
Track cybersecurity events as they unfold. Sourced timelines. Filter, sort, and browse. Fast, privacy‑respecting. No invasive ads, no tracking.

Lazarus Group Linked to Medusa Ransomware Attacks on U.S. Healthcare

3 unique sources, 3 articles

Summary


North Korean state-backed operators tracked as the Lazarus Group are deploying Medusa ransomware against U.S. healthcare organizations and entities in the Middle East in financially motivated extortion attacks. The Medusa ransomware-as-a-service (RaaS) operation has impacted more than 366 organizations since its launch in 2023, and at least four further healthcare and non-profit organizations in the U.S. have been hit since November 2025. This is the first time Lazarus has been linked to Medusa, although the group has previously been associated with other ransomware strains. The toolset seen in these attacks mixes custom and commodity tools, some of which overlap with another North Korean group, Diamond Sleet.

The average ransom recorded in these attacks is $260,000, and the proceeds are reportedly used to fund espionage operations against the defense, technology and government sectors in the U.S., Taiwan and South Korea. Symantec has published indicators of compromise (IoCs) so defenders can hunt for and block the activity.

The Stonefly sub-group of Lazarus, also known as Andariel, has been involved in ransomware operations for the past five years. Rim Jong Hyok, an alleged Stonefly member, was indicted by the U.S. Justice Department over ransomware campaigns targeting U.S. hospitals and healthcare providers, and a $10 million reward has been offered for information about him.

Timeline

  1. 24.02.2026 13:52 2 articles

    Lazarus Group targets Middle East and U.S. healthcare with Medusa ransomware

    The article provides additional details on the Lazarus Group's use of Medusa ransomware, including the involvement of the Stonefly sub-group and the indictment of Rim Jong Hyok by the US Justice Department. It also details the tools used in recent campaigns and the impact of ransomware proceeds on espionage operations.

  2. 24.02.2026 13:00 3 articles

    Lazarus Group Linked to Medusa Ransomware Attacks on U.S. Healthcare

    The article confirms the involvement of the Lazarus Group in Medusa ransomware attacks, targeting U.S. healthcare organizations and entities in the Middle East. It also highlights the use of a toolset that includes both custom and commodity tools, some of which are linked to another North Korean group, Diamond Sleet. The average ransom recorded in these attacks is $260,000, which is reportedly used to fund espionage operations against defense, technology, and government sectors in the U.S., Taiwan, and South Korea.



Similar Happenings

New Vect RaaS Group Targets Organizations in Brazil and South Africa

A new ransomware-as-a-service (RaaS) group named Vect has emerged, targeting organizations in Brazil and South Africa. The group, which began recruiting affiliates in December 2025, uses custom-built C++ malware that encrypts with ChaCha20-Poly1305 AEAD and applies intermittent encryption (encrypting only selected portions of each file, a speed optimisation that also makes whole-file entropy checks less reliable). Vect operates with a high level of maturity, offering cross-platform ransomware for Windows, Linux and VMware ESXi, and employs strong operational security. The group has already claimed two victims and runs a double-extortion model. Its malware is notable for its speed and disruptive capability, and its infrastructure is hosted exclusively on Tor hidden services. Initial access is likely achieved through exposed RDP/VPN, stolen credentials, phishing or vulnerability exploitation.
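The intermittent-encryption pattern mentioned above, and the per-chunk entropy profile that exposes it, as an added example; this is not Vect's code and is not taken from the page's sources. The stream cipher is a pure-Python ChaCha20 block function following RFC 8439 with the Poly1305 tag omitted, so it is not the full AEAD mode attributed to Vect. The file contents, key, nonce, chunk size and the encrypt-every-third-chunk schedule are all constructed for the demonstration.

```python
"""Intermittent encryption with a ChaCha20 keystream, plus the per-chunk
entropy profile that reveals it.  Example added to this page; it is not Vect's
malware.  ChaCha20 follows RFC 8439 (no Poly1305 tag, so not the full AEAD
mode the group is reported to use); file contents, key, nonce, chunk size and
the encrypt-every-third-chunk schedule are constructed for the demonstration."""
import math
import struct

MASK32 = 0xFFFFFFFF


def _rotl(v, n):
    return ((v << n) & MASK32) | (v >> (32 - n))


def _quarter_round(s, a, b, c, d):
    # RFC 8439 section 2.1, operating in place on the 16-word state.
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl(s[b] ^ s[c], 7)


def chacha20_block(key, counter, nonce):
    """One 64-byte keystream block (RFC 8439 section 2.3): constants, 256-bit
    key, 32-bit block counter, 96-bit nonce, 20 rounds, then add the input."""
    state = ([0x61707865, 0x3320646E, 0x79622D32, 0x6B206574]
             + list(struct.unpack("<8L", key)) + [counter]
             + list(struct.unpack("<3L", nonce)))
    w = state[:]
    for _ in range(10):                      # 10 double rounds = 20 rounds
        _quarter_round(w, 0, 4, 8, 12); _quarter_round(w, 1, 5, 9, 13)
        _quarter_round(w, 2, 6, 10, 14); _quarter_round(w, 3, 7, 11, 15)
        _quarter_round(w, 0, 5, 10, 15); _quarter_round(w, 1, 6, 11, 12)
        _quarter_round(w, 2, 7, 8, 13); _quarter_round(w, 3, 4, 9, 14)
    return struct.pack("<16L", *[(x + y) & MASK32 for x, y in zip(w, state)])


def chacha20_xor(key, nonce, data, counter=1):
    """XOR data with the keystream starting at the given block counter.
    Encryption and decryption are the same operation."""
    out = bytearray()
    for i in range(0, len(data), 64):
        block = chacha20_block(key, counter + i // 64, nonce)
        out += bytes(p ^ k for p, k in zip(data[i:i + 64], block))
    return bytes(out)


def intermittent_encrypt(key, nonce, data, chunk=4096, every=3):
    """Encrypt chunks 0, every, 2*every, ... and leave the others untouched,
    which is how intermittent ransomware trades completeness for speed.
    The block counter is derived from the file offset, so every encrypted
    byte uses a unique keystream position (chunk must be a multiple of 64).
    Calling this again on the output decrypts it."""
    out = bytearray(data)
    for off in range(0, len(data), chunk):
        if (off // chunk) % every == 0:
            out[off:off + chunk] = chacha20_xor(
                key, nonce, data[off:off + chunk], counter=1 + off // 64)
    return bytes(out)


def shannon_entropy(buf):
    """Bits per byte: 8.0 is uniform random, English-like text is roughly 4-5."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def chunk_entropy_profile(buf, chunk=4096):
    return [shannon_entropy(buf[i:i + chunk]) for i in range(0, len(buf), chunk)]


def looks_intermittently_encrypted(buf, chunk=4096, high=7.5, low=6.0):
    """Flag a buffer whose chunk profile mixes near-random chunks with
    plaintext-like ones.  A single whole-file entropy score misses this."""
    profile = chunk_entropy_profile(buf, chunk)
    return any(e > high for e in profile) and any(e < low for e in profile)


# Constructed inputs: a fixed key/nonce for reproducibility (real samples use
# per-file random keys) and a 36 KiB "file" of repeated log-style text.
KEY = bytes(range(32))
NONCE = bytes(range(12))
DATA = (b"2026-02-24 13:52:00 INFO patient record export complete, 128 rows\n"
        * 600)[:9 * 4096]

if __name__ == "__main__":
    ct = intermittent_encrypt(KEY, NONCE, DATA)
    print("whole-file entropy: %.2f" % shannon_entropy(ct))
    print("chunk profile:", ["%.1f" % e for e in chunk_entropy_profile(ct)])
    print("intermittent?", looks_intermittently_encrypted(ct))
```

With only every third chunk encrypted, the whole-file entropy of the output stays well below the level a "fully encrypted file" heuristic keys on, while the chunk profile alternates between near-8 and plaintext-level values. That alternating profile, not a single file-level score, is the signal to detect on.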

Ransomware Evolution in 2025: Psychological Extortion and Targeted Attacks

In 2025, ransomware operations evolved significantly, shifting from mere file encryption to sophisticated extortion campaigns that leverage stolen data, legal liability, and psychological pressure. The decentralization of ransomware groups, combined with collaborative tactics, has made attribution and disruption more challenging. Threat actors now target SMBs in high-regulation regions, exploiting regulatory frameworks to amplify the impact of data leaks. The psychological manipulation in ransom notes has become more sophisticated, using tactics such as perceived omniscience, artificial time pressure, and legal fear to coerce victims into paying ransoms.

Ransomware payment rates decline to 23% in Q3 2025

Ransomware payment rates have dropped to 23% in Q3 2025, a new low. This decline is attributed to improved defenses and increased pressure from authorities not to pay. Ransomware groups are adapting by targeting medium-sized firms and focusing on data exfiltration. The average and median ransom payments also decreased to $377,000 and $140,000, respectively. The shift in payment rates and tactics reflects a broader trend of organizations strengthening their defenses and recognizing the value of investing in cybersecurity rather than paying ransoms. This trend is expected to continue as ransomware groups seek more profitable targets.

Velociraptor DFIR Tool Abused in LockBit and Babuk Ransomware Campaigns

Threat actors assessed to be the China-based group Storm-2603 have started using Velociraptor, an open-source digital forensics and incident response (DFIR) tool, in ransomware attacks that deploy LockBit and Babuk. The attackers installed an outdated Velociraptor release (version 0.73.4.0) affected by a privilege escalation vulnerability (CVE-2025-6264) to gain arbitrary command execution, persistent access and control over endpoints, including virtual machines. The campaign involved creating local administrator accounts, disabling security features, and using fileless PowerShell encryptors for data exfiltration and encryption. LockBit was deployed on Windows systems, while a Linux binary detected as Babuk was found on VMware ESXi hosts. The group also used Smbexec to launch programs remotely over SMB and modified Active Directory Group Policy Objects (GPOs) to disable real-time protection.

Sophos CTU researchers first documented Velociraptor abuse by Storm-2603 on August 5, 2025. The group's tooling developed over several months: it set up infrastructure for its AK47 C2 framework in March 2025 and built the first prototype the following month, pivoted from LockBit-only to dual LockBit/Warlock deployment in April 2025, used the ToolShell SharePoint exploit chain as a zero-day for initial access in July 2025, and deployed Warlock, LockBit and Babuk on VMware ESXi servers in August 2025. Storm-2603 has shown operational flexibility and builder expertise with leaked and open-source ransomware frameworks.

In a more recent breach, SmarterTools confirmed that the Warlock ransomware gang entered its network on January 29, 2026, through a single SmarterMail virtual machine (VM) that an employee had set up. The vulnerability exploited for access was CVE-2026-23760, an authentication bypass in SmarterMail before Build 9518 that allows resetting administrator passwords and obtaining full privileges. From that one VM the attackers moved laterally via Active Directory using Windows-centric tooling and persistence methods, and waited roughly a week after initial access before the final stage, encryption of every reachable machine. SentinelOne products reportedly stopped the final payload from encrypting, the affected systems were isolated, and data was restored from fresh backups. Tools used in the attack included Velociraptor, SimpleHelp and vulnerable versions of WinRAR, with startup items and scheduled tasks used for persistence. ReliaQuest reported that Storm-2603 chains CVE-2026-23760 access with the software's built-in 'Volume Mount' feature to gain full system control. ReliaQuest also observed probes for CVE-2026-24423, another SmarterMail flaw flagged by CISA as actively exploited by ransomware actors, although the primary vector was CVE-2026-23760.
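Detection logic for the tradecraft described above, as an added example that is not tooling from Sophos, ReliaQuest, SmarterTools or the Storm-2603 actors: it flags Defender real-time protection switched off through the policy registry path (where a GPO change lands on the host), an outdated Velociraptor client, services.exe spawning the cmd.exe /Q /c shells that Smbexec-style tools produce, and scheduled-task or Startup-folder persistence. The event records are constructed in the shape of Sysmon, Defender and Security-log events exported as JSON, and the Velociraptor version floor is an assumed placeholder, since the page names the vulnerable build but not the fixed one.

```python
"""Detection rules for the tradecraft described above, run over constructed
sample events.  Added example, not tooling from Sophos, ReliaQuest or
SmarterTools: it flags Defender real-time protection turned off through the
policy registry path (where a GPO change lands), an outdated Velociraptor
client, services.exe spawning the cmd.exe /Q /c shells that Smbexec-style
tools produce, and scheduled-task or Startup-folder persistence.  Events are
dicts shaped like Sysmon, Defender and Security-log records exported as JSON."""
import re

SYSMON = "Microsoft-Windows-Sysmon/Operational"
DEFENDER = "Microsoft-Windows-Windows Defender/Operational"
SECURITY = "Security"

# Assumption: Velociraptor builds below this floor are reported.  The page
# names 0.73.4.0 as affected by CVE-2025-6264 but not the fixed release, so
# this placeholder must be set from the vendor advisory.
MIN_VELOCIRAPTOR = (0, 73, 5, 0)

DEFENDER_POLICY_VALUE = (r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender"
                         r"\Real-Time Protection\DisableRealtimeMonitoring")
SMBEXEC_SHELL = re.compile(r"cmd\.exe[\"']?\s+/Q\s+/c\s", re.IGNORECASE)
USER_WRITABLE = re.compile(r"\\(Users\\Public|ProgramData|Temp|AppData\\Local\\Temp)\\",
                           re.IGNORECASE)
STARTUP_FOLDER = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
TASK_COMMAND = re.compile(r"<Command>(.*?)</Command>", re.IGNORECASE | re.DOTALL)


def parse_version(text):
    return tuple(int(p) for p in text.split("."))


def check(event):
    """Return (rule, detail) for the first rule the event matches, else None."""
    ch, eid = event.get("Channel"), event.get("EventID")
    if ch == SYSMON and eid == 13:                 # registry value set
        if (event.get("TargetObject", "").lower() == DEFENDER_POLICY_VALUE.lower()
                and event.get("Details", "").endswith("(0x00000001)")):
            return ("defender_rtp_disabled_by_policy", event.get("Image"))
    if ch == DEFENDER and eid == 5001:             # Defender: real-time protection off
        return ("defender_rtp_disabled", event.get("Message"))
    if ch == SYSMON and eid == 1:                  # process creation
        # Product comes from the binary's version resource, so a renamed
        # velociraptor.exe still matches.
        if event.get("Product", "").lower() == "velociraptor":
            if parse_version(event.get("FileVersion", "0")) < MIN_VELOCIRAPTOR:
                return ("velociraptor_outdated", event.get("FileVersion"))
        if (event.get("ParentImage", "").lower().endswith("\\services.exe")
                and SMBEXEC_SHELL.search(event.get("CommandLine", ""))):
            return ("smbexec_service_shell", event.get("CommandLine"))
    if ch == SYSMON and eid == 11:                 # file created
        if STARTUP_FOLDER.search(event.get("TargetFilename", "")):
            return ("startup_folder_persistence", event.get("TargetFilename"))
    if ch == SECURITY and eid == 4698:             # scheduled task created
        m = TASK_COMMAND.search(event.get("TaskContent", ""))
        if m and USER_WRITABLE.search(m.group(1)):
            return ("scheduled_task_user_writable_path", event.get("TaskName"))
    return None


def run(events):
    return [hit for hit in map(check, events) if hit]


SAMPLE_EVENTS = [  # constructed for this example, not real telemetry
    {"Channel": SYSMON, "EventID": 13, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": DEFENDER_POLICY_VALUE, "Details": "DWORD (0x00000001)"},
    {"Channel": DEFENDER, "EventID": 5001, "Message": "Real-time protection is disabled."},
    {"Channel": SYSMON, "EventID": 1, "Image": r"C:\ProgramData\svc\update.exe",
     "Product": "Velociraptor", "FileVersion": "0.73.4.0",
     "CommandLine": "update.exe --config client.yaml"},
    {"Channel": SYSMON, "EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": r"cmd.exe /Q /c echo whoami ^> \\127.0.0.1\C$\__output > %TEMP%\execute.bat & cmd.exe /Q /c %TEMP%\execute.bat"},
    {"Channel": SECURITY, "EventID": 4698, "TaskName": r"\Microsoft\Updater",
     "TaskContent": r"<Task><Actions><Exec><Command>C:\Users\Public\run.bat</Command></Exec></Actions></Task>"},
    {"Channel": SYSMON, "EventID": 11, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\helper.lnk"},
    # benign noise that must not fire: a current client and an interactive shell
    {"Channel": SYSMON, "EventID": 1, "Image": r"C:\Program Files\Velociraptor\velociraptor.exe",
     "Product": "Velociraptor", "FileVersion": "0.74.1.0",
     "CommandLine": "velociraptor.exe --config client.config.yaml client"},
    {"Channel": SYSMON, "EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "cmd.exe /c dir"},
]

if __name__ == "__main__":
    for rule, detail in run(SAMPLE_EVENTS):
        print(f"{rule}: {detail}")
```

Keying the Velociraptor rule on the Product field rather than the file name matters because the sample events above already show the client dropped under ProgramData with a generic name; the version resource survives renaming, the path does not. The Defender rule fires on the policy hive specifically, since that is the location a GPO-driven change writes to, and it is paired with Defender's own 5001 event so that either telemetry source alone is enough.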

North Korean Hackers Steal $2 Billion in Cryptocurrency in 2025

North Korean hackers have stolen approximately $2.02 billion in cryptocurrency in 2025, the highest annual total recorded. This theft is part of a broader campaign to fund nuclear weapons development. The largest single heist was the Bybit hack in February, which accounted for $1.5 billion. The tactics used by these hackers have evolved to include more sophisticated laundering techniques and a shift towards targeting individuals and exchange employees through social engineering. The 2025 total so far is triple last year’s figure and beats 2022’s record of $1.35bn, which came on the back of attacks against Ronin Network and Harmony Bridge. The total amount stolen by North Korean hackers since 2017 exceeds $6.75 billion. Other notable breaches include LND.fi, WOO X, Seedify, and BitoPro. The Lazarus Group stole an estimated $11 million from BitoPro. The actual stolen amount may be higher due to difficulties in attribution and unreported incidents. Recently, five individuals pleaded guilty to aiding North Korea's illicit revenue generation schemes, including remote IT worker fraud and cryptocurrency theft. The U.S. authorities seek the forfeiture of $15 million in cryptocurrency from heists carried out by the APT38 threat group, which is linked to the Lazarus hacking group.