Analysis of Lazarus Group Activity Involving Medusa Ransomware

Research identifies a new collaboration between North Korean state-sponsored actors and the Medusa ransomware operation. This analysis covers the technical indicators, attribution challenges, and defensive considerations for organizations in critical sectors.

Triage Security Media Team

New findings from the Symantec and Carbon Black threat hunter team indicate that the Lazarus Group, a North Korean state-sponsored actor, has begun utilizing Medusa ransomware in its operations. Recent activity identified by researchers includes the deployment of Medusa against an organization in the Middle East and an attempted intrusion affecting a healthcare entity in the United States.

This development highlights a continued trend where state-affiliated groups engage in financially motivated activity alongside traditional espionage. The target in the Middle East was identified as a large commercial enterprise without apparent strategic intelligence value, suggesting the primary objective was revenue generation.

The Medusa ransomware operation transitioned to a Ransomware-as-a-Service (RaaS) model in 2024, expanding its reach by allowing affiliate groups to utilize its infrastructure. This model appears to suit the Lazarus Group, which has a documented history of targeting critical infrastructure and engaging in cryptocurrency theft.

Attribution and Subgroup Indicators

Determining the specific unit within the Lazarus collective responsible for these incidents presents a challenge due to mixed technical indicators. The observed tactics, techniques, and procedures (TTPs) align closely with a subgroup tracked as Stonefly (also known as Andariel), which has previously targeted the energy and healthcare sectors.

However, the malware toolset deployed in these incidents introduces ambiguity. Researchers identified the use of "Comebacker," a backdoor and loader previously associated with a different Lazarus subgroup known as Diamond Sleet (or Zinc). This blending of TTPs from Stonefly and tools linked to Diamond Sleet confirms the activity originates from the broader North Korean state apparatus, though the precise operating unit remains difficult to isolate.

Technical Analysis and Toolset

In addition to the Medusa ransomware payload, the analysis revealed a suite of tools consistent with Lazarus Group methodologies. The threat actors deployed Blindingcan, a remote access tool (RAT) frequently linked to North Korean activity, and Infohook, an information stealer.

Notable by its absence was the use of specific defense evasion techniques often associated with Medusa affiliates. The Medusa operation is known for employing the "Bring Your Own Vulnerable Driver" (BYOVD) technique, where operators introduce legitimate but vulnerable drivers to disable endpoint detection and response (EDR) solutions.

Dick O’Brien, principal intelligence analyst for the threat hunter team, noted that while Medusa affiliates often use EDR-disabling tools, the researchers did not observe evidence of vulnerable drivers or similar evasion tools in these specific Lazarus-led incidents.

Defensive Considerations

Despite the absence of BYOVD in this specific campaign, security teams should remain aware of the capability within the broader Medusa ecosystem. Effective defense against this technique involves strictly monitoring for privilege escalation attempts, which are required to install drivers, and maintaining blocklists for known vulnerable drivers.

The continued focus on healthcare and critical infrastructure by financially motivated state actors emphasizes the need for strong segmentation and monitoring. Indicators of compromise (IOCs), including file hashes for the identified malware and associated network indicators, are available in the Symantec protection bulletin to assist organizations in updating their detection logic.
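The two defensive points above, a vulnerable-driver blocklist and hash-based IOC matching, come down to the same check: compare each driver load on a host against a list of known-bad SHA-256 values and flag anything unsigned. The following Python script is an added illustration of that check and is not code from the article, from Symantec, or from any vendor. It consumes records shaped like Sysmon Event ID 6 ("Driver loaded", with its real field names `ImageLoaded`, `Hashes`, `Signed` and `SignatureStatus`), but every record, path, signer and hash below is constructed sample data, not a real IOC; a production version would load the blocklist from a vendor bulletin or Microsoft's recommended driver block rules.

```python
"""Triage driver-load events against a vulnerable-driver blocklist.

Added example (not from the article or any vendor). Sysmon Event ID 6 field
names are real; all records, hashes and signer names are constructed.
"""
from dataclasses import dataclass
import hashlib

# Constructed placeholder hashes. A real blocklist would be populated from a
# vulnerable-driver feed or an IOC bulletin, never from labels like these.
VULN_A = hashlib.sha256(b"constructed-vulnerable-driver-A").hexdigest()
VULN_B = hashlib.sha256(b"constructed-vulnerable-driver-B").hexdigest()
BENIGN = hashlib.sha256(b"constructed-benign-driver").hexdigest()
UNSIGNED = hashlib.sha256(b"constructed-unsigned-driver").hexdigest()

VULNERABLE_DRIVER_SHA256 = {
    VULN_A: "sample vulnerable driver A (constructed)",
    VULN_B: "sample vulnerable driver B (constructed)",
}

# Constructed records mimicking Sysmon Event ID 6. The second one is the BYOVD
# case: a validly signed vendor driver that is nonetheless on the blocklist.
SAMPLE_EVENTS = [
    {"UtcTime": "2024-05-01 10:00:00.000",
     "ImageLoaded": r"C:\Windows\System32\drivers\tcpip.sys",
     "Hashes": f"SHA256={BENIGN}",
     "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    {"UtcTime": "2024-05-01 10:05:12.000",
     "ImageLoaded": r"C:\Users\Public\vulndrv.sys",
     "Hashes": f"MD5=0123456789ABCDEF0123456789ABCDEF,SHA256={VULN_A}",
     "Signed": "true", "Signature": "Example Hardware Vendor (constructed)",
     "SignatureStatus": "Valid"},
    {"UtcTime": "2024-05-01 10:06:40.000",
     "ImageLoaded": r"C:\Windows\Temp\drop.sys",
     "Hashes": f"SHA256={UNSIGNED}",
     "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable"},
]


@dataclass
class DriverLoad:
    utc_time: str
    image: str
    sha256: str
    signed: bool
    signature_status: str


def parse_hashes(field: str) -> dict:
    """Split Sysmon's 'ALG=hex,ALG=hex' Hashes field into {ALG: hex-lowercase}."""
    out = {}
    for part in field.split(","):
        if "=" in part:
            alg, value = part.split("=", 1)
            out[alg.strip().upper()] = value.strip().lower()
    return out


def parse_event(event: dict) -> DriverLoad:
    hashes = parse_hashes(event.get("Hashes", ""))
    return DriverLoad(
        utc_time=event.get("UtcTime", ""),
        image=event.get("ImageLoaded", ""),
        sha256=hashes.get("SHA256", ""),
        signed=event.get("Signed", "false").lower() == "true",
        signature_status=event.get("SignatureStatus", ""),
    )


def assess(load: DriverLoad, blocklist: dict) -> list:
    """Return a list of findings; empty means nothing worth raising."""
    findings = []
    # A BYOVD driver carries a valid vendor signature, so the hash match is
    # the only thing that catches it; signing checks alone would pass it.
    if load.sha256 in blocklist:
        findings.append(f"blocklisted driver: {blocklist[load.sha256]}")
    if not load.signed:
        findings.append("unsigned driver")
    elif load.signature_status.lower() != "valid":
        findings.append(f"signature status {load.signature_status}")
    return findings


def triage(events, blocklist=None) -> list:
    """Return (time, image, findings) for every event that produced findings."""
    blocklist = VULNERABLE_DRIVER_SHA256 if blocklist is None else blocklist
    alerts = []
    for event in events:
        load = parse_event(event)
        findings = assess(load, blocklist)
        if findings:
            alerts.append((load.utc_time, load.image, findings))
    return alerts


if __name__ == "__main__":
    for when, image, findings in triage(SAMPLE_EVENTS):
        print(when, image, "; ".join(findings))
```

Hash comparison is case-normalised because Sysmon emits uppercase hex while most published IOC lists use lowercase. The privilege-escalation monitoring the article also recommends is a separate signal (driver installation needs administrative rights) and would be correlated with these alerts in the SIEM rather than in this script.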