The Lazarus Group has a new partner in crime.
The North Korean nation-state threat group dropped Medusa ransomware in a recent attack on an organization in the Middle East, according to new research from the Symantec and Carbon Black threat hunter team. Lazarus Group actors also attempted an unsuccessful attack on a US healthcare organization.
The researchers didn’t identify either organization or specify the Middle East target’s industrial sector.
Lazarus Group’s embrace of Medusa shows the Democratic People’s Republic of Korea’s (DPRK) “rapacious involvement in cybercrime continues unabated,” the researchers wrote. The attacks are also the latest example of the threat group’s penchant for hitting critical infrastructure targets, most notably healthcare entities.
“While some cybercrime outfits claim to steer clear of targeting healthcare organizations due to the reputational damage it may attract, Lazarus doesn’t seem to be in any way constrained,” the threat hunter team stated in the report.
The Medusa ransomware gang initially started out as a closed operation but expanded in 2024 to a more open ransomware-as-a-service (RaaS) model. Additionally, Medusa actors have hit hundreds of critical infrastructure organizations over the years, making the gang a fitting partner for Lazarus.
Which Lazarus Group Unit Was Behind the Attacks?
Unlike most nation-state advanced persistent threat (APT) groups, Lazarus has long been involved in conventional cybercrime with financially motivated attacks on everything from energy sector organizations to cryptocurrency exchanges. Dick O’Brien, principal intelligence analyst for the Symantec and Carbon Black threat hunter team, says the Middle Eastern organization hit by the Medusa attack is a large business that “doesn’t operate in a strategic sector or seem to possess valuable intellectual property. We believe it was purely financially motivated.”
Partnering with Medusa, therefore, makes sense for Lazarus Group, given its history of ransomware and extortion attacks. However, Carbon Black hasn’t determined which specific arm of Lazarus is behind these latest attacks.
“While the current Medusa ransomware attacks are undoubtedly the work of Lazarus, the blanket designation for North Korean state-sponsored activity, it is unclear which Lazarus sub-group is behind them,” the report stated.
The researchers noted that while the Medusa attacks featured tactics, techniques, and procedures (TTPs) associated with a Lazarus sub-group known as Stonefly, the additional malware used by the threat actors, including a backdoor known as Comebacker, was previously tied to a different group tracked as Diamond Sleet.
Just the Ransomware, Please
In addition to the Comebacker malware, the Carbon Black threat hunter team found evidence of other malware and hacking tools frequently used by the Lazarus Group in the two attacks. This includes Blindingcan, a remote access Trojan (RAT) tied to Lazarus, and an infostealer known as Infohook.
However, O’Brien tells Dark Reading that the threat hunter team didn’t find any evidence of Lazarus actors using other Medusa tools or malware besides the payload. The ransomware gang has embraced the bring-your-own-vulnerable-driver (BYOVD) technique, deploying endpoint detection and response (EDR) killers to disable enterprise security defenses.
“We didn’t see any evidence of defense evasion tools being used, such as vulnerable drivers,” he says.
Still, BYOVD has become an increasingly popular tactic among ransomware gangs, and security teams should prepare for such threats. Defenses include blocking vulnerable drivers known to be used by threat actors and monitoring for privilege escalation attempts, which attackers need to introduce drivers into targeted systems.
The threat hunter team’s report included indicators of compromise from the two attacks, such as malicious file indicators, IP addresses, and URLs. In a separate security bulletin, Symantec included other indicators, such as behavior-based signals, which the vendor’s products are now updated to detect and block.
