North Korea's Lazarus Group targets healthcare orgs with Medusa ransomware

The Register
February 24, 2026
AI-Generated Deep Dive Summary
North Korea's Lazarus Group has expanded its arsenal by employing the Medusa ransomware in recent extortion campaigns targeting healthcare organizations. According to Symantec and Carbon Black threat hunters, the group has specifically targeted a US healthcare organization and an unnamed victim in the Middle East. While one attack failed, the Middle Eastern organization was successfully hit with Medusa, highlighting the group's evolving tactics.

Medusa is a ransomware-as-a-service (RaaS) operation managed by the cybercrime group Spearwing, which lets affiliates use its tools in exchange for a share of the ransom proceeds. Since November 2023, nearly 30 victims have been listed on Medusa's data-leak site, including four healthcare and nonprofit organizations in the US. These include a mental health nonprofit and an educational facility for autistic children. Although it remains unclear whether all these attacks were directly carried out by North Korean operatives or other Medusa affiliates, the average ransom demanded over four months was around $260,000.

Lazarus Group, known for high-profile attacks like the 2014 Sony Pictures hack and the 2017 WannaCry ransomware campaign, is an umbrella term for North Korean state-sponsored cyber activities. One of its most active subgroups is Andariel, which has previously used ransomware families such as Maui and Play. The group's continued targeting of critical sectors, such as healthcare, underscores the growing threat posed by cybercriminal activity tied to state-sponsored groups. The shift to Medusa demonstrates Lazarus Group's adaptability in the