North Korean Lazarus Group Now Working With Medusa Ransomware
North Korean state-backed attackers are utilizing Medusa ransomware in their ongoing extortion attacks against the U.S. healthcare sector. The Symantec and Carbon Black Threat Hunter Team discovered evidence of North Korean actors employing Medusa in an attack on a Middle Eastern target and an unsuccessful attempt on a U.S. healthcare organization. Medusa, launched in 2023, operates as a ransomware-as-a-service. The Lazarus sub-group Stonefly has been a key player in North Korean ransomware attacks, using proceeds to fund espionage activities. Despite indictments and rewards, the attacks continue unabated. The current campaign employs various tools, including Comebacker, Blindingcan, ChromeStealer, and RP_Proxy. While the attacks bear similarities to previous Stonefly operations, the exact sub-group responsible remains unclear.
AI Analysis
Technical Summary
The Lazarus Group, a North Korean state-sponsored threat actor, has incorporated Medusa ransomware into its extortion campaigns, particularly targeting the U.S. healthcare sector and Middle Eastern entities. Medusa ransomware, introduced in 2023 as ransomware-as-a-service, allows affiliates to deploy ransomware with modular capabilities. The Stonefly sub-group of Lazarus, known for ransomware attacks funding espionage, is implicated in these operations. The campaign uses a suite of tools including Comebacker (likely for persistence or backdoor access), Blindingcan (a remote access trojan), ChromeStealer (credential theft), and RP_Proxy (proxy tool for network evasion). Techniques observed include credential dumping (Mimikatz), lateral movement, privilege escalation, and exploitation of vulnerabilities, consistent with MITRE ATT&CK techniques such as T1003 (Credential Dumping), T1543 (Create or Modify System Process), and T1486 (Data Encrypted for Impact). The attackers aim to encrypt critical systems to extort ransom payments, which are then used to finance further espionage activities. Despite international law enforcement efforts, including indictments and rewards for Lazarus members, these ransomware campaigns persist. The attacks demonstrate a blend of espionage and financially motivated ransomware tactics, highlighting the evolving threat landscape posed by nation-state actors leveraging ransomware-as-a-service platforms.
Potential Impact
The impact of this threat is significant, particularly for healthcare organizations that rely on continuous availability and confidentiality of sensitive patient data. Successful ransomware deployment can lead to operational disruption, loss of critical healthcare services, exposure of protected health information (PHI), and financial losses due to ransom payments and remediation costs. Beyond healthcare, other sectors in the Middle East and globally may face similar risks. The use of ransomware by a nation-state actor like Lazarus also raises concerns about the dual use of cybercrime for espionage funding, potentially increasing the frequency and sophistication of attacks. Organizations may suffer reputational damage, regulatory penalties, and long-term operational setbacks. The persistent nature of these campaigns despite law enforcement actions indicates a sustained threat that could evolve with new tactics and tools, increasing the risk of widespread disruption and data compromise.
Mitigation Recommendations
Organizations should implement a multi-layered defense strategy tailored to the tactics used by Lazarus and Medusa ransomware affiliates. This includes:
1) Enforcing strict network segmentation to limit lateral movement, especially isolating critical healthcare systems.
2) Deploying advanced endpoint detection and response (EDR) solutions capable of detecting tools like Mimikatz and Blindingcan.
3) Regularly auditing and restricting privileged account usage and implementing multi-factor authentication (MFA) to reduce the impact of credential theft.
4) Conducting continuous vulnerability management and patching, focusing on known exploited vulnerabilities related to privilege escalation and remote code execution.
5) Monitoring for indicators of compromise related to ChromeStealer and RP_Proxy activity, including unusual proxy or network traffic patterns.
6) Implementing robust backup and recovery processes, ensuring backups are offline and immutable so they withstand ransomware encryption.
7) Conducting targeted threat hunting exercises for Lazarus-related TTPs and maintaining updated threat intelligence feeds.
8) Training staff on phishing and social engineering risks to reduce initial infection vectors.
9) Collaborating with industry information sharing groups and government cybersecurity agencies for timely alerts and response coordination.
These measures, combined with incident response preparedness, will enhance resilience against this sophisticated ransomware campaign.
Affected Countries
United States, South Korea, United Arab Emirates, Saudi Arabia, Israel, United Kingdom, Germany, Japan, Australia, Canada
Indicators of Compromise
Technical Details
- Author: AlienVault
- TLP: white
- References: https://www.security.com/blog-post/lazarus-medusa-ransomware
- Adversary: Lazarus Group
- Pulse Id: 699d9c44cde3077f50063a24
- Threat Score: null
Threat ID: 699e0e19be58cf853b27f362
Added to database: 2/24/2026, 8:46:17 PM
Last enriched: 3/26/2026, 6:05:21 PM
Last updated: 4/9/2026, 2:25:47 AM