Lazarus Group Deploys Medusa Ransomware

The Lazarus Group has reportedly adopted Medusa ransomware in a new wave of attacks targeting the U.S. healthcare sector. The shift in tooling by the prominent threat actor highlights the ongoing evolution of ransomware tactics. In Wisconsin, public sector organizations are still dealing with the aftermath of recent ransomware incidents, underscoring the local relevance of this threat.

- The Lazarus Group is a state-sponsored hacking organization linked to North Korea's primary intelligence agency, the Reconnaissance General Bureau. While initially focused on espionage, its objectives have expanded to include financially motivated attacks, such as the $81 million Bangladesh Bank heist and the 2017 WannaCry ransomware outbreak, to generate revenue for the regime and bypass international sanctions.
- Medusa operates on a Ransomware-as-a-Service (RaaS) model: affiliates pay for access to the ransomware and its infrastructure, which allows for a higher volume of attacks. The group employs "double extortion": it not only encrypts a victim's files but also exfiltrates sensitive data and threatens to publish it on its leak site to pressure victims into paying.
- Medusa affiliates typically gain initial access by exploiting vulnerabilities in public-facing applications, such as Microsoft Exchange Server, through phishing campaigns, or by compromising weak Remote Desktop Protocol (RDP) credentials. Once inside, they often use legitimate administrative tools already present on the network, a technique known as "Living off the Land," to evade detection while disabling security software and backup processes.
- Cybersecurity agencies classify ransomware attacks on the healthcare sector as "threat-to-life" crimes because they directly impede patient care. Research estimates that from 2016 to 2021, ransomware attacks contributed to the deaths of 42 to 67 Medicare patients through care disruptions.
- The 2024 ransomware attack on Change Healthcare, a payment processor, illustrates the cascading impact on the sector: it crippled billing and prescription services for weeks and affected 94% of hospitals in the United States.
- In October 2024, a ransomware attack on the City of Sheboygan, Wisconsin, led to the theft of personal information from nearly 67,000 individuals, including Social Security numbers and state IDs. Another attack in April 2025 on Iowa County, Wisconsin, deleted a significant portion of the county's network and backups, severely disrupting real estate transactions and other government services.
- The collaboration with Medusa represents an evolution in tactics for Lazarus, which has historically deployed its own custom-built ransomware, such as WannaCry and Maui. A joint analysis by Symantec and Carbon Black found that Lazarus operators deployed Medusa alongside their own tooling, including the Comebacker backdoor, in these recent campaigns.
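The "Living off the Land" bullet above describes operators disabling security software and backup processes with tools that already ship with Windows. The Python below is an added example, not code from the page, from the Symantec and Carbon Black analysis, or from any Medusa advisory: it scans process-creation events for the built-in commands typically used to delete shadow copies, disable recovery and turn off real-time protection, and escalates any host where more than one of those behaviors fires in the same batch. The field names (Image, CommandLine, OriginalFileName, User, Computer) are assumed to follow Sysmon Event ID 1 conventions, and the sample events are constructed for the example.

```python
"""Added example: flag living-off-the-land commands that ransomware operators
use to inhibit recovery and impair defenses, from process-creation telemetry.
Field names follow Sysmon Event ID 1 (an assumption); the events are constructed."""
import json
import re
from pathlib import PureWindowsPath

# (rule name, image basename, regex over the command line).
# The commands are the well-known built-in tools abused to inhibit recovery
# (MITRE ATT&CK T1490) and impair defenses (T1562.001).
RULES = [
    ("shadow_copies_deleted", "vssadmin.exe", re.compile(r"delete\s+shadows", re.I)),
    ("shadow_copies_deleted", "wmic.exe", re.compile(r"shadowcopy\s+delete", re.I)),
    ("shadow_copies_deleted", "powershell.exe",
     re.compile(r"win32_shadowcopy.*?\.delete\(\)", re.I)),
    ("recovery_disabled", "bcdedit.exe",
     re.compile(r"recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures", re.I)),
    ("backup_catalog_deleted", "wbadmin.exe",
     re.compile(r"delete\s+(catalog|systemstatebackup)", re.I)),
    ("realtime_protection_disabled", "powershell.exe",
     re.compile(r"set-mppreference\b.*-disablerealtimemonitoring\s+\$?true", re.I)),
    ("security_service_stopped", "sc.exe",
     re.compile(r"\b(stop|delete)\s+\S*(defend|sense|backup|veeam|sql)", re.I)),
]


def image_basename(image: str) -> str:
    """Lower-cased file name of the process image."""
    return PureWindowsPath(image).name.lower()


def match_event(event: dict) -> list:
    """Rule names that fire on one process-creation event.

    A rule applies when the image (or, for renamed copies, the PE's
    OriginalFileName) is the expected tool, or when the command line names
    the tool, which catches a parent record like cmd.exe /c "wmic ..." when
    the child process record is unavailable."""
    name = image_basename(event.get("Image", ""))
    original = (event.get("OriginalFileName") or "").lower()
    cmd = event.get("CommandLine", "")
    hits = []
    for rule, image, pattern in RULES:
        tool = image[: -len(".exe")]
        invoked = image in (name, original) or re.search(
            rf"\b{tool}(\.exe)?\b", cmd, re.I)
        if invoked and pattern.search(cmd) and rule not in hits:
            hits.append(rule)
    return hits


def scan(events: list) -> list:
    """One finding per event that fires at least one rule."""
    findings = []
    for ev in events:
        rules = match_event(ev)
        if rules:
            findings.append({"host": ev.get("Computer"), "user": ev.get("User"),
                             "rules": rules, "cmd": ev.get("CommandLine")})
    return findings


def hosts_to_escalate(findings: list, threshold: int = 2) -> dict:
    """Hosts on which at least `threshold` distinct rules fired in the batch.
    A lone shadow-copy deletion can be an administrator; deletion plus disabled
    recovery or disabled real-time protection is a ransomware precursor."""
    per_host = {}
    for f in findings:
        per_host.setdefault(f["host"], set()).update(f["rules"])
    return {h: sorted(r) for h, r in per_host.items() if len(r) >= threshold}


# Constructed sample telemetry (JSON lines), not real events.
SAMPLE_EVENTS = r'''
{"Computer": "WS01", "User": "CORP\\jdoe", "Image": "C:\\Windows\\System32\\vssadmin.exe", "CommandLine": "vssadmin.exe delete shadows /all /quiet"}
{"Computer": "WS01", "User": "CORP\\jdoe", "Image": "C:\\Windows\\System32\\bcdedit.exe", "CommandLine": "bcdedit.exe /set {default} recoveryenabled No"}
{"Computer": "WS02", "User": "CORP\\admin", "Image": "C:\\Windows\\System32\\vssadmin.exe", "CommandLine": "vssadmin list shadows"}
{"Computer": "WS02", "User": "CORP\\admin", "Image": "C:\\Users\\Public\\svc.exe", "OriginalFileName": "VSSADMIN.EXE", "CommandLine": "svc.exe delete shadows /all /quiet"}
{"Computer": "SRV01", "User": "NT AUTHORITY\\SYSTEM", "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c \"wmic shadowcopy delete\""}
{"Computer": "SRV01", "User": "NT AUTHORITY\\SYSTEM", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe -nop -w hidden -c \"Set-MpPreference -DisableRealtimeMonitoring $true\""}
{"Computer": "SRV01", "User": "CORP\\jdoe", "Image": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe C:\\Users\\jdoe\\notes.txt"}
'''


def load_sample_events() -> list:
    return [json.loads(line) for line in SAMPLE_EVENTS.strip().splitlines()]


if __name__ == "__main__":
    found = scan(load_sample_events())
    for f in found:
        print(f"{f['host']:6} {f['user']:20} {','.join(f['rules'])}  <- {f['cmd']}")
    print("escalate:", hosts_to_escalate(found))
```

Two design points matter in practice. Matching on OriginalFileName as well as the image path is what catches the renamed copy on WS02; a rule keyed only on the command line's first token would miss it. Conversely, the wmic deletion on SRV01 is visible only in the cmd.exe parent record, so the command-line fallback is needed wherever child-process telemetry is incomplete. The per-host threshold keeps a single "vssadmin list shadows" from paging anyone while still escalating the two hosts where deletion is paired with disabled recovery or disabled protection.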

Shared from Scout - Be the smartest in the room.