In recent months, the cyber threat from the North Korean state has taken a particularly worrying turn: a subgroup linked to the well-known Lazarus collective has begun to use the Medusa ransomware against health organizations in the United States, in operations whose main objective is financial extortion. This news not only confirms the continuity of North Korean-linked criminal campaigns, but also shows how these actors mix sophisticated techniques with public tools and "ransomware as a service" (RaaS) offerings to maximize their impact.
Medusa is not a new family: it appeared as a RaaS operation in early 2021 and has since compromised hundreds of organizations in critical sectors. What matters now is that security researchers have identified technical and tactical overlaps pointing to the participation of a group under the Lazarus umbrella, with possible connections to subgroups known in the community as Andariel or Stonefly, in attacks directed at health providers in the United States. If you want to read the technical report of the analysts who document these overlaps, you can review the entry published by Symantec on their company blog: Symantec Enterprise Blogs.

Researchers note that, along with the use of Medusa, the attackers rely on a mix of utilities and backdoors: from browser credential stealers and credential-dumping tools to remote access malware and custom proxies. Although many of these pieces are "commodity" tools, that is, publicly available or reused by many groups, the combination and the order in which they are used help analysts draw relationships between incidents and attribute activity with greater confidence.
The financial impact also follows a pattern. Medusa operations have recorded average ransom payments of around $260,000, a significant figure when considering the scale and frequency of the intrusions. Several previous government investigations and actions have documented how the proceeds of illicit cyber operations have been used to finance North Korean state activities, making these campaigns more than just economic crimes: they are sources of funding with possible geopolitical implications.
But beyond money, what concerns the security community and hospital administrators is the deliberate choice of target. Health care is a critical sector where disruption can put lives at risk; however, analysts stress that these groups show no scruples about attacking hospitals or other sensitive services, even though such targets often generate intense public rejection. In the researchers' words, the transition to extortion tools like Medusa shows that the involvement of North Korean actors in cybercrime remains intense and with few ethical barriers.
If you are looking for accessible media coverage of this discovery, specialized media have published summaries that link to the original technical work and provide context about the victims and the evolution of Medusa: for example, you can see the note published in BleepingComputer: BleepingComputer on Lazarus and Medusa.

At the practical level, response team reports insist that organizations review the indicators of compromise (IoCs) and detection procedures published by vendors and government bodies, because early detection can prevent the encryption phase and the resulting data loss. Agencies such as CISA offer general guides and resources on how to prepare for ransomware and respond to incidents; they are good references for operations teams and security officers: CISA - Ransomware. In addition, the FBI maintains material and recommendations on the ransomware threat on its site: FBI - Ransomware.
This new phase of state-backed criminal activity leaves several clear lessons for the health sector and for any critical organization. The first is that exposure does not depend only on being "a technology company": health institutions live with networks of suppliers, connected medical devices and personnel handling sensitive information, all of which extends the attack surface. The second lesson is that the mix of commercial tools and publicly available code with custom developments makes attribution difficult, but not impossible; careful correlation of telemetry is what allows intelligence teams to link campaigns to specific actors.
In short, we are facing a scenario in which state-backed actors use the cybercrime business model, ransomware in RaaS mode, to obtain resources, diversify their arsenal and maintain pressure on sectors that could previously be considered "untouchable" for reputational reasons. The recommendation for any security officer is not to underestimate the threat: update asset inventories, strengthen access controls, validate backups and work with intelligence teams to incorporate IoCs and detection rules into the defences. Technical reports such as those published by detection and response teams, and advisories from national agencies, should be used as an operational road map to reduce the exposure window and the potential damage.