Overview
- Symantec and the Carbon Black Threat Hunter Team linked recent Medusa-based extortion activity to North Korea’s Lazarus umbrella after analyzing multi-stage intrusions.
- Investigators observed a successful Medusa deployment against a victim in the Middle East and an unsuccessful attempt against a U.S. healthcare organization.
- Medusa’s leak site has listed four U.S. healthcare and nonprofit victims since November 2025, including a mental-health nonprofit and a school for autistic children, with average ransom demands around $260,000.
- The campaigns combine Lazarus-associated tools such as Comebacker, Blindingcan, Infohook, and RP_Proxy with commodity utilities like Mimikatz, ChromeStealer, and Curl.
- Medusa operates as a ransomware-as-a-service run by the Spearwing group, with more than 366 claimed attacks since 2023, while attribution to a specific Lazarus subgroup remains unresolved despite overlaps with Andariel/Stonefly and Diamond Sleet.