The infamous Lazarus Group, associated with North Korea, has recently been identified using Medusa ransomware in a cyber attack targeting an unspecified entity in the Middle East. This finding comes from a report by the Symantec and Carbon Black Threat Hunter Team, highlighting the group's continued role in global cyber threats.
Expansion of Medusa Ransomware
The attack in the Middle East is part of a broader strategy by the Lazarus Group, also known by aliases such as Diamond Sleet and Pompilus. Broadcom’s threat intelligence division has noted a parallel attempt by the same actors to infiltrate a healthcare organization in the United States, which was ultimately unsuccessful. Medusa, launched by the Spearwing group in 2023, operates as a ransomware-as-a-service (RaaS), and has been linked to over 366 attacks thus far.
An analysis of the Medusa leak site has revealed attacks on four U.S.-based organizations, including those in the healthcare and non-profit sectors, in recent months. These attacks included a mental health non-profit and an educational institution for autistic children. It remains unclear whether these U.S. targets were specifically chosen by North Korean operatives or whether other Medusa affiliates were responsible. The average ransom demand reported during this period was approximately $260,000.
Historical Context and Tactical Shifts
The use of ransomware by North Korean groups is not a new phenomenon. Since 2021, a Lazarus sub-group known as Andariel, or Stonefly, has targeted nations like South Korea, Japan, and the U.S. with custom ransomware families such as SHATTEREDGLASS and H0lyGh0st. In October 2024, the group transitioned to using an off-the-shelf ransomware variant named Play, further demonstrating a shift in their operational tactics.
Similarly, another North Korean threat actor, Moonstone Sleet, previously deployed a custom ransomware called FakePenny but has since targeted South Korean financial institutions with Qilin ransomware. These developments suggest a strategic move toward working with established RaaS providers rather than building proprietary tools.
Implications and Future Outlook
According to Dick O’Brien, principal intelligence analyst at Symantec and Carbon Black, the decision to adopt RaaS models like Medusa is likely driven by efficiency. Utilizing established ransomware allows these groups to minimize the effort involved in developing new threats, potentially increasing their operational success.
The Lazarus Group’s Medusa campaign employs a variety of tools including RP_Proxy, Mimikatz, and ChromeStealer, among others. Despite the sophisticated nature of these operations, no specific sub-group within Lazarus has been definitively linked to the Medusa attacks, though similarities to previous Andariel tactics are evident.
The ongoing use of Medusa ransomware underscores the relentless nature of North Korean cyber activities, particularly against U.S. targets. While some cybercriminal organizations avoid healthcare targets due to potential reputational damage, Lazarus appears to operate without such constraints, reflecting their aggressive and opportunistic approach to cybercrime.
