Executive Summary
In early 2025, the North Korean state-sponsored Lazarus Group launched a series of sophisticated ransomware attacks targeting critical infrastructure sectors, notably healthcare and education, in the United States. Utilizing the Medusa ransomware, the group employed advanced tactics such as exploiting unpatched software vulnerabilities and deploying custom malware tools like Comebacker backdoor and Blindingcan RAT. These attacks led to significant data breaches, operational disruptions, and substantial financial losses for the affected organizations. (secure.com)
The Lazarus Group's adoption of Medusa ransomware underscores a concerning trend of state-sponsored actors leveraging ransomware-as-a-service platforms to conduct financially motivated cyberattacks. This evolution highlights the urgent need for organizations to enhance their cybersecurity defenses, particularly in sectors handling sensitive data, to mitigate the risks posed by such advanced persistent threats.
Why This Matters Now
The Lazarus Group's use of Medusa ransomware signifies a dangerous convergence of state-sponsored cyber espionage and financially motivated cybercrime, posing an immediate threat to critical infrastructure sectors. Organizations must urgently bolster their cybersecurity measures to defend against these sophisticated attacks.
Attack Path Analysis
The Lazarus Group initiated the attack by exploiting unpatched vulnerabilities in public-facing applications to gain initial access. They then escalated privileges by deploying custom malware to obtain higher-level access. Utilizing remote access tools, they moved laterally across the network to identify and access critical systems. The attackers established command and control channels using encrypted communications to maintain persistence. They exfiltrated sensitive data before deploying Medusa ransomware to encrypt files. Finally, they demanded a ransom, threatening to release the stolen data if payment was not made.
Kill Chain Progression
Initial Compromise
Description
The Lazarus Group exploited unpatched vulnerabilities in public-facing applications to gain initial access to the target network.
Related CVEs
CVE-2025-10035
CVSS 9.8
A critical deserialization vulnerability in Fortra's GoAnywhere MFT License Servlet allows unauthenticated remote code execution.
Affected Products:
Fortra GoAnywhere MFT – <= 7.8.3
Exploit Status:
exploited in the wild

CVE-2024-1709
CVSS 10
A critical vulnerability in ConnectWise ScreenConnect allows remote code execution due to improper input validation.
Affected Products:
ConnectWise ScreenConnect – < 22.4.0
Exploit Status:
exploited in the wild

CVE-2023-48788
CVSS 9.8
A critical SQL injection vulnerability in Fortinet's FortiClient EMS software allows unauthenticated remote code execution.
Affected Products:
Fortinet FortiClient EMS – <= 7.0.7
Exploit Status:
exploited in the wild

CVE-2024-57727
CVSS 7.5
A path traversal vulnerability in SimpleHelp Remote Monitoring and Management tool allows unauthorized access to configuration files.
Affected Products:
SimpleHelp Remote Monitoring and Management – <= 5.5.7
Exploit Status:
exploited in the wild

CVE-2024-57728
CVSS 7.2
An authentication bypass vulnerability in SimpleHelp Remote Monitoring and Management tool allows unauthorized administrative access.
Affected Products:
SimpleHelp Remote Monitoring and Management – <= 5.5.7
Exploit Status:
exploited in the wild
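As a first triage step against the CVE list above, a defender wants to know which deployed instances of the named products fall inside the listed affected-version ranges. The following Python script is an added example, not part of the original report: it parses the "Product – <op> version" lines exactly as printed above, compares them against an inventory, and returns the matching CVEs. The product ranges are the ones the report lists; the inventory is a constructed sample, and the result is only a version check, not a substitute for the vendors' own advisories.

```python
"""Check a software inventory against the affected-version ranges in the report.

Added example (not the report's own tooling). AFFECTED_LINES are copied from the
report's CVE list; INVENTORY is a constructed sample for demonstration.
"""
import re
from dataclasses import dataclass

# Affected-product lines exactly as printed in the report, keyed by CVE.
AFFECTED_LINES = [
    ("CVE-2025-10035", "Fortra GoAnywhere MFT – <= 7.8.3"),
    ("CVE-2024-1709", "ConnectWise ScreenConnect – < 22.4.0"),
    ("CVE-2023-48788", "Fortinet FortiClient EMS – <= 7.0.7"),
    ("CVE-2024-57727", "SimpleHelp Remote Monitoring and Management – <= 5.5.7"),
    ("CVE-2024-57728", "SimpleHelp Remote Monitoring and Management – <= 5.5.7"),
]

# Constructed sample inventory: (product name, installed version).
INVENTORY = [
    ("Fortra GoAnywhere MFT", "7.8.3"),
    ("Fortra GoAnywhere MFT", "7.8.4"),
    ("ConnectWise ScreenConnect", "22.4.0"),
    ("ConnectWise ScreenConnect", "22.3.9"),
    ("SimpleHelp Remote Monitoring and Management", "5.5.8"),
    ("SimpleHelp Remote Monitoring and Management", "5.5.7"),
]


@dataclass(frozen=True)
class AffectedRange:
    cve: str
    product: str
    op: str       # "<" or "<="
    version: str  # upper bound as printed in the report


# Matches "Product – <= 7.8.3" or "Product - < 22.4.0" (en-dash or hyphen).
_CONSTRAINT = re.compile(r"^(?P<product>.+?)\s*[–-]\s*(?P<op><=|<)\s*(?P<ver>[\d.]+)\s*$")


def parse_constraint(cve: str, line: str) -> AffectedRange:
    """Turn one 'Affected Products' line from the report into an AffectedRange."""
    m = _CONSTRAINT.match(line)
    if not m:
        raise ValueError(f"unrecognised affected-product line: {line!r}")
    return AffectedRange(cve, m.group("product"), m.group("op"), m.group("ver"))


def parse_version(s: str) -> tuple:
    """'7.8.3' -> (7, 8, 3, 0). Pads to four components so '7.8' < '7.8.3' compares correctly."""
    parts = tuple(int(p) for p in re.findall(r"\d+", s))
    return parts + (0,) * max(0, 4 - len(parts))


def is_affected(installed: str, rng: AffectedRange) -> bool:
    """True when the installed version satisfies the report's '<' or '<=' bound."""
    iv, bound = parse_version(installed), parse_version(rng.version)
    return iv <= bound if rng.op == "<=" else iv < bound


def check_inventory(inventory, affected_lines=AFFECTED_LINES):
    """Return (product, version, cve) triples for every inventory entry in an affected range."""
    ranges = [parse_constraint(cve, line) for cve, line in affected_lines]
    findings = []
    for product, version in inventory:
        for rng in ranges:
            if rng.product == product and is_affected(version, rng):
                findings.append((product, version, rng.cve))
    return findings


if __name__ == "__main__":
    for product, version, cve in check_inventory(INVENTORY):
        print(f"{product} {version}: within listed affected range for {cve}")
```

Boundary handling is the point of the comparator: "<= 7.8.3" flags 7.8.3 itself while "< 22.4.0" does not flag 22.4.0, and a product can match several CVEs (both SimpleHelp entries share the 5.5.7 bound). Feed it a real inventory export in the same (product, version) shape to get a patch-priority list.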
MITRE ATT&CK® Techniques
Exploit Public-Facing Application
Phishing
Command and Scripting Interpreter: PowerShell
Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
Valid Accounts
Impair Defenses: Disable or Modify Tools
Credential Dumping
Data Encrypted for Impact
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Ensure all system components and software are protected from known vulnerabilities
Control ID: 6.2
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA Zero Trust Maturity Model 2.0 – Identity Management and Access Control
Control ID: Identity Pillar
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Financial Services
Lazarus Group's Medusa ransomware targeting creates critical risks for financial institutions through lateral movement capabilities, encrypted traffic vulnerabilities, and regulatory compliance impacts.
Health Care / Life Sciences
Healthcare organizations face severe exposure to North Korean APT's multi-malware campaign, threatening patient data through east-west traffic exploitation and HIPAA compliance violations.
Government Administration
Government agencies represent high-value targets for Lazarus Group's sophisticated ransomware operations, requiring enhanced zero trust segmentation and threat detection capabilities.
Information Technology/IT
The IT sector faces amplified risk from Comebacker backdoor and Blindingcan RAT deployment, necessitating robust egress security and multicloud visibility controls.
Sources
- Lazarus Group Picks a New Poison: Medusa Ransomware. https://www.darkreading.com/cyberattacks-data-breaches/lazarus-group-new-position-medusa-ransomware (Verified)
- Medusa Ransomware Claims 40+ Victims in 2025. https://www.infosecurity-magazine.com/news/medusa-claims-victims-2025/ (Verified)
- Critical Infrastructure Entities Warned About Medusa Ransomware as Victim Count Hits 300. https://www.hipaajournal.com/medusa-ransomware/ (Verified)
- Medusa Ransomware Uses Malicious Driver to Disable Anti-Malware with Stolen Certificates. https://thehackernews.com/2025/03/medusa-ransomware-uses-malicious-driver.html (Verified)
- Medusa Ransomware Detection: The FBI, CISA & Partners Warn of Increasing Attacks by Ransomware Developers and Affiliates Against Critical Infrastructure. https://socprime.com/blog/medusa-ransomware-attacks-covered-in-aa25-071a-detection/ (Verified)
Frequently Asked Questions
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust Cloud Native Security Fabric (CNSF) is pertinent to this incident as it could have constrained the attacker's ability to exploit vulnerabilities, escalate privileges, move laterally, establish command and control, and exfiltrate data, thereby reducing the overall blast radius of the attack.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: The attacker's ability to exploit unpatched vulnerabilities in public-facing applications may have been limited, reducing the likelihood of initial access.
Control: Zero Trust Segmentation
Mitigation: The attacker's ability to escalate privileges using custom malware could have been constrained, limiting their access to higher-level system functions.
Control: East-West Traffic Security
Mitigation: The attacker's lateral movement across the network could have been limited, reducing their ability to access critical systems.
Control: Multicloud Visibility & Control
Mitigation: The attacker's ability to establish and maintain command and control channels may have been constrained, reducing their persistence within the network.
Control: Egress Security & Policy Enforcement
Mitigation: The attacker's ability to exfiltrate sensitive data could have been limited, reducing the impact of data loss.
The attacker's ability to leverage stolen data for ransom demands could have been constrained, reducing the potential impact of the attack.
Impact at a Glance
Affected Business Functions
- Patient Care Services
- Medical Records Management
- Billing and Insurance Processing
Estimated downtime: 14 days
Estimated loss: $500,000
Patient health records, billing information, and insurance details.
Recommended Actions
Key Takeaways & Next Steps
- Implement regular patch management to address vulnerabilities in public-facing applications.
- Deploy Zero Trust Segmentation to limit lateral movement within the network.
- Utilize East-West Traffic Security to monitor and control internal communications.
- Enforce Egress Security & Policy Enforcement to prevent unauthorized data exfiltration.
- Establish Threat Detection & Anomaly Response mechanisms to identify and respond to malicious activities promptly.