Medusa has been one of the most consistently active ransomware operations since its emergence in 2021, but 2026 brought a development that distinguishes it from most criminal ransomware groups: evidence that Lazarus Group — North Korea’s primary offensive cyber unit, traditionally focused on financial theft and espionage — has been observed using Medusa’s encryptor in attacks on US healthcare organisations and targets in the Middle East. The Symantec and Carbon Black Threat Hunter findings, published in February 2026, represent a significant evolution in the DPRK threat profile.
Group Background
Medusa (distinct from the earlier MedusaLocker operation, which is a separate group) has been active since mid-2021 and operates under a Ransomware-as-a-Service model with a curated affiliate programme. Unlike DragonForce and RansomHub, which run relatively open affiliate models, Medusa is more selective — the operation maintains tighter operational control over affiliates and has historically avoided some of the lowest-value targeting that lower-tier RaaS groups accept.
CISA’s March 2025 #StopRansomware advisory (AA25-071a) documented Medusa’s TTPs and noted that the group had claimed more than 300 victims at that point. By May 2026, that number exceeds 400, with healthcare and education as the most heavily targeted sectors by volume.
The Lazarus Connection
The February 2026 Symantec/Carbon Black findings describe observations of a threat cluster with technical indicators attributable to Lazarus Group deploying the Medusa encryptor in intrusions. The specific findings: Lazarus-associated initial access tradecraft (spear-phishing, trojanised developer tools) followed by Medusa encryptor deployment; victim overlap with known Lazarus targeting patterns in Middle Eastern financial and government entities; and US healthcare organisations in the targeted set, consistent with DPRK’s documented interest in healthcare data and pharmaceutical intellectual property.
The precise relationship — whether Lazarus is an affiliate customer of the Medusa RaaS, whether they obtained or reverse-engineered the encryptor independently, or whether there is a direct operational relationship — is not definitively established by public reporting. What matters operationally is that defenders facing Medusa ransom demands cannot rule out nation-state involvement, which changes the incident response calculus significantly.
DPRK cyber operations serve multiple objectives simultaneously. Financial gain from ransomware pays for the regime’s programmes. Access to healthcare networks provides intelligence. The combination of criminal extortion tradecraft with nation-state persistence and capability is a materially different threat than a purely financially motivated affiliate.
Technical Profile
Medusa affiliates have been observed using a consistent initial access set: phishing with malicious attachments (ISO files containing LNK launchers), exploitation of internet-facing VPN and RDP infrastructure, and purchase of access from initial access brokers. The CISA advisory specifically notes exploitation of CVE-2024-1709 (ConnectWise ScreenConnect authentication bypass) and CVE-2024-6387 (OpenSSH regreSSHion) as observed initial access vectors.
Medusa affiliates consistently use built-in Windows tools — certutil, wevtutil (event log clearing), PsExec, and Windows Management Instrumentation — to avoid dropping custom tooling before the final encryptor stage. More recent intrusions have incorporated BYOVD techniques to kill endpoint defences before encryption, consistent with the broader ecosystem trend documented across DragonForce, Akira, and RansomHub affiliates.
The Medusa encryptor targets network shares and NAS devices in addition to local drives, appends .medusa to encrypted files, and drops a ransom note named !!!READ_ME_MEDUSA!!!.txt. On Linux/VMware ESXi targets, a separate ESXi-specific encryptor variant is deployed.
Double extortion is standard. The Medusa leak site (accessed via Tor) lists victims with a countdown timer and a file download option — paying the initial ransom stops decryption only; a separate payment is required to prevent data publication.
Notable 2026 Incidents
The most significant confirmed Medusa incident in early 2026 was the University of Mississippi Medical Center (UMMC) attack in late February. The hospital system went offline for nine days, with clinical staff reverting to paper-based processes across its network. UMMC is Mississippi’s only Level I trauma centre.
Medusa also claimed attacks on a New Jersey county government and a prominent Mississippi hospital system within the same month, demonstrating the group’s willingness to pursue high-profile public sector targets that generate pressure for payment.
Ransom Demands
Medusa’s ransom demands are broadly distributed by victim size. For large healthcare systems and enterprise organisations, documented demands run $1M–$15M. The average across the full victim set — including smaller targets — is closer to $260,000. Medusa operates a dual-payment model: one payment for the decryptor, a separate payment to prevent data publication. Each counts down independently on the leak site.
What Defenders Should Know
The Lazarus connection changes the detection priority for Medusa intrusions. Standard ransomware affiliate TTPs suggest a financially motivated attacker who will leave when paid. Lazarus Group will not. Organisations dealing with a Medusa ransomware demand should forensically assess whether the intrusion extends beyond the ransomware deployment — persistent access, credential harvesting, and intellectual property exfiltration should all be investigated before and during any containment and recovery effort.
CISA’s AA25-071a advisory provides Snort signatures, Sigma rules, and specific IoCs for Medusa TTPs. Given the Lazarus attribution findings, healthcare organisations in particular should treat those IoCs as active threat intelligence rather than historical reference.