North Korea’s well-known Lazarus hacking group has been linked to recent attacks involving Medusa ransomware. Security researchers made the connection after analyzing real-world intrusions rather than the ransomware binary alone. The finding shows how the group continues to expand its cyber operations, and it highlights the growing overlap between nation-state actors and criminal ransomware campaigns.
According to cybersecurity experts at Symantec, a subgroup associated with Lazarus deployed Medusa ransomware in targeted attacks. The victims included an organization in the Middle East and a healthcare provider in the United States. In these incidents, systems were encrypted and ransom demands were issued. This activity aligns with the group’s history of financially motivated operations.
Medusa operates as a ransomware-as-a-service (RaaS) platform. Under this model, the operators maintain the ransomware payload and the infrastructure around it, while affiliates gain access to victim networks and deploy the encryptor. In return, affiliates hand a share of each ransom payment to the operators. Since it became prominent in 2023, Medusa has been used in attacks affecting hundreds of organizations worldwide.
Reports indicate that more than 350 victims globally have been linked to Medusa ransomware campaigns, making it one of the more active ransomware operations in recent years. Use of such a platform by a state-linked group means the payload itself says little about who is behind a given intrusion: the same encryptor is shared across many affiliates. It suggests either direct collaboration with the Medusa operators or simple adoption of criminal tooling by a state-linked crew.
This is the first time researchers have publicly connected the Lazarus group to Medusa ransomware. Previously, North Korean hackers were linked to other ransomware families such as Maui, Play, HolyGhost, and Qilin. The Maui strain was notably used in attacks against U.S. healthcare institutions. In 2025, U.S. authorities indicted a North Korean hacker tied to Maui-related incidents.
Because a RaaS payload is shared by many unrelated affiliates, the attribution to Lazarus was not based on the ransomware itself. Analysts instead found custom malware and techniques that have been associated with North Korean operations in earlier campaigns, including specific backdoors and credential-stealing utilities. That overlap in bespoke tooling, rather than the commodity encryptor, is what supports the link to Lazarus or one of its affiliated subgroups.
Researchers also reported that ransom demands in the investigated Medusa incidents averaged around $260,000. While not every Medusa attack is directly attributed to Lazarus, the observed cases showed strong technical indicators. This suggests involvement within North Korea’s broader cyber ecosystem. It reflects how state-linked actors can operate similarly to organized ransomware groups.
Security experts warn that Lazarus remains highly active and adaptable in its tactics, and the targeting of healthcare and other sensitive sectors raises serious concerns. The blending of geopolitical objectives with financial cybercrime is becoming more visible. Organizations are advised to strengthen defenses and to monitor for indicators associated both with Medusa ransomware in general and with the Lazarus-linked backdoors and credential-theft tools seen in these intrusions, since the custom tooling is the part that distinguishes this actor from other Medusa affiliates.
Stay alert, and keep your security measures updated!