Lazarus Goes RaaS: North Korea’s Hackers Now Renting Medusa to Hit U.S. Hospitals

Alright. So apparently running the world’s most prolific state-sponsored hacking operation for two decades wasn’t ambitious enough. North Korea’s Lazarus Group—the same crew responsible for the Bangladesh Central Bank heist, WannaCry, the Sony hack, and approximately $3 billion in stolen crypto—has now decided to franchise.

They’re renting ransomware. Specifically Medusa ransomware. And their new preferred target demographic is American healthcare organizations, mental health nonprofits, and schools for autistic children.

Yes, you read that right. Schools for autistic children.

Let that sink in for a second. A nation-state threat actor, backed by the full resources of the Kim Jong-un regime, is now extorting American nonprofits that help autistic kids because the ransomware-as-a-service model is apparently too profitable to ignore.

What Happened

According to a report from Symantec and Carbon Black Threat Hunter Team shared with The Hacker News, researchers have uncovered evidence that Lazarus Group operatives are deploying Medusa ransomware—a well-established ransomware-as-a-service platform—in attacks against healthcare and non-profit organizations.

The first confirmed case involved a target in the Middle East, where Lazarus deployed Medusa as the final payload. The same threat cluster then attempted an unsuccessful breach of a U.S. healthcare provider. Analysis of Medusa’s dark web leak site revealed attacks against four healthcare and non-profit organizations in the U.S. since November 2025 alone, with an average ransom demand of $260,000.

Victims included—and I want you to really sit with this—a non-profit in the mental health sector, and an educational facility serving autistic children.

Now, the researchers are careful to note they can’t confirm all four victims were hit by North Korean operatives specifically, versus other Medusa affiliates. Fair enough. But the directional shift is clear: North Korean threat actors are evolving from running their own proprietary ransomware families (Maui, Play, and their custom tools) to operating as affiliates within existing RaaS ecosystems.

Why This Evolution Should Terrify You

For years, the calculus on North Korean cyber operations was relatively straightforward: they’re a nation-state threat actor, they hit big targets (banks, crypto exchanges, defense contractors), and unless you’re directly in those sectors, your risk exposure to Lazarus specifically was somewhat bounded.

That calculus is now broken.

When a threat actor of Lazarus’s sophistication—with the full technical capability of a nation-state intelligence apparatus behind them—plugs into a commodity RaaS platform, they get scale without losing capability. They’re not using Medusa because they can’t build their own ransomware. They’ve built some of the most sophisticated malware ever cataloged. They’re using Medusa because it’s operationally efficient: ready-to-deploy infrastructure, existing negotiation portals, established payment channels, and plausible deniability built right in.

I covered how Lazarus walked away with $36.9 million from the Upbit crypto exchange using supply chain compromises and social engineering. That was a high-value, high-effort operation. Now the same actors are apparently also running $260K smash-and-grab ransomware jobs against nonprofits. They’re not choosing one or the other—they’re doing both, simultaneously, across different operational cells.

This is what professionalization looks like on the threat side. They have capacity to spare.

Healthcare: The Perpetually Favorite Target

Let me ask you something. What industry do you think would be most likely to pay a ransom quickly, with minimal negotiation, under intense operational pressure?

If you said healthcare, congratulations, you think like a ransomware operator.

Hospitals and healthcare systems run on tight operational margins. They cannot function without their systems. When Epic goes down—and it just went down at the University of Mississippi Medical Center last week, which I’ll get to in another post—patient care is directly compromised. People die from delayed care. That’s not hyperbole; it’s documented. And ransomware operators know it.

The mental health sector adds another layer of horror: the data they hold is among the most sensitive and stigmatized in existence. Therapy records, psychiatric diagnoses, medication histories. The potential for blackmail and secondary extortion is enormous. A leaked mental health patient database doesn’t just cause financial harm—it can destroy careers, relationships, and in worst cases, lives.

And the educational facility for autistic children? Their data includes medical records for minors. That’s a different legal exposure category entirely, and attackers know it. The pressure on administrators to pay quietly and quickly, rather than involve law enforcement and notify parents, is intense.

This is not random targeting. It’s calculated exploitation of victim characteristics to maximize ransom payment probability.

The RaaS Model Is the Real Problem

Here’s the structural issue nobody wants to address: the ransomware-as-a-service model has industrialized cybercrime to the point where it’s accessible to any threat actor with technical sophistication—including nation-states looking to supplement their income or fund covert operations.

I wrote about North Korean fake IT worker schemes that funneled $2.2 million to Pyongyang. That was one scheme. The Lazarus Group’s total crypto theft operation reportedly funds a significant portion of North Korea’s weapons development programs. Ransomware is just another revenue stream in a diversified criminal and geopolitical portfolio.

When a nation-state becomes a RaaS affiliate, it blurs every line we use to categorize threats. Is this a criminal attack or a geopolitical one? Is it financially motivated or intelligence-gathering? The answer, increasingly, is “yes.” Both. All of the above. These aren’t mutually exclusive categories anymore.

The Symantec/Carbon Black team notes that North Korea has previously been associated with the Maui and Play ransomware families. Now add Medusa to the list. Each RaaS ecosystem they affiliate with gives them another operational option with different target profiles, negotiation styles, and technical characteristics.

What Healthcare Organizations Need to Do Right Now

If you’re in healthcare—administration, IT, security, executive leadership, doesn’t matter—let me give you the un-bullshitted version of what you need:

Offline, air-gapped backups. Not backups stored on the same network. Not backups stored in a cloud account accessible from the same credentials as your primary systems. Air-gapped. Tested. Restorable. When ransomware hits, your ability to recover without paying depends almost entirely on the quality of your backup architecture. Everything else is secondary.
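"Tested. Restorable." is the part most organizations skip, and it is the part you can automate. The script below is an added example written for this post, not code from the original article or from Symantec/Carbon Black; it assumes a backup produced as a tar archive with a SHA-256 manifest written at backup time, and every path, file name and record in it is constructed sample data. It performs a restore drill into a scratch directory, checks every restored file against the manifest, and shows what the drill reports when the archive has been silently altered or overwritten in place.

```python
"""Backup restore-verification drill (added example, constructed sample data).

Creates a tar archive plus a SHA-256 manifest at backup time, then proves the
archive is restorable by extracting it into a scratch directory and checking
every file against the manifest. Two failure scenarios are exercised as well:
an archive rebuilt after a file was altered (manifest mismatch) and an archive
whose bytes were replaced wholesale, as an encrypted-in-place backup would be.
"""
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Relative path -> sha256 for every regular file under root."""
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def create_backup(source: Path, archive: Path, manifest_path: Path) -> dict:
    """Write the archive and record the hashes of what went into it."""
    manifest = build_manifest(source)
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname=".")
    manifest_path.write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return manifest


def verify_restore(archive: Path, manifest_path: Path) -> dict:
    """Restore into a scratch directory and diff the result against the manifest."""
    manifest = json.loads(manifest_path.read_text())
    result = {"ok": False, "missing": [], "mismatched": [], "unexpected": []}
    with tempfile.TemporaryDirectory() as scratch:
        dest = Path(scratch)
        try:
            with tarfile.open(archive, "r:gz") as tar:
                try:
                    tar.extractall(dest, filter="data")  # refuses path traversal
                except TypeError:  # Python builds without the filter= argument
                    tar.extractall(dest)
        except (tarfile.TarError, OSError, EOFError) as exc:
            result["error"] = f"archive unreadable: {exc}"
            return result
        restored = build_manifest(dest)
        for rel, digest in manifest.items():
            if rel not in restored:
                result["missing"].append(rel)
            elif restored[rel] != digest:
                result["mismatched"].append(rel)
        result["unexpected"] = sorted(set(restored) - set(manifest))
    result["ok"] = not (result["missing"] or result["mismatched"] or result["unexpected"])
    return result


def build_sample_data(root: Path) -> None:
    """Constructed sample files standing in for an EHR export (fake content)."""
    (root / "ehr").mkdir(parents=True)
    (root / "ehr" / "encounters.csv").write_text("id,date,note\n1,2025-11-03,constructed sample\n")
    (root / "ehr" / "config.json").write_text('{"site": "example-clinic", "sample": true}\n')
    (root / "README.txt").write_text("constructed sample data for the backup drill\n")


def demo() -> dict:
    """Run the drill against a good archive, a tampered one, and an overwritten one."""
    outcomes = {}
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        source = tmp / "source"
        build_sample_data(source)
        archive = tmp / "backup.tar.gz"
        manifest_path = tmp / "backup.manifest.json"
        create_backup(source, archive, manifest_path)
        outcomes["good"] = verify_restore(archive, manifest_path)

        # A file changes and the archive is rebuilt, but the manifest recorded at
        # backup time still holds the original hash: the drill flags the mismatch.
        (source / "ehr" / "encounters.csv").write_text("id,date,note\n1,2025-11-03,ALTERED\n")
        with tarfile.open(archive, "w:gz") as tar:
            tar.add(source, arcname=".")
        outcomes["tampered"] = verify_restore(archive, manifest_path)

        # Archive bytes replaced wholesale (simulated encryption): unreadable.
        archive.write_bytes(b"SIMULATED-ENCRYPTED-BACKUP" * 8)
        outcomes["overwritten"] = verify_restore(archive, manifest_path)
    return outcomes


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, "OK" if outcome["ok"] else "FAILED", outcome)
```

The manifest is what turns "the restore finished" into "the restore is correct": a restore that completes but yields altered or missing records is still a failed backup. Run the drill against the copy that lives off-network, not the one on the production share, and keep the manifest with the offline copy so an attacker who reaches the primary backup store cannot adjust both.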

Segment your clinical systems from your administrative network. Epic and your clinical workstations should not be on the same network segment as your email server and your finance department. If they are, a compromise anywhere becomes a compromise everywhere. Network segmentation is not optional for healthcare organizations—it’s the difference between a contained incident and a full operational shutdown.

Incident response plan that assumes your EHR will go down. Hospitals ran without Epic for decades. They can do it again. But they need documented, drilled, paper-based fallback procedures. If your clinical staff has never operated without EHR access, you’re one ransomware attack away from chaos. Run tabletop exercises. Practice the downtime procedures. Know where the paper forms are.

Threat intelligence specific to healthcare sector threats. The DHHS HC3 (Health-ISAC) puts out regular threat briefings specifically for healthcare. They named Medusa as an active threat to healthcare. If your security team isn’t subscribed and reading those briefings, fix that today.

Employee phishing training that’s actually adversarial. Lazarus and Medusa affiliates both rely heavily on spear-phishing for initial access. Not generic “click here to win a prize” phishing. Highly targeted, contextually relevant spear-phishing that references real operational details. Your training program needs to simulate that—not the obvious garbage your compliance vendor runs. Check my piece on the evolution of phishing from basic scams to AI-enhanced social engineering to understand what you’re actually up against.

The Indictment Problem

The Department of Justice has indicted multiple Lazarus Group operatives. Doesn’t matter. They’re in North Korea. They’re not getting on a plane to face justice. The indictments serve as public attribution exercises and perhaps some minor operational disruption, but they don’t stop the attacks. The security.com writeup notes that North Korean attackers are “continuing to mount extortion attacks on the U.S. healthcare sector despite indictment.” Yeah. Obviously. An indictment is a press release to these guys.

The only real deterrence is making your environment technically harder to attack than the next target. Ransomware operators—even state-backed ones—follow the path of least resistance. If your backup architecture is solid, your network is segmented, your staff isn’t clicking phishing emails, and your credential hygiene is tight, they’ll find someone easier to hit.

That’s the game. Make yourself the harder target.

The Fixer’s Final Word

North Korea running ransomware against mental health nonprofits and schools for autistic kids tells you everything you need to know about where the global cyber threat environment has arrived. Nation-states aren’t just running espionage operations anymore—they’re running criminal enterprises that target the most vulnerable institutions in society.

The response has to be proportionate. Healthcare security can’t be funded like a cost center anymore. It needs dedicated resources, dedicated expertise, and executive sponsorship that takes it as seriously as patient safety—because at this point, it is patient safety. A ransomware attack that takes down your EHR and delays critical care isn’t a technology problem. It’s a public health emergency.

Fund it accordingly.
