North Korea’s Lazarus Group Is Running Medusa Ransomware Attacks on U.S. Healthcare

A state-backed hacking group is no longer just stealing crypto — it's shaking down hospitals and mental health nonprofits.


North Korean hackers have added another ransomware family to their arsenal — and this time, the targets include mental health organizations and schools for autistic children.


What Happened?

Symantec’s Threat Hunter Team has confirmed that Lazarus Group — the North Korean state-sponsored hacking collective — is now deploying Medusa ransomware against targets in the U.S. and Middle East.

Medusa emerged in 2023 and operates as ransomware-as-a-service (RaaS): the core operator, a cybercrime outfit tracked as Spearwing, maintains the malware and the leak site, and affiliates rent it to run their own intrusions in exchange for a cut of the ransom. More than 366 Medusa attacks have been claimed to date. The affiliate model matters for defenders: the Medusa payload and the leak-site listings are Spearwing's, but the intrusion that precedes them belongs to the affiliate, so Medusa-specific indicators alone say little about how Lazarus got in.

This is Lazarus’s third known ransomware partnership. The group was previously tied to the Maui and Play ransomware families — the latter confirmed by Palo Alto Unit 42 in October 2024.

The Symantec team found Lazarus using Medusa in a confirmed attack on a target in the Middle East, while also attempting — unsuccessfully — to hit a U.S. healthcare organization. Since November 2025, the Medusa leak site shows four attacks on U.S. healthcare and non-profit organizations, including a mental health nonprofit and an educational facility serving autistic children. Average ransom demand: $260,000.

The toolset Lazarus used includes Comebacker (a custom backdoor), Blindingcan (a remote access trojan), ChromeStealer for pulling saved browser passwords, Mimikatz for credential dumping, and a custom proxy tool called RP_Proxy.

The Lazarus sub-group most likely behind these attacks is Stonefly (also known as Andariel), which is linked to North Korea’s Reconnaissance General Bureau, the regime's military intelligence service. In July 2024, the U.S. Department of Justice indicted North Korean national Rim Jong Hyok for ransomware attacks on U.S. hospitals, and a $10 million Rewards for Justice bounty was posted for information on him. Neither moved the needle. Attacks continued.


What’s the Impact?

This matters for a few reasons beyond the headline.

North Korea isn’t running ransomware for the thrill of it. The DOJ indictment laid it out plainly: ransom proceeds fund the regime’s espionage operations, including attacks on defense contractors and government agencies in the U.S., Taiwan, and South Korea. Every ransom payment to a Lazarus-affiliated campaign potentially bankrolls a broader intelligence operation.

The targeting of healthcare (hospitals, mental health nonprofits, schools for disabled children) crosses a line that other ransomware groups at least pay lip service to avoiding. Medusa’s operators, Spearwing, run a criminal enterprise with something resembling a reputation to protect. Lazarus has no such concern: there are no reputational consequences when you answer to a regime that faces no international accountability.

The shift to Medusa also shows the group is evolving fast — testing new partnerships and delivery mechanisms, staying ahead of detection by rotating tools and affiliations.


How to Avoid This

No patch closes the gap when a state-level actor is determined to get in, but there are practical steps that reduce exposure considerably.

Patch aggressively and early. Lazarus and its sub-groups routinely exploit known, unpatched vulnerabilities, typically in internet-facing systems, and delayed patching remains one of the most common entry points. Security teams should treat actively exploited zero-days and high-severity CVEs on exposed systems as incidents requiring same-day response, not next-quarter remediation.

Watch for credential theft activity. Tools like Mimikatz and ChromeStealer are post-exploitation staples: Mimikatz reads credential material out of LSASS memory, and browser password stores sit in the user's profile where any process running as that user can read them. Endpoint detection should flag non-security processes opening lsass.exe with read access and non-browser processes reading browser credential databases, and privileged access should be gated behind hardware-based MFA rather than passwords alone. Keep in mind that by the time Mimikatz runs, the attacker already holds local administrator rights on that host; the point of catching it is to stop one compromised workstation from turning into domain-wide credentials.
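As an added illustration of what "flag credential dumping attempts" looks like in practice (example code written for this page, not Symantec's or any vendor's detection content), the Python below runs three narrow checks over constructed Windows telemetry: Sysmon Event ID 10 for a non-allowlisted process opening lsass.exe with PROCESS_VM_READ, Sysmon Event ID 1 for Mimikatz module names on a command line, and Security Event ID 4663 for a non-browser process opening Chrome's Login Data database (which only exists if object-access auditing is enabled on the profile directory). The sample events, the allowlist and the svc.exe path are constructed assumptions; real events would arrive as parsed fields from a SIEM or EDR.

```python
"""Added example: three credential-theft detections plus a per-binary correlation,
run over constructed Sysmon/Security-log events. Not vendor detection content."""
import re
from collections import defaultdict
from typing import Callable, Dict, List, Optional

Event = Dict[str, str]
Alert = Dict[str, str]

# Process access right from winnt.h; reading LSASS memory requires it.
PROCESS_VM_READ = 0x0010

# Images that legitimately open lsass.exe with read access (assumption: tune per estate).
LSASS_READER_ALLOWLIST = {
    r"c:\program files\windows defender\msmpeng.exe",
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\svchost.exe",
}

# Mimikatz module and command tokens that survive renaming the binary.
MIMIKATZ_TOKENS = re.compile(r"privilege::debug|sekurlsa|logonpasswords|lsadump|kerberos::", re.I)

# Chromium-family credential stores and the browsers allowed to touch them.
BROWSER_CRED_STORE = re.compile(r"\\(login data|web data|cookies)$", re.I)
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "brave.exe"}


def _base(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def check_lsass_access(ev: Event) -> Optional[Alert]:
    """Sysmon EID 10: non-allowlisted process opened lsass.exe with VM_READ."""
    if ev.get("EventID") != "10" or _base(ev.get("TargetImage", "")) != "lsass.exe":
        return None
    if ev.get("SourceImage", "").lower() in LSASS_READER_ALLOWLIST:
        return None
    if int(ev.get("GrantedAccess", "0"), 16) & PROCESS_VM_READ:
        return {"rule": "lsass_memory_read", "image": ev["SourceImage"],
                "detail": ev["GrantedAccess"]}
    return None


def check_mimikatz_cmdline(ev: Event) -> Optional[Alert]:
    """Sysmon EID 1: Mimikatz module names on the command line of a new process."""
    if ev.get("EventID") != "1":
        return None
    match = MIMIKATZ_TOKENS.search(ev.get("CommandLine", ""))
    if match:
        return {"rule": "mimikatz_cmdline", "image": ev.get("Image", ""),
                "detail": match.group(0)}
    return None


def check_browser_cred_store(ev: Event) -> Optional[Alert]:
    """Security EID 4663: a non-browser process opened a browser credential database."""
    if ev.get("EventID") != "4663":
        return None
    if not BROWSER_CRED_STORE.search(ev.get("ObjectName", "")):
        return None
    if _base(ev.get("ProcessName", "")) in BROWSER_IMAGES:
        return None
    return {"rule": "browser_cred_store_read", "image": ev["ProcessName"],
            "detail": ev["ObjectName"]}


RULES: List[Callable[[Event], Optional[Alert]]] = [
    check_lsass_access, check_mimikatz_cmdline, check_browser_cred_store,
]


def run_detections(events: List[Event]) -> List[Alert]:
    """Apply every rule to every event; return alerts in event order."""
    return [a for ev in events for a in (rule(ev) for rule in RULES) if a]


def correlate_by_image(alerts: List[Alert]) -> Dict[str, List[str]]:
    """One binary tripping two or more distinct rules is a much stronger signal than any one hit."""
    by_image = defaultdict(set)
    for alert in alerts:
        by_image[alert["image"].lower()].add(alert["rule"])
    return {img: sorted(rules) for img, rules in by_image.items() if len(rules) >= 2}


# Constructed sample telemetry: one benign and one suspicious event per rule.
SAMPLE_EVENTS: List[Event] = [
    {"EventID": "10", "SourceImage": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": "10", "SourceImage": r"C:\Users\jdoe\AppData\Local\Temp\svc.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": "1", "Image": r"C:\Users\jdoe\AppData\Local\Temp\svc.exe",
     "CommandLine": 'svc.exe "privilege::debug" "sekurlsa::logonpasswords" exit'},
    {"EventID": "1", "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe notes.txt"},
    {"EventID": "4663", "ProcessName": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ObjectName": r"C:\Users\jdoe\AppData\Local\Google\Chrome\User Data\Default\Login Data",
     "AccessMask": "0x1"},
    {"EventID": "4663", "ProcessName": r"C:\Users\jdoe\AppData\Local\Temp\svc.exe",
     "ObjectName": r"C:\Users\jdoe\AppData\Local\Google\Chrome\User Data\Default\Login Data",
     "AccessMask": "0x1"},
]

if __name__ == "__main__":
    found = run_detections(SAMPLE_EVENTS)
    for alert in found:
        print(alert["rule"], alert["image"], alert["detail"])
    print("escalate:", correlate_by_image(found))
```

The allowlist is the weak point of the first rule: an attacker who injects into an allowlisted process, or who dumps LSASS via a signed tool such as a debugger, will not trip it, which is why the correlation step and the command-line and file-access rules exist alongside it. Tune the allowlist from a baseline of your own Event ID 10 data before trusting it.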

Segment healthcare networks. Flat networks are a ransomware attacker’s best friend. Clinical systems, administrative systems, and external-facing applications should sit in separate zones with strict access controls between them.

Don’t negotiate without involving law enforcement. The FBI’s Cyber Division has specific guidance for ransomware victims — particularly those in healthcare. Reporting isn’t just a formality; it contributes to attribution and future indictments.

Check your supply chain connections. Lazarus has repeatedly used trusted third-party access to breach primary targets. Every vendor with network access is a potential entry point worth auditing.

For technical indicators of compromise — including file hashes and malicious domains — Symantec’s full list is available via their Protection Bulletin.
