The North Korean Lazarus Group has recently expanded its cyber operations by deploying Medusa ransomware against a target in the Middle East and attempting a breach of a U.S. healthcare provider. This evolution suggests that North Korean state-sponsored actors are increasingly functioning as affiliates for existing ransomware-as-a-service operations instead of relying solely on their own custom-built encryption tools.
Recent investigations by threat intelligence teams have uncovered a direct link between the notorious Lazarus Group and the Medusa ransomware strain, which first surfaced in 2023. This collaboration was evidenced by a successful attack on an organization in the Middle East and a failed attempt to compromise a medical facility within the United States. Medusa operates as a service model, meaning the North Korean hackers are likely working as affiliates for the cybercriminal group Spearwing, which manages the core malware.
The scope of these attacks is particularly concerning given the nature of the organizations targeted. Data from the Medusa leak site indicates that several American non-profits and healthcare entities have been victimized since late 2025, including a mental health organization and a school for children with autism. While it remains unclear whether North Korean operatives were behind every one of these specific incidents, the average ransom demand for victims during this period was approximately $260,000.
This shift toward using third-party ransomware is part of a broader trend among North Korean hacking clusters. Historically, groups like Andariel used bespoke malware families such as Maui or H0lyGh0st to lock down systems. However, as early as late 2024, these groups began experimenting with off-the-shelf lockers like Play ransomware. This transition allows the hackers to conduct more frequent attacks without the development overhead required for maintaining proprietary code.
Other North Korean units have demonstrated similar tactical changes over the past year. For instance, the group known as Moonstone Sleet previously utilized a unique ransomware family called FakePenny but was recently observed deploying the Qilin ransomware variant against financial institutions in South Korea. These observations confirm that multiple state-aligned groups are moving away from the “in-house” development model in favor of more established and reliable criminal infrastructure.
Security analysts believe these changes signal a significant tactical pivot intended to maximize financial gain while complicating the process of attribution. By operating as affiliates within the existing ransomware-as-a-service ecosystem, North Korean groups can leverage the sophisticated leak sites and negotiation platforms already built by other criminals. This strategy enables them to blend in with general cybercrime traffic, making it harder for defenders to distinguish state-sponsored financial theft from standard criminal extortion.
Source: Lazarus Group Targets U.S. And Middle East Healthcare With Medusa Ransomware