North Korean actors linked to Medusa ransomware attacks on US healthcare

Researchers report that a North Korean state-aligned threat cluster has deployed Medusa ransomware against healthcare and nonprofit targets in the United States.

 

What happened

North Korean state-backed cyber actors have been linked to multiple ransomware attacks using the Medusa strain against US healthcare organizations and nonprofit entities. According to The Hacker News, investigators found activity consistent with the Lazarus Group, a name used for threat actors associated with North Korea’s Reconnaissance General Bureau. Since November 2025, at least four US healthcare-related victims and one organization in the Middle East have been reportedly targeted. Medusa operates as a ransomware-as-a-service model, in which core developers supply the malware and infrastructure while affiliates carry out attacks in exchange for a share of ransom payments. Victims are subjected to double extortion, meaning their data is encrypted and stolen, with threats to publish or sell the information if payment is refused.

 

Going deeper

Medusa emerged in 2023 as a ransomware operation that uses affiliates to deploy its file-encrypting malware across targeted organizations. Ransomware locks files so they cannot be accessed without a decryption key, disrupting clinical and administrative systems in healthcare environments. The group also uses double extortion, meaning it steals sensitive data before encryption and threatens to leak it if payment is not made. Investigators have linked the activity to tactics previously associated with Lazarus-aligned actors, including stealing login credentials, moving laterally through networks, and preparing data for exfiltration before launching encryption. Recent ransom demands have reportedly reached the mid-six-figure range, showing a continued financially driven focus.

 

What was said

One cybersecurity expert said that although some ransomware groups claim they avoid targeting healthcare, that is clearly not the case in this instance, warning that healthcare organizations face the same level of risk as other sectors. “While some ransomware actors profess to having a moral objection to targeting healthcare, it's clearly not the case here with Lazarus,” he said. “The takeaway for healthcare organizations is that they're at the same risk of attack as peers in other sectors.” He advised adopting a defense-in-depth approach, meaning multiple layers of security controls. “If attackers fail to trigger one trip wire, then they may be caught on the next,” he said, adding that organizations should audit all software, apply security updates as soon as possible, maintain strong credentials that are changed frequently, and use multi-factor authentication routinely.

 

In the know

Reporting from BankInfoSecurity shows that the Lazarus Group is deploying several additional tools in its latest attacks. These include Blindingcan, a remote access trojan that allows attackers to control infected systems; ChromeStealer, which extracts saved passwords from the Chrome browser; Curl, a legitimate command line tool often abused to transfer stolen data; Infohook, designed to steal sensitive information; Mimikatz, a widely known program used to extract login credentials from Windows systems; and RP_Proxy, a custom tool that routes traffic through compromised machines to hide attacker activity.

 

The big picture

Ransomware monitoring website Ransomware.live counted 518 Medusa victims, including at least 43 in healthcare, since the ransomware-as-a-service group emerged in 2023. The latest healthcare attacks are believed to be linked to North Korean Lazarus actors, with affiliates deploying Medusa in exchange for a percentage of ransom payments. “It's definitely possible that North Korean actors are behind these recent attacks because it conforms with the targeting of healthcare organizations detailed in the 2024 indictment” of Hyok, analysts said, adding, “Only a post-incident investigation at these organizations would confirm for sure.” The report stated that the shift to Medusa shows North Korea's “rapacious involvement” in cybercrime and warned, “North Korean actors appear to have few scruples about targeting organizations in the United States. While some cybercrime outfits claim to steer clear of targeting healthcare organizations due to the reputational damage it may attract, Lazarus doesn't seem to be in any way constrained.”

 

FAQs

What makes healthcare organizations frequent ransomware targets?

Healthcare entities rely on continuous access to electronic health records, diagnostic systems, and scheduling platforms. Operational disruption creates immediate pressure to restore services, increasing the likelihood of ransom negotiations.

 

How does ransomware as a service work?

Developers create and maintain the ransomware infrastructure while recruiting affiliates to conduct intrusions. Affiliates share a portion of collected ransom payments with the operators.

 

Why is Lazarus associated with both espionage and ransomware?

Threat clusters linked to North Korea have historically conducted espionage campaigns, destructive attacks, and financially motivated operations. Revenue from cybercrime has been identified by US authorities as a funding stream for broader state objectives.

 

What regulatory implications exist for healthcare victims?

Organizations affected by ransomware that involves data exfiltration may have breach notification obligations under federal and state privacy laws, including requirements related to protected health information.

 

Does state sponsorship change incident response strategy?

Attribution to a state-aligned actor can affect law enforcement coordination, intelligence sharing, and risk assessments; however, technical containment and recovery steps remain grounded in established incident response practices.
