A state-sponsored hacking group linked to North Korea has been observed using a new ransomware variant in attacks against organizations in the Middle East and the United States. The Lazarus Group, also tracked as Diamond Sleet, employed Medusa ransomware in a successful breach of an unnamed entity in the Middle East, according to a joint report from the Symantec and Carbon Black Threat Hunter Team, part of Broadcom’s threat intelligence division.
The same report indicates the group attempted, but failed, to deploy the ransomware against a healthcare organization in the U.S. This activity underscores the group’s continued expansion of its cybercrime toolkit beyond its traditional focus on cryptocurrency theft and espionage.
Expanding Criminal Arsenal
For years, the Lazarus Group has been a primary cyber threat actor for the Democratic People’s Republic of Korea (DPRK), heavily involved in financial theft to fund the regime. Their operations have famously included the 2014 Sony Pictures hack, the 2017 WannaCry ransomware outbreak, and numerous attacks on cryptocurrency exchanges. The adoption of Medusa ransomware represents a tactical shift: rather than relying on its own tooling, the group is operating inside a conventional affiliate-style extortion model built by other criminals.
Medusa is a ransomware-as-a-service (RaaS) operation that has been active since 2021. It allows affiliates to use its malware in exchange for a share of the ransom payments. The ransomware is known for its double-extortion tactics, where attackers steal sensitive data before encrypting files. They then threaten to publish the stolen information if the ransom is not paid.
Technical Details and Attribution
Analysts from Broadcom’s team identified several technical links between the recent attacks and known Lazarus infrastructure and tools. The attackers used bespoke malware loaders, small programs that quietly stage and execute further malicious payloads, which have previously been associated exclusively with the group. Furthermore, command and control servers used in the campaign were linked to previous Lazarus operations.
The use of a ransomware offered openly to affiliates, as Medusa is, is a notable development. It suggests the group is willing to leverage tools developed by other cybercriminals to achieve its goals, potentially increasing the speed and scale of its attacks while making attribution on the basis of the ransomware alone unreliable. Security researchers note this blurs the lines between nation-state activity and organized cybercrime.
Implications for Global Cybersecurity
The targeting of a healthcare organization in the U.S., even if unsuccessful, raises significant concerns. The healthcare sector is often considered critical infrastructure and is a frequent target for ransomware gangs due to the sensitive nature of its data and the urgent need for operational continuity. An attack on such a facility can have direct consequences for patient safety.
The incident in the Middle East highlights the group’s global reach. While the identity of the victim was not disclosed, entities in the region have historically been targets for espionage and disruptive cyber operations linked to various state actors. That encryption succeeded means the intrusion was neither detected nor blocked at the earlier stages of initial access and loader deployment, the points at which defenders usually have the best chance to intervene.
Official Responses and Mitigation
Cybersecurity agencies, including the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the FBI, have repeatedly issued advisories on ransomware threats and the tactics of North Korean state-sponsored actors. These agencies recommend robust defense strategies, including network segmentation, regular offline backups, prompt patching of software vulnerabilities, and user training to recognize phishing attempts, a common initial attack vector.
Organizations are advised to treat any ransomware incident as a potential data breach, given the prevalence of data theft prior to encryption. Engaging with law enforcement early in an incident is also a standard recommendation.
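Because Medusa steals data before encrypting, as described above, the exfiltration stage is the last point at which a defender can act before files are lost. The following script, an added example that is not part of the Symantec/Carbon Black report or of any vendor tooling, shows one simple detection for that stage: it sums each host's outbound bytes to non-internal addresses per day and flags a host whose daily egress both exceeds an absolute floor and jumps well above its own median on earlier days. The flow-record format, the internal address ranges, the thresholds and the sample records are all assumptions constructed for the example; the external addresses use documentation ranges as placeholders.

```python
"""Flag hosts whose daily egress to non-internal addresses spikes against
their own baseline, a signal for the data-theft stage of double extortion.

Added example: the log format, thresholds and internal ranges are assumptions.
"""
from __future__ import annotations

import ipaddress
import statistics
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample flow records ("timestamp src dst bytes_out"), not real telemetry.
# 10.1.4.22 sends a few hundred KB a day, then ~20 GB in the early hours of 05-04.
SAMPLE_FLOWS = """\
2024-05-01T09:00:00Z 10.1.4.22 10.1.4.5 120000
2024-05-01T09:05:00Z 10.1.4.22 203.0.113.10 800000
2024-05-01T10:00:00Z 10.1.4.23 203.0.113.10 600000
2024-05-02T09:05:00Z 10.1.4.22 203.0.113.10 900000
2024-05-02T10:00:00Z 10.1.4.23 203.0.113.10 500000
2024-05-03T09:05:00Z 10.1.4.22 203.0.113.10 700000
2024-05-03T10:00:00Z 10.1.4.23 203.0.113.10 650000
2024-05-04T02:10:00Z 10.1.4.22 198.51.100.7 9000000000
2024-05-04T02:40:00Z 10.1.4.22 198.51.100.7 11000000000
2024-05-04T10:00:00Z 10.1.4.23 203.0.113.10 550000
"""

# Assumed corporate address space; anything outside it counts as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Tunables (assumptions): a host is flagged only when its daily external egress
# exceeds both an absolute floor and SPIKE_RATIO times its median on earlier days.
ABSOLUTE_FLOOR_BYTES = 1 * 1024 ** 3  # 1 GiB
SPIKE_RATIO = 10.0


@dataclass(frozen=True)
class Alert:
    host: str
    day: str
    bytes_out: int
    baseline: int  # median daily egress on earlier days; 0 when the host has no history


def is_external(ip: str) -> bool:
    """True when the address lies outside the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def daily_egress(log_text: str) -> dict[str, dict[str, int]]:
    """Sum bytes sent to external destinations per source host per UTC day."""
    totals: dict[str, dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, nbytes = line.split()
        if is_external(dst):
            totals[src][ts[:10]] += int(nbytes)  # ts[:10] is the YYYY-MM-DD part
    return totals


def detect_exfiltration(log_text: str) -> list[Alert]:
    """Return alerts for (host, day) pairs whose egress looks like bulk data theft."""
    alerts: list[Alert] = []
    for host, per_day in daily_egress(log_text).items():
        days = sorted(per_day)
        for i, day in enumerate(days):
            prior = [per_day[d] for d in days[:i]]
            baseline = int(statistics.median(prior)) if prior else 0
            total = per_day[day]
            if total < ABSOLUTE_FLOOR_BYTES:
                continue  # small volumes are never interesting, whatever the ratio
            if prior and total < SPIKE_RATIO * baseline:
                continue  # large but in line with this host's own history
            alerts.append(Alert(host, day, total, baseline))
    return sorted(alerts, key=lambda a: (a.day, a.host))


if __name__ == "__main__":
    for a in detect_exfiltration(SAMPLE_FLOWS):
        print(f"{a.day} {a.host}: {a.bytes_out:,} bytes out (baseline {a.baseline:,})")
```

On the sample, only 10.1.4.22 on 2024-05-04 is flagged; a host with no history is judged on the absolute floor alone. Volume baselining is deliberately crude: legitimate cloud backups and large uploads will trip it, so in practice the destination should be checked against an allow-list of sanctioned storage endpoints, and the signal is best combined with the loader and command-and-control indicators the report describes rather than used on its own.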
Looking ahead, security analysts expect the Lazarus Group and affiliated threat actors to continue refining their ransomware operations. The financial success of such campaigns, combined with the relative anonymity of cryptocurrency payments, provides a powerful incentive. The cybersecurity community is monitoring for further adoption of RaaS platforms by nation-state groups and an increase in cross-over tactics between different threat actor categories. Continued international cooperation and public-private information sharing are considered vital to disrupting these financially motivated, state-aligned operations.
Source: Symantec Threat Hunter Team Report