North Korea's Lazarus Group Turns to Medusa Ransomware


The North Korea-linked Lazarus Group, long associated with high-profile intrusions and ransomware campaigns, appears to have shifted its operational focus. Previously tied to the distribution of ransomware strains such as Maui and Play, the group is now reportedly deploying Medusa ransomware in targeted attacks. Recent incidents indicate that victims include organizations in the Middle East and at least one healthcare institution in the United States.

According to research by Symantec and the VMware Carbon Black Threat Hunter Team (both now part of Broadcom), a Lazarus-linked subgroup known as Andariel, which Symantec tracks as Stonefly, has been deploying the Medusa ransomware strain against selected targets. This subgroup has historically specialized in financially motivated attacks, and its latest campaign suggests a pivot toward operating as an affiliate within a ransomware-as-a-service (RaaS) model, in which the affiliate handles intrusion and deployment while the ransomware itself is developed and maintained by another party.

The campaign reportedly began in November 2025 and has already impacted multiple healthcare organizations, including a nonprofit facility dedicated to treating children with autism. Initial ransom demands have averaged around $260,000 USD, with the final payout often rising during negotiations. Targeting healthcare providers is particularly concerning, as disruption to clinical systems can directly affect patient care and other critical services.

Some cybersecurity experts believe that Lazarus and its affiliates may now be operating within a broader ransomware syndicate. In this model, cybercriminal groups collaborate under profit-sharing agreements, distributing malware developed by other actors in exchange for a percentage of ransom payments. The arrangement allows a group like Andariel to remain flexible, switching to a different ransomware strain if another operator offers a higher commission. As a result, there is no guarantee that Medusa will remain its primary tool for the rest of the year.

While advances in artificial intelligence have lowered the effort needed to develop capable malware, distributing it at scale has become harder under heightened global law enforcement scrutiny. Agencies such as the Federal Bureau of Investigation have intensified efforts to dismantle ransomware networks. In response, cybercriminal groups are increasingly forming alliances, pooling resources, and sharing profits to sustain operations in a competitive and closely monitored threat landscape.

Naveen Goud
Naveen Goud is a writer at Cybersecurity Insiders covering topics such as Mergers & Acquisitions, Startups, Cyber Attacks, Cloud Security and Mobile Security