Lazarus Group Pivot: Medusa Ransomware Targets Healthcare & Middle East
Just caught the latest report from Broadcom's Symantec and Carbon Black teams regarding the Lazarus Group (Diamond Sleet) utilizing Medusa ransomware. It’s a notable shift seeing a state-sponsored actor deploy commodity ransomware like Medusa, particularly against a healthcare target in the U.S. and an entity in the Middle East.
Historically, Lazarus has stuck to espionage or crypto-heists, but this move signals a push towards the "double extortion" model—encrypting data and threatening leaks. Medusa typically operates by gaining initial access via exposed RDP or phishing, then moving laterally using tools like Mimikatz or AnyDesk.
From a defensive standpoint, Medusa is aggressive about wiping backups. You'll want to monitor for VSS shadow copy deletions immediately. Here is a Sigma rule whose logic can be translated to your SIEM to catch this specific behavior:
```yaml
title: Potential Medusa Ransomware Activity - VSS Deletion
status: experimental
description: Detects attempts to delete Volume Shadow Copies via vssadmin or wmic.
logsource:
    category: process_creation
    product: windows
detection:
    # Within a selection, listed values for one field are OR-ed;
    # the fields themselves are AND-ed, so both Image and CommandLine must match.
    selection:
        Image|endswith:
            - '\\vssadmin.exe'
            - '\\wmic.exe'
        CommandLine|contains:
            - 'delete shadows'
            - 'shadowcopy delete'
    condition: selection
```
Additionally, Medusa typically drops a ransom note named !!!READ_ME_MEDUSA!!!.txt. While the U.S. healthcare attack was reportedly unsuccessful, the telemetry suggests they are actively probing the sector.
Are others seeing evidence of Medusa adoption by APTs in your sectors? What’s your primary mitigation for rapid VSS destruction?
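To show what the posted rule actually fires on, here is an added example (not from the report, the Sigma project, or the original post) that evaluates the rule's detection block against a few constructed Sysmon-style process_creation events; the event field names and the sample command lines are assumptions.

```python
# Detection block of the posted Sigma rule, transcribed as a dict.
# Keys are "Field|modifier"; values in a list are OR-ed, fields are AND-ed.
# Sigma's '\\vssadmin.exe' is an escaped single backslash, hence "\\" here.
SELECTION = {
    "Image|endswith": ["\\vssadmin.exe", "\\wmic.exe"],
    "CommandLine|contains": ["delete shadows", "shadowcopy delete"],
}


def _match_field(value, modifier, patterns):
    """Apply one Sigma string modifier. Sigma string matching is
    case-insensitive by default, so both sides are lower-cased."""
    v = value.lower()
    pats = [p.lower() for p in patterns]
    if modifier == "endswith":
        return any(v.endswith(p) for p in pats)
    if modifier == "contains":
        return any(p in v for p in pats)
    raise ValueError(f"unsupported modifier: {modifier}")


def matches_selection(event, selection=SELECTION):
    """True only if every field in the selection matches (AND); a missing
    field never matches."""
    for key, patterns in selection.items():
        field, modifier = key.split("|", 1)
        if field not in event or not _match_field(event[field], modifier, patterns):
            return False
    return True


# Constructed sample events (not real telemetry from the report).
EVENTS = [
    {"Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe delete shadows /all /quiet"},
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe",      # mixed case on purpose
     "CommandLine": "wmic shadowcopy delete"},
    {"Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin list shadows"},            # benign enumeration
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd /c echo delete shadows"},       # right string, wrong image
]


def alerts(events):
    """Return the command lines of the events the rule would fire on."""
    return [e["CommandLine"] for e in events if matches_selection(e)]


if __name__ == "__main__":
    for line in alerts(EVENTS):
        print("ALERT:", line)
```

Only the two genuine deletion attempts are returned; the `list shadows` enumeration and the cmd.exe echo are ignored because both the Image and CommandLine conditions must hold.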
We've actually seen a spike in vssadmin calls in our honeypots recently. The Sigma rule you posted is solid, but we also added a correlation rule looking for wmic.exe spawning from powershell.exe followed by a process stop command. It cuts down on the false positives compared to just watching for vssadmin alone. Also, blocking the execution of vssadmin.exe via AppLocker is a quick win if your environment allows it.
The healthcare mention is terrifying. We work with several small clinics and their legacy systems are wide open. We've been pushing immutable backups (WORM storage) hard this quarter. If Lazarus is getting into the game with commodity ransomware, the barrier to entry for sophisticated attacks on underfunded hospitals just dropped significantly.
Interesting pivot. Medusa source code allegedly leaked a while back, which might be why Lazarus is adopting it—easier to customize or repurpose than building from scratch. The IOCs from the report suggest they are still relying on Certutil for download stages. Watching for base64 encoded strings in certutil arguments is another good detection vector.