
    North Korean state hackers seen using Medusa ransomware in attacks on US, Middle East

    Hackers tied to one of North Korea’s most sophisticated state-backed groups have been seen deploying Medusa ransomware in financially-motivated attacks on at least two institutions. 

    Cybersecurity experts at Symantec said they saw Medusa attacks launched by members of Lazarus — a well-known North Korean hacking operation housed within the country’s military — against a company in the Middle East and a healthcare organization in the U.S. 

    Medusa is operated on the ransomware-as-a-service model, where affiliates can launch attacks using the malware and offer the ransomware’s developers a percentage of the ransom payment. The group emerged in 2023 and has since launched more than 350 attacks, with experts tying them to a larger cybercrime group known as Spearwing. 

    Dick O’Brien, principal intelligence analyst at Symantec, noted that North Korean actors were previously seen using ransomware strains like Maui and Play, but this is the first time they had been tracked using Medusa. 

    “Maui was reportedly developed by Lazarus themselves, but more recently they seem to have shifted to using ransomware-as-a-service offerings instead,” he said.

    U.S. law enforcement agencies raised alarms about North Korea’s use of the Maui ransomware in 2022, warning that the hackers were using it to target U.S. hospitals and healthcare companies.

    In 2024, a federal arrest warrant was issued for Rim Jong Hyok, an alleged member of the Andariel Unit within the country’s intelligence agency, the Reconnaissance General Bureau (RGB).

    Rim was identified by several U.S. military agencies as the culprit behind several ransomware attacks using the Maui strain that were conducted in 2021 and 2022. At least one of the attacks targeted a hospital in Kansas, where the warrant for Rim’s arrest was issued. The attacks encrypted computers and servers used for medical testing or electronic medical records and disrupted healthcare services at facilities in Kansas, Colorado and other states.

    The FBI said investigators found that Rim and other Andariel actors victimized five healthcare providers, four U.S.-based defense contractors, two U.S. Air Force bases, and the National Aeronautics and Space Administration’s Office of Inspector General. 

    U.S. agencies said Rim used the ransoms from the attacks to buy servers that were then used in other cyber espionage hacks against government organizations and customers in the U.S., South Korea and China.

    The State Department also offered a reward of $10 million for information about Rim, who the U.S. government said was last known to be in North Korea. 

    O’Brien said they could not confirm it but believed the recent ransomware attacks using Medusa were also launched by Andariel, which law enforcement agencies have said is a subgroup within Lazarus. 

    Symantec said that after the indictment it saw North Korean members of Andariel launch three other financially-motivated attacks in October 2024 on organizations in the U.S., although no ransomware was successfully deployed. That same month, another cybersecurity firm said it saw North Korean actors using the Play ransomware in attacks.

    Symantec was able to attribute the most recent Medusa attacks to North Korea because of custom tools used exclusively by Lazarus, including a backdoor, other malware and a Chrome browser password extractor. 

    The report comes after multiple cybersecurity companies warned over the past two years that there is increasing coordination between nation-states and cybercriminals.

    Nation-state groups from Russia, China, North Korea and Iran that were typically involved in espionage or disinformation operations are now deploying ransomware as a way to gain financially from their offensive cyber operations or to provide cover for other cyber objectives. 

    Multiple ransomware gangs openly backed Russia at the onset of the Ukraine invasion and Google found former members of the notorious Conti ransomware group repurposed many of their tools for attacks on Ukrainian organizations.

    In several cases, ransomware has been used as a cover for Chinese espionage activity. Law enforcement agencies have also seen instances of Iranian government hackers using their official access to later launch financially-motivated attacks, an effort to double-dip and moonlight as cybercriminals by monetizing their hacking skills.

    The FBI previously said it witnessed Iranian actors partnering with affiliates of the NoEscape, Ransomhouse and AlphV ransomware operations — eventually taking a percentage of ransom payments. 


    Jonathan Greig

    is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.
