Lazarus-associated Medusa extortion campaign targeting U.S. healthcare organizations

Campaign
H score 40
2 unique sources, 2 articles

Summary

A Lazarus-associated Medusa ransomware campaign is targeting U.S. healthcare organizations, raising the risk of extortion, data encryption, and operational disruption. In the latest reporting, Symantec and the Carbon Black Threat Hunter Team said the attackers used Medusa against a target in the Middle East and unsuccessfully tried to breach a US healthcare organization. The same activity has been tied broadly to North Korea-backed operators, with possible involvement of Andariel/Stonefly and tooling overlap with Diamond Sleet. Medusa’s leak site also listed four US healthcare and non-profit organizations as victims since early November 2025, with an average ransom demand of $260,000.

Related Happenings

Lazarus Group RemotePE long-term observation campaign against financial and cryptocurrency organizations

Campaign
First: 25.05.2026 12:32 Last: 25.05.2026 12:32 Sources 1

About this happening: The **Lazarus Group** was tied to a **RemotePE** campaign against **financial and cryptocurrency organizations**, signaling a stealth-focused operation with sustained access risk....

Medical-device cyberattack trend in healthcare organizations

Target Trend
First: 29.04.2026 13:05 Last: 29.04.2026 13:05 Sources 1

About this happening: **24% of healthcare organizations** experienced cyber-attacks affecting **medical devices** over the past year, creating real risk to **patient care**. In **80%** of affected case...

BlackCat campaign expands across multiple victims

Campaign
First: 22.04.2026 14:00 Last: 22.04.2026 14:00 Sources 1

About this happening: The **BlackCat** ransomware operation ran a **multi-victim extortion campaign** against **US organizations** between **April and November 2023**, creating sustained ransom pressur...

Latest development: 01.05.2026 14:30

Ryan Goldberg and Kevin Martin were each sentenced to four years in prison for helping the BlackCat/ALPHV ransomware gang conduct attacks against multiple U.S. organizations during 2023. Prosecutors said the pair worked alongside Angelo Martino, paid BlackCat administrators a 20% share of ransom payments, and in one case received a Bitcoin ransom worth $1.2m while also leaking patient data from a healthcare victim.

Storm-1175 high-velocity zero-day and N-day intrusion campaign

Campaign
First: 07.04.2026 09:35 Last: 07.04.2026 09:35 Sources 1

About this happening: **Storm-1175** is running a **high-velocity intrusion campaign** that chains **zero-day** and **N-day vulnerabilities** to gain initial access to exposed systems, raising the risk...

Storm-1175 high-velocity exploit campaign

Campaign
First: 06.04.2026 19:56 Last: 06.04.2026 19:56 Sources 1

About this happening: **Storm-1175** is running a **high-velocity exploit campaign** that rapidly turns access into **Medusa ransomware** deployment, creating risk of **data exfiltration** and encrypte...

Timeline

  1. 24.02.2026 13:00 3 articles · 3mo ago

    Lazarus-linked Medusa attacks against U.S. healthcare organizations

    Initial Disclosure

    Symantec says North Korean state-backed hackers associated with Lazarus are using Medusa ransomware in financially motivated attacks against U.S. healthcare organizations. Researchers note possible involvement of a Lazarus subgroup such as Andariel/Stonefly, tooling overlap with Diamond Sleet, and published IoCs meant to help defenders detect the activity early and prevent encryption of sensitive data.
