Thursday, February 25, 2026

A recent report from Symantec’s Threat Hunter Team and Carbon Black highlights a concerning shift in tactics by the state-sponsored Lazarus Group. The group, historically known for cyber espionage operations, is increasingly focusing on financial gain by deploying the Medusa ransomware against healthcare and social service organizations worldwide. By collaborating within a Ransomware-as-a-Service (RaaS) ecosystem, Lazarus is able to disguise its operations as those of ordinary cybercriminal gangs, making attribution and law enforcement response significantly more challenging.
Lazarus’ attack chain is methodical and multi-staged. The Medusa ransomware payload is deployed only in the final phase, after full control of the target network has been established. The attackers first disable security defenses using specialized tools, then deploy backdoors such as Blindingcan to maintain long-term persistence. Credential theft tools are used to harvest passwords, and sensitive data is identified and exfiltrated to attacker-controlled servers. Listings on the Medusa leak site reveal numerous victims whose stolen data has been published or held for ransom, ranging from transportation companies to local government entities. Reported ransom demands vary from hundreds of thousands to several million U.S. dollars.
Particularly alarming is the group’s focus on socially vulnerable institutions, including mental health centers and schools for children with special needs. Cybersecurity experts describe this as a ruthless strategy that leverages “emotional pressure” to force victims into paying quickly. The average ransom demand is reportedly around $260,000, an amount small enough that many smaller organizations may feel compelled to pay in order to restore operations. This development signals that even smaller entities, once considered unlikely targets for state-linked threat actors, must urgently strengthen their cybersecurity posture. The line between state-sponsored espionage and financially motivated cyber extortion is increasingly blurred.
Source: https://hackread.com/north-korean-lazarus-group-medusa-ransomware/
