New evidence indicates that the North Korean state-sponsored Lazarus Group has adopted the infamous Medusa ransomware in its extortion attacks, including those against the healthcare and nonprofit sectors.
The Threat Hunter Team from Symantec and Carbon Black says these attacks have been increasing since Medusa’s launch in 2023 as a “ransomware-as-a-service” (RaaS) tool.
The malware, operated by a cybercrime syndicate named Spearwing, has been used in over 360 known attacks, including against critical sectors, where it encrypts data and threatens to publish it if a ransom is not paid.
Analysis of Medusa’s leak site indicates that attacks have recently been reported against four US healthcare and nonprofit organizations, with the actors demanding an average of hundreds of thousands of dollars.
It is not clear which Lazarus group is responsible for the attacks, but the tools used suggest a sophisticated approach to financially motivated attacks.
This is a worrying change for this state actor, which appears to be emulating the methods of financially motivated ransomware operators looking to make money, highlighting the blurring of the line between nation-state cyber operations and cybercrime.
Maximizing Emotional Leverage
Jason Soroko, Senior Fellow at Sectigo, says: “Striking facilities dedicated to mental health and autistic children demonstrates that these actors prioritize maximum emotional leverage to ensure swift ransom payments. The relatively modest average ransom demand suggests a volume-based approach where threat actors target chronically underfunded sectors that simply cannot afford prolonged operational downtime.”
He says network defenders must recognize that foreign adversaries are no longer solely hunting major enterprises and are actively exploiting the softest targets in the American healthcare ecosystem.
Healthcare is Less Prepared
Healthcare has historically been less prepared for cyber risks than other industries, and attackers are increasingly taking advantage of this, adds James Maude, Field CTO at BeyondTrust.
“The security challenges extend beyond the healthcare providers themselves, with almost a third of breaches involving the compromise of third parties. Ransomware, once a rare occurrence in healthcare, is now at the top of most providers’ agendas, as legacy remote access solutions provide a quick entry point to land and expand with severe consequences.”
Shift Left, Secure Identities
He says that to deal proficiently with ransomware and other threats, organizations must invest in shifting left and think more about securing identities and access, reducing the attack surface and the blast radius in the event of a compromise, rather than thinking only post-breach. “Ransomware and other threats are only as effective as the privileges and access they manage to acquire, so if we can implement better hygiene and place emphasis on least privilege, then the threat actors are far less likely to ransomware us in the first place.”
Modern healthcare organizations are also incorporating real-time session monitoring with their security tooling to perform behavioral analytics and generate automated alerts, Maude adds.
“Any anomalous vendor behaviors, such as unusual file exports or unexpected command-line launches, are detected and halted before they can escalate into breaches. By combining least-privilege access controls, granular session recording, and proactive monitoring, healthcare organizations can maintain the critical third-party support they depend on while safeguarding patient data and fortifying their regulatory posture.”
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.