[TIMESTAMP: 2026-02-24 12:21 UTC] [AUTHOR: Runtime Rebel Intel] [SEVERITY: HIGH]

Lazarus Group Deploys Medusa Ransomware in Global Healthcare Attacks


Recent investigations by the Symantec and Carbon Black Threat Hunter Team have identified the Lazarus Group—the North Korean state-sponsored threat actor also tracked as Diamond Sleet and Pompilus—deploying Medusa ransomware in recent campaigns. While Lazarus is traditionally associated with espionage and large-scale financial theft (such as the 2016 Bangladesh Bank heist), this development indicates a sustained interest in disruptive ransomware operations against critical infrastructure and healthcare organizations.

According to reports from The Hacker News, the threat actor successfully compromised an entity in the Middle East and made an unsuccessful attempt against a healthcare organization in the United States. This activity continues the actor’s shift toward multi-faceted, financially motivated extortion, widely assessed as a means of generating revenue under international sanctions.

Technical Analysis of Lazarus Operations

The integration of Medusa ransomware into the Lazarus arsenal demonstrates the group’s adaptability and willingness to leverage established Ransomware-as-a-Service (RaaS) tools. Medusa, which gained significant prominence in 2023, typically utilizes a double-extortion model, where data is exfiltrated before encryption to ensure the threat actor maintains leverage over the victim even if systems are restored from backups.

Observed TTPs and Infrastructure

In the Middle Eastern incident, the initial access vector has not been disclosed, though Lazarus frequently relies on spear-phishing or the exploitation of known vulnerabilities in internet-facing edge applications. Once inside the network, the group used standard living-off-the-land (LotL) techniques to maintain persistence and move laterally across the environment.

The use of Medusa is notable because Lazarus has previously developed its own bespoke ransomware strains, such as VHD and Maui. Adopting a RaaS-associated payload like Medusa may be an attempt to complicate attribution, or simply to benefit from the encryption and exfiltration tooling maintained by the Medusa developers. Symantec’s analysis suggests that the actor’s infrastructure overlaps with previous Diamond Sleet campaigns, specifically in its command-and-control (C2) patterns and in particular lateral movement scripts.

Targeting Profile

The attempted attack on a U.S. healthcare provider aligns with previous warnings from the FBI and CISA regarding North Korean interest in the sector. Healthcare organizations are often targeted due to the critical nature of their data and the high pressure to restore services, which threat actors believe increases the likelihood of a ransom payment. The involvement of Pompilus (a subset of Lazarus) in these attacks suggests a maturing operational structure where different sub-groups focus on specific geographic or industrial verticals. By targeting the Middle East, the group expands its footprint beyond its usual focus on South Korea, Japan, and the United States.

Mitigation and Recommendations

To defend against Lazarus-led ransomware campaigns, organizations should prioritize the following defensive measures:

  • Implement Strict Egress Filtering: Lazarus relies on external C2 servers for payload delivery and data exfiltration. Restrict outbound traffic to known-good destinations and monitor for unusual DNS queries and high-volume outbound transfers.
  • Enforce Multi-Factor Authentication (MFA): Ensure all remote access points, including VPNs and RDP, are protected by phishing-resistant MFA to blunt credential-based lateral movement.
  • Patch Management: While no specific CVE was cited in the current campaign, Lazarus frequently exploits vulnerabilities in Ivanti, Citrix, and Fortinet appliances. Prioritize patching external-facing assets within 24-48 hours of a security release.
  • Monitor for Data Exfiltration: Medusa operations involve significant data movement before encryption. Deploy Data Loss Prevention (DLP) tooling to detect large transfers of sensitive files to unauthorized cloud storage services or suspicious IP addresses.
  • Endpoint Detection and Response (EDR): Deploy and actively monitor EDR to detect the LotL techniques and script executions typically used by Pompilus for persistence.
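The egress-filtering and exfiltration-monitoring recommendations above can be turned into a simple detection pass over proxy and DNS logs. The following is an added example, not code from the article or from Symantec; the log format, the allowlist, the per-host byte threshold and the DNS-label heuristics are constructed assumptions for illustration, and the sample log lines are fabricated.

```python
"""Egress monitoring example: flag outbound transfers to non-allowlisted
destinations, hosts exceeding an outbound byte budget, and DNS queries whose
first label looks machine-generated (long and high-entropy).

Added example, not part of the original article. Log format, allowlist and
thresholds are constructed assumptions.
"""
import math
from collections import defaultdict

# Constructed sample logs (not real telemetry). Assumed format:
#   PROXY <src_host> <dst_domain> <bytes_out>
#   DNS   <src_host> <queried_name>
SAMPLE_LOGS = """\
PROXY ws-042 updates.vendor.example.com 18200
PROXY ws-042 files.share.example.org 734003200
PROXY ws-017 updates.vendor.example.com 9100
PROXY srv-db-01 files.share.example.org 2147483648
DNS   ws-042 updates.vendor.example.com
DNS   ws-042 a8f3k2z9q1x7c4v6b2n0m5l8p3o1i9u7.tunnel.example.net
DNS   ws-017 mail.corp.example.com
""".splitlines()

# Assumed known-good egress destinations (constructed).
EGRESS_ALLOWLIST = {"updates.vendor.example.com", "mail.corp.example.com"}

# Assumed thresholds: 500 MiB outbound per source host per log window; a
# first DNS label of 30+ characters with >= 3.5 bits/char entropy is flagged.
BYTES_THRESHOLD = 500 * 1024 * 1024
LABEL_LEN_THRESHOLD = 30
ENTROPY_THRESHOLD = 3.5


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_line(line: str):
    """Split one log line into a tuple; returns None for malformed lines."""
    parts = line.split()
    if len(parts) == 4 and parts[0] == "PROXY" and parts[3].isdigit():
        return "PROXY", parts[1], parts[2], int(parts[3])
    if len(parts) == 3 and parts[0] == "DNS":
        return "DNS", parts[1], parts[2]
    return None


def analyze_egress(lines, allowlist=EGRESS_ALLOWLIST):
    """Return findings keyed by detection type.

    non_allowlisted: (src, dst, bytes) for proxy hits to destinations off the allowlist
    high_volume:     (src, total_bytes) for hosts whose outbound bytes exceed the budget
    odd_dns:         (src, name) for queries whose first label is long and high-entropy
    """
    findings = {"non_allowlisted": [], "high_volume": [], "odd_dns": []}
    bytes_per_host = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than crash the pass
        if rec[0] == "PROXY":
            _, src, dst, nbytes = rec
            bytes_per_host[src] += nbytes
            if dst not in allowlist:
                findings["non_allowlisted"].append((src, dst, nbytes))
        else:
            _, src, name = rec
            first_label = name.split(".")[0]
            if (len(first_label) >= LABEL_LEN_THRESHOLD
                    and shannon_entropy(first_label) >= ENTROPY_THRESHOLD):
                findings["odd_dns"].append((src, name))
    for src, total in bytes_per_host.items():
        if total > BYTES_THRESHOLD:
            findings["high_volume"].append((src, total))
    return findings


if __name__ == "__main__":
    for kind, items in analyze_egress(SAMPLE_LOGS).items():
        for item in items:
            print(kind, item)
```

On the sample data the pass flags two non-allowlisted transfers to files.share.example.org, two hosts over the 500 MiB budget (ws-042 and srv-db-01), and one high-entropy DNS label from ws-042. In production the allowlist would come from the proxy policy, the byte budget would be set per host role (a database server should rarely push gigabytes outbound), and the DNS heuristic should be tuned against a baseline of legitimate CDN and telemetry names, which also use long random labels.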
