North Korea-Linked Medusa Ransomware Targets US Healthcare: Rising Threats and Escalating Attacks

The cybersecurity landscape is witnessing a sharp uptick in ransomware activity, with North Korean state-backed hackers making headlines once again. The latest wave, powered by the Medusa ransomware, is striking at US healthcare institutions and select international targets, raising alarms over the continuing exploitation of critical sectors. Despite recent indictments and international pressure, these cyber actors remain relentless, leveraging sophisticated tools and ransomware-as-a-service (RaaS) platforms to infiltrate organizations and demand hefty ransoms.

Medusa Ransomware on the Rise

Medusa, operated by the Spearwing cybercrime group, surfaced in 2023 as a RaaS platform, enabling affiliates to deploy ransomware in exchange for a share of the ransom. Since its launch, Medusa has been involved in over 366 confirmed incidents. According to Symantec and Carbon Black Threat Hunter Team researchers, the malware was recently deployed against a Middle Eastern target, and an attempted breach of a US healthcare organization was detected but unsuccessful.

Analysis of Medusa’s leak site shows that at least four US healthcare and non-profit entities, including a mental health nonprofit and a school serving autistic children, were listed as victims since November 2025. Ransom demands during this period averaged around $260,000, highlighting the high stakes involved in these attacks.

Ties to the Lazarus Group

Investigators broadly link the Medusa campaigns to the Lazarus Group, a North Korean state-sponsored cyber umbrella organization. The specific sub-groups responsible remain unclear, but Stonefly (also known as Andariel) has been central to ransomware operations over the past five years. Initially considered focused solely on espionage, Stonefly’s pivot to financially motivated attacks became public in July 2025 following the US Justice Department’s indictment of Rim Jong Hyok, allegedly affiliated with North Korea’s Reconnaissance General Bureau (RGB). Authorities offered a $10 million reward for information about him.

The indictment revealed that ransomware proceeds were funneled into espionage operations targeting defense, technology, and government entities in the US, Taiwan, and South Korea. Even after the indictment, three US organizations faced intrusion attempts in October 2024, underscoring that North Korean cyber operations continue unabated.

Tools Behind Recent Campaigns

The latest campaigns are marked by a diverse arsenal of malware and utilities, including:

Blindingcan: Remote access Trojan

ChromeStealer: Credential-stealing tool

Curl: Command-line utility used for automation

Infohook: Data-stealing malware

RP_Proxy: Custom proxy tool

While these tactics mirror prior Stonefly operations, researchers caution that these tools are not exclusive to one sub-group, making attribution challenging. Symantec noted, “The switch to Medusa demonstrates that North Korea’s rapacious involvement in cybercrime continues unabated. North Korean actors appear to have few scruples about targeting organizations in the US.”

Unlike some cybercrime outfits that avoid healthcare targets due to reputational risk, Lazarus appears unconstrained, willing to target the most sensitive sectors without hesitation.

What Undercode Says:

Medusa ransomware’s rise highlights a worrying evolution in North Korea’s cyber strategy. Originally known for espionage-focused operations, sub-groups like Stonefly are increasingly monetizing attacks to fund their intelligence campaigns. This dual approach—financial gain and strategic espionage—demonstrates a sophisticated and resilient cyber ecosystem, capable of adapting quickly to law enforcement interventions.

The targeting of healthcare and non-profit sectors is particularly concerning. These organizations often hold sensitive patient data and lack advanced cybersecurity defenses, making them prime targets for ransomware. The average ransom demand of $260,000 signals a calculated effort to exploit organizations with limited budgets while maximizing financial return.

North Korea’s continued use of RaaS platforms like Medusa indicates a growing decentralization of their cyber operations. Affiliates can now deploy malware independently, amplifying attack volumes while obscuring state involvement. This not only complicates attribution but also sharply increases the risk to US critical infrastructure.

The combination of sophisticated malware tools—Blindingcan, ChromeStealer, Infohook, and RP_Proxy—reflects a tactical shift. These tools are versatile, enabling reconnaissance, credential theft, and persistence within networks, which supports both short-term financial objectives and long-term intelligence-gathering goals.

Furthermore, the international dimension, with attempted attacks in the Middle East, underscores the global scope of Lazarus operations. This demonstrates a strategic patience and willingness to exploit vulnerabilities wherever they exist, signaling that no region is immune.

The indictment of Rim Jong Hyok and the $10 million bounty suggest an increased focus by US authorities on individual accountability. However, the ongoing attacks indicate that North Korean cyber campaigns are resilient and highly organized, capable of continuing even when key operatives are publicly targeted.

Healthcare organizations must consider this a wake-up call. Beyond traditional ransomware defenses, a proactive, multi-layered security posture is essential, including real-time threat hunting, endpoint detection, and rapid incident response capabilities. Awareness and preparedness remain the best defense against a threat actor that shows little hesitation in targeting critical and sensitive sectors.

Fact Checker Results:

✅ Medusa ransomware has been involved in over 366 incidents since 2023, according to Symantec and Carbon Black.
✅ Lazarus Group and its sub-group Stonefly have confirmed ties to North Korean state-backed ransomware campaigns.
✅ US healthcare and non-profit organizations were targeted, with ransom demands averaging $260,000.

Prediction:

🚨 The Medusa ransomware threat will likely intensify in 2026, with North Korean-backed groups expanding both in scope and sophistication. Healthcare and educational institutions will remain high-value targets, while RaaS platforms may enable smaller affiliates to launch attacks globally. Organizations ignoring proactive cybersecurity measures risk severe financial and operational impacts.


References:

Reported By: www.infosecurity-magazine.com
