Free Republic


North Korea's Lazarus Group targets healthcare orgs with Medusa ransomware
The Register | Tue 24 Feb 2026 | Jessica Lyons

Posted on 02/24/2026 5:35:48 PM PST by nickcarraway

New ransomware of choice, same critical targets

North Korea’s Lazarus Group appears to have added another tool to its kit. It has begun using Medusa ransomware in extortion attacks targeting at least one US healthcare organization and an unnamed victim in the Middle East, according to Symantec and Carbon Black threat hunters.

The US healthcare attempt failed, while the Middle East organization was hit with the Medusa strain, the researchers said.

Of the nearly 30 victim organizations listed on the Medusa data-leak site since November 2025, four are healthcare and nonprofit organizations in the US, including a mental health nonprofit and an educational facility for autistic children.

"It is unknown if all these victims were targeted by North Korean operatives or if other Medusa affiliates were responsible for some of these attacks," the security sleuths said in a Tuesday report, noting that the ransom demand over the four-month period averaged $260,000.

Medusa, a ransomware-as-a-service operation run by the Spearwing cybercrime group, has been around since 2023. Affiliates use Medusa's ransomware variants and infrastructure in exchange for a percentage of the extortion payments, and more than 366 attacks have been claimed by Medusa affiliates during its three-year run. Many of these victims operate in critical sectors including medical, education, legal, insurance, technology, and manufacturing, according to a March 2025 security alert from the FBI and the US Cybersecurity and Infrastructure Security Agency (CISA).

Lazarus Group is an umbrella term for North Korean state-sponsored offensive cyber operations that include cryptocurrency theft, extortion attacks, and IT worker scams. It's probably best known for the 2014 Sony Pictures hack and 2017's WannaCry ransomware attack.

One of Lazarus' most prolific subgroups is Andariel (aka Stonefly, Onyx Sleet, and Silent Chollima), which acts as the cyber-arm of North Korea's military intelligence agency, the Reconnaissance General Bureau (RGB). Andariel has previously used Maui and Play ransomware in its intrusions.

The US issued sanctions against Andariel and Lazarus Group in 2019, and in July also sanctioned an alleged member of Andariel, 38-year-old Song Kum Hyok, a North Korean accused of attempting to hack the Treasury Department and posing as an IT worker to collect revenue and secret data for Pyongyang.

A year prior, in July 2024, the US Justice Department charged Rim Jong Hyok, a North Korean national and another alleged Andariel member, for his involvement in a series of ransomware attacks on US hospitals and healthcare providers, defense companies, NASA, and even a Chinese target.

None of these efforts, however, has stopped the criminals from pilfering virtual wallets to pad Kim Jong Un's coffers.

The Tuesday report says that the most recent Medusa ransomware attacks are "undoubtedly the work of Lazarus." However, the threat hunters can't definitively say which subgroup is responsible.

"While the TTPs – extortion attacks against the U.S. healthcare sector – are like previous Stonefly attacks, the malware tools used are not exclusive to Stonefly," they wrote. "For example, the Comebacker backdoor has previously been reported to be associated with the Pompilus group (aka Diamond Sleet)."

In its report, the security shop included a long list of file indicators for Medusa ransomware, a custom backdoor and loader called Comebacker that's exclusively associated with Lazarus, a remote access trojan called Blindingcan that's associated with Lazarus, and other malware and suspicious files observed in these campaigns.

"The switch to Medusa demonstrates that North Korea's rapacious involvement in cybercrime continues unabated," the security analysts said.


TOPICS: Business/Economy; Crime/Corruption; Foreign Affairs; News/Current Events
KEYWORDS: computing; hacking; healthcare; malware; northkorea; ransomware




To: nickcarraway

Makers and users of Ransomware need to be taken out back and shot.


2 posted on 02/24/2026 5:40:02 PM PST by ShadowAce (Linux - The Ultimate Windows Service Pack)
