Lazarus Group Strikes Again: Medusa Ransomware Targets Healthcare Sectors in Middle East and U.S.

The Lazarus Group, also known as Diamond Sleet and Pompilus, has been linked to a recent cyberattack in the Middle East utilizing the Medusa ransomware, as reported by the Symantec and Carbon Black Threat Hunter Team.

Reports indicate that the same threat actors attempted an attack on a healthcare organization in the U.S. The Medusa ransomware is a ransomware-as-a-service operation launched by a cybercrime group called Spearwing in 2023, with over 366 attacks attributed to them.

According to Broadcom’s threat intelligence division, the Medusa leak site shows attacks on multiple organizations, including non-profits and educational facilities, with an average ransom demand of $260,000.

North Korean hacking groups, such as Lazarus, have a history of using ransomware in their attacks. In the past, Lazarus sub-groups like Andariel have targeted entities in South Korea, Japan, and the U.S. with custom ransomware families.

More recently, North Korean threat actors have been observed using off-the-shelf ransomware variants like Medusa and Qilin, indicating a shift in tactics towards affiliating with established ransomware-as-a-service groups.

Dick O’Brien from the Symantec and Carbon Black Threat Hunter Team suggests that the shift to using existing ransomware variants like Medusa is a pragmatic decision for North Korean hacking groups, as it saves them the effort of developing their own tools.

The Medusa ransomware campaign by Lazarus Group involves the use of various tools such as RP_Proxy, Mimikatz, Comebacker, InfoHook, BLINDINGCAN, and ChromeStealer.

Despite the similarities to previous Andariel attacks, the specific Lazarus sub-group behind the Medusa campaign remains unidentified.

Overall, the use of ransomware by North Korean threat actors like Lazarus Group showcases their continued involvement in cybercrime, with little regard for the organizations they target.
