Feb 25, 2026 · 5 min read
North Korea Is Ransoming American Hospitals to Fund Its Spy Operations
Symantec researchers have linked the Lazarus Group to Medusa ransomware attacks on US healthcare organizations and a Middle East entity. The proceeds fund North Korean espionage against defense and government targets.
Hospitals as Revenue Streams
North Korea's Lazarus Group, one of the most prolific state-backed hacking operations in the world, has added Medusa ransomware to its arsenal. Symantec and Carbon Black researchers confirmed in February 2026 that the group deployed the ransomware against at least one Middle East organization and attempted to breach a US healthcare provider.
Analysis of the Medusa leak site revealed four US healthcare and nonprofit organizations attacked since November 2025. The victims include a mental health nonprofit and an educational facility serving autistic children. The average ransom demand across these attacks was $260,000.
Ransomware Funds Espionage
This is not ordinary cybercrime. A July 2025 US Department of Justice indictment revealed that the Lazarus Group uses ransomware proceeds to fund espionage operations targeting defense contractors, technology firms, and government agencies in the United States, Taiwan, and South Korea.
The indicted operative, Rim Jong Hyok, is alleged to be a member of Stonefly, a Lazarus subgroup linked to North Korea's Reconnaissance General Bureau, the country's military intelligence agency. The FBI has posted a $10 million reward for information leading to his arrest.
Despite the indictment and international sanctions, the attacks have continued without pause. Researchers noted that North Korean actors "appear to have few scruples about targeting organizations in the US," a significant departure from other ransomware groups that avoid American healthcare targets to minimize law enforcement attention.
The Medusa Connection
Medusa is a ransomware-as-a-service operation run by a cybercriminal group called Spearwing. Since launching in 2023, it has claimed more than 366 attacks across the healthcare, education, legal, insurance, technology, and manufacturing sectors.
By adopting Medusa rather than developing proprietary ransomware, Lazarus gains operational advantages. Using an established service makes attribution more difficult because security researchers cannot immediately distinguish a North Korean operator from any other Medusa affiliate. The group previously used Maui and Play ransomware families in similar campaigns.
This tactical pivot reflects a pragmatic cost-benefit analysis: why build and maintain custom ransomware when you can rent a proven platform and blend in with the broader criminal ecosystem?
The Attack Toolkit
What gave Lazarus away was its custom tooling. Alongside the Medusa ransomware, the attackers deployed several tools exclusively associated with North Korean operations:
- Comebacker, a custom backdoor and loader that has been exclusively linked to Lazarus operations
- Blindingcan, a remote access trojan previously attributed to North Korean campaigns
- RP_Proxy, a custom proxying utility used to route communications through compromised infrastructure
- InfoHook, an information-stealing tool designed to harvest system data
The attackers also used publicly available tools, including Mimikatz for credential dumping and ChromeStealer for extracting saved passwords from Chrome browsers. This combination of custom and off-the-shelf tools is a hallmark of Lazarus operations.
Why Healthcare
Healthcare organizations make attractive ransomware targets because they cannot afford extended downtime. Patient care depends on access to electronic health records, scheduling systems, and diagnostic equipment. When those systems go offline, lives are at risk, and administrators face enormous pressure to pay quickly.
Most ransomware groups at least pretend to have ethical boundaries around healthcare. Some explicitly exclude hospitals from their targeting. North Korea's Lazarus Group has demonstrated no such restraint. Attacking a children's autism center and a mental health nonprofit makes the financial calculus clear: any organization with data worth ransoming is a legitimate target.
The Industrialization of State Cybercrime
The Lazarus Group's adoption of ransomware-as-a-service represents a broader trend: the industrialization of state-sponsored cybercrime. Nation-state actors are no longer just conducting espionage. They are running profit centers that fund their intelligence operations.
For healthcare organizations, the defense recommendations are familiar but urgent. Symantec advises maintaining offline backups, segmenting critical systems from general networks, monitoring for post-exploitation tools like Mimikatz, and implementing endpoint detection that can identify custom backdoors like Comebacker.
The uncomfortable reality is that every ransom payment to a Medusa affiliate could be funding North Korean espionage against Western defense and government targets. The line between cybercrime and state-sponsored warfare has effectively disappeared.