healthcare and nonprofit organizations, including those serving mental health needs and children with autism. The average ransom demand in these cases was approximately $260,000. Not all attacks were successful, with some, such as a recent attempt on a U.S. healthcare provider, being thwarted by defensive teams.

Lazarus Group’s Expanding Toolset

Lazarus has added Medusa to its arsenal, alongside ransomware it has used in earlier campaigns, such as Maui and Play. Their campaigns demonstrate a tactical shift, from custom-built ransomware to externally developed RaaS offerings that any paying affiliate can rent.

Key tools used in these attacks include:

  • Comebacker: A custom backdoor loader tightly linked to Lazarus operations

  • Blindingcan: A remote access trojan for persistence and control

  • ChromeStealer: For harvesting stored passwords from browsers

  • RP_Proxy & Curl: A proxying tool, paired with the legitimate curl utility, for network data transfer and relaying traffic

  • Infohook & Mimikatz: Credential and information-stealing tools

This diversified toolset, combined with RaaS, makes Lazarus’s attacks harder to detect and attribute to a specific subgroup.

Financial Motivation and Global Implications

Lazarus and its subgroups operate with fewer constraints than many purely criminal crews, targeting sectors such as healthcare that other ransomware operators sometimes avoid for reputational reasons. Law enforcement officials have noted that ransom payments are often used to finance further cyber-espionage, including attacks on defense, government, and technology sectors in the U.S. and abroad.

The U.S. Justice Department’s indictment of a Lazarus-linked operator in 2025, as well as multi-million dollar rewards for information, have not diminished the group’s activities. Instead, North Korea’s offensive cyber efforts appear to be expanding in both scope and impact.

Ongoing Threats and Defensive Measures

Security experts warn that the partnership between nation-state actors like Lazarus and cybercriminal RaaS groups represents an escalating threat to critical infrastructure worldwide. The blending of cybercrime and espionage, combined with sophisticated malware deployment, is likely to continue as both a financial and strategic weapon.

Healthcare organizations and nonprofits are urged to bolster defenses, including advanced threat detection, network segmentation, timely software updates, and robust credential management. The last point matters most here: the toolset above (ChromeStealer, Infohook, Mimikatz) is built around stealing credentials from endpoints, so monitoring for credential-dumping behaviour and limiting what a stolen credential can reach directly reduces the impact of a foothold.
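As an added example, not code from the article or from any of the reports it cites, the following Python script shows what "monitoring for credential-dumping behaviour" looks like in practice. It scans Sysmon Event ID 10 (ProcessAccess) records for handles to lsass.exe that include PROCESS_VM_READ (0x0010), the access right Mimikatz-style tools need to read LSASS memory, and ignores a small allowlist of processes that open LSASS routinely. The log records, the allowlist and the "unbacked caller" heuristic are constructed assumptions for illustration and must be tuned per environment.

```python
"""Detect Mimikatz-style LSASS access in Sysmon Event ID 10 records.

Added example with constructed records; not code from the article or from any
vendor it cites. Sysmon Event ID 10 logs SourceImage, TargetImage, GrantedAccess
and CallTrace for every handle a process opens to another process. Reading LSASS
memory requires PROCESS_VM_READ in the granted access mask, so that bit on a
handle to lsass.exe from a non-allowlisted process is the core signal.
"""
import json

PROCESS_VM_READ = 0x0010

# Processes that routinely open LSASS on a typical Windows host. This baseline is
# an assumption for the example; verify it against your own hosts before use.
BENIGN_SOURCES = {
    r"c:\program files\windows defender\msmpeng.exe",
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
}

# Constructed Sysmon records as JSON lines (the shape a log forwarder would ship).
SAMPLE_LOG = r"""
{"EventID": 10, "SourceImage": "C:\\Program Files\\Windows Defender\\MsMpEng.exe", "TargetImage": "C:\\Windows\\system32\\lsass.exe", "GrantedAccess": "0x1410", "CallTrace": "C:\\Windows\\SYSTEM32\\ntdll.dll+9d2e4|C:\\Windows\\System32\\KERNELBASE.dll+2bd6e"}
{"EventID": 10, "SourceImage": "C:\\Windows\\System32\\Taskmgr.exe", "TargetImage": "C:\\Windows\\system32\\lsass.exe", "GrantedAccess": "0x1400", "CallTrace": "C:\\Windows\\SYSTEM32\\ntdll.dll+9d2e4|C:\\Windows\\System32\\KERNELBASE.dll+2bd6e"}
{"EventID": 10, "SourceImage": "C:\\Users\\Public\\update.exe", "TargetImage": "C:\\Windows\\system32\\lsass.exe", "GrantedAccess": "0x1010", "CallTrace": "C:\\Windows\\SYSTEM32\\ntdll.dll+9d2e4|UNKNOWN(000001F2A8C31000)"}
{"EventID": 10, "SourceImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "TargetImage": "C:\\Windows\\system32\\lsass.exe", "GrantedAccess": "0x1fffff", "CallTrace": "C:\\Windows\\SYSTEM32\\ntdll.dll+9d2e4|C:\\Windows\\System32\\KERNELBASE.dll+2bd6e|UNKNOWN(000001F2A8D40000)"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe"}
{"EventID": 10, "SourceImage": "C:\\Windows\\System32\\svchost.exe", "TargetImage": "C:\\Windows\\explorer.exe", "GrantedAccess": "0x1010", "CallTrace": "C:\\Windows\\SYSTEM32\\ntdll.dll+9d2e4"}
"""


def parse_events(log_text: str) -> list:
    """Parse one JSON object per non-empty line."""
    return [json.loads(line) for line in log_text.splitlines() if line.strip()]


def unbacked_caller(call_trace: str) -> bool:
    """True if any stack frame is not backed by a module on disk.

    Sysmon prints UNKNOWN(<address>) for such frames; that pattern is common
    when the caller runs from injected or reflectively loaded code. Treated here
    as a secondary indicator, not a verdict on its own.
    """
    return "UNKNOWN" in call_trace.upper()


def is_suspicious_lsass_access(evt: dict) -> bool:
    """Core rule: non-allowlisted process opens lsass.exe with PROCESS_VM_READ."""
    if evt.get("EventID") != 10:
        return False
    if not evt.get("TargetImage", "").lower().endswith("\\lsass.exe"):
        return False
    if evt.get("SourceImage", "").lower() in BENIGN_SOURCES:
        return False
    granted = int(evt.get("GrantedAccess", "0x0"), 16)
    return bool(granted & PROCESS_VM_READ)


def detect(log_text: str) -> list:
    """Return one finding per suspicious LSASS access, in log order."""
    findings = []
    for evt in parse_events(log_text):
        if is_suspicious_lsass_access(evt):
            findings.append({
                "source": evt["SourceImage"],
                "granted_access": evt["GrantedAccess"],
                "unbacked_caller": unbacked_caller(evt.get("CallTrace", "")),
            })
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(finding)
```

On the constructed log the script flags the unsigned binary in C:\Users\Public and the PowerShell process, and leaves Defender (allowlisted) and Task Manager (no PROCESS_VM_READ) alone. In production the allowlist should be keyed on signed, hash-verified binaries rather than paths alone, since a path is trivially spoofed by an attacker who already runs code on the host.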

Sources

  • Lazarus Group Uses Medusa Ransomware in Middle East and U.S. Healthcare Attacks, The Hacker News.

  • Lazarus hackers adopt Medusa ransomware for extortion campaigns, targeting healthcare and nonprofits, Industrial Cyber.

  • North Korean Lazarus Group Now Working With Medusa Ransomware, Security.com.

  • North Korean state hackers seen using Medusa ransomware in attacks on US, Middle East, The Record from Recorded Future News.
