According to a new report by the Symantec and Carbon Black Threat Hunter Team, the Medusa ransomware was used in an attack against an unidentified entity in the Middle East by the North Korea-affiliated Lazarus Group (also known as Diamond Sleet and Pompilus). The same threat actors, according to Broadcom's threat intelligence division, were also responsible for an unsuccessful attack against a U.S. healthcare organization.

In 2023, the cybercrime collective Spearwing launched the ransomware-as-a-service (RaaS) operation Medusa. To date, the group has claimed over 366 attacks. Among the victims were an educational institution for children with autism and a non-profit in the mental health field.

It is unclear whether North Korean agents specifically targeted each of these victims or whether some of these attacks were carried out by other Medusa affiliates. During that time, the average ransom demand was $260,000.

There is precedent for North Korean hacker groups using ransomware. Back in 2021, a Lazarus sub-cluster known as Andariel (also known as Stonefly) was seen using custom ransomware families like SHATTEREDGLASS, Maui, and H0lyGh0st to target organizations in South Korea, Japan, and the United States.

The hacking team later switched to an off-the-shelf locker to encrypt victim systems and demand a ransom, when it was connected to a Play ransomware attack in October 2024.

However, Andariel is not the only group switching from custom ransomware to a pre-existing family. Bitdefender disclosed last year that a different North Korean threat actor, Moonstone Sleet, which had previously deployed the custom FakePenny ransomware family, had most likely used Qilin ransomware to target multiple South Korean financial institutions. The company told ZeroOwl that these changes may indicate a tactical shift among North Korean hacking groups, which are functioning as affiliates of well-established RaaS operations rather than creating their own tools.

Dick O'Brien, principal intelligence analyst for the Symantec and Carbon Black Threat Hunter Team, stated, "The motivation is most likely pragmatism. When you can use a tried-and-true threat like Medusa or Qilin, why take the time to create your own ransomware payload? In terms of affiliate fees, they might have determined that the advantages outweigh the disadvantages."

Some of the tools used in the Lazarus Group's Medusa ransomware campaign are RP_Proxy, a custom-built proxy tool; Mimikatz, a publicly available credential dumping program; and Comebacker, a custom backdoor used only by this threat actor. Comebacker has previously been observed in conjunction with BLINDINGCAN (also known as AIRDRY or ZetaNile), a remote access trojan; ChromeStealer, a tool for recovering stored passwords from the Chrome browser; and InfoHook. Although the extortion attacks resemble earlier Andariel activity, the campaign has not been linked to any particular Lazarus sub-group.

According to the company, "the move to Medusa shows that North Korea's rapacious involvement in cybercrime continues unabated."

"North Korean actors seem unafraid to target American organizations. Although some cybercriminals assert that they avoid targeting healthcare organizations because of the potential harm to their reputation, Lazarus appears to be unconstrained in any way."