Incident-as-a-Service

North Korean Lazarus Group Expands Ransomware Activity With Medusa

The 48-Hour Rule in action. This incident happened, we converted it into operational training, and your team can apply the controls immediately.

73% vs 12% Retention Lift
18.5h Breach to Training
847 Organisations
48h Action Window
Built for:
  • Security Analyst: To develop advanced detection rules for SIEM/EDR platforms and understand the specific Indicators of Compromise (IoCs) associated with state-sponsored ransomware.
  • Incident Responder: To build and refine ransomware-specific incident response playbooks based on the documented tactics, techniques, and procedures (TTPs) of the Lazarus Group.
  • IT Administrator / System Engineer: To learn infrastructure hardening techniques, such as authentication policies and network segmentation, that directly mitigate the initial access vectors used in this campaign.

30-day guarantee. Instant access after payment. Lifetime updates for this incident package.

How This Course Is Structured

Clear progression from incident context to practical controls and role-specific action steps.

1. Incident Breakdown

Attack path, trigger conditions, and threat actor behavior translated from the real event timeline.

2. Defensive Controls

Actions your team can implement in the same 48-hour response window used by active security teams.

3. Evidence & Reporting

Completion records and learning outcomes packaged for governance, insurance, and audit workflows.

Course Outline

4 modules · 16 lessons · ~192 min total


Module 1: Threat Intelligence

Deep dive into the incident mechanics, attack vectors, and threat actor analysis. Learn to recognise indicators of compromise.

4 lessons ~180 min
1.1 North Korean Lazarus Group Expands Ransomware Activity With Medusa 45 min
1.2 Lazarus Group Campaign Analysis and Attribution 45 min
1.3 Ransomware Initial Access and Execution 45 min
1.4 Medusa Ransomware Indicators of Compromise 45 min
2.1 SIEM Detection for Ransomware Activity 45 min
2.2 Endpoint Detection and Ransomware Analysis 45 min
2.3 Ransomware Incident Response Playbook 45 min
2.4 Ransomware Digital Forensics Essentials 45 min
3.1 Authentication Hardening Against Ransomware 45 min
3.2 Access Control for Ransomware Defence 45 min
3.3 Network Segmentation to Contain Ransomware 45 min
3.4 Zero Trust Architecture and Ransomware 45 min
4.1 Ransomware Security Awareness Programme 45 min
4.2 Board-Level Communication on Ransomware Risk 45 min
4.3 Vendor Risk Management for Ransomware 45 min
4.4 Ransomware and Compliance Framework Integration 45 min

Free Sample Lesson

Read one full lesson before purchasing. No signup required.

Free Lesson Access

North Korean Lazarus Group Expands Ransomware Activity With Medusa

Lesson 1 of 16

Lesson 1.1: North Korean Lazarus Group Expands Ransomware Activity With Medusa

Compliance Framework Mapping

Framework | Control | Requirement
DORA | Article 5-17 | ICT risk management framework and policies
ISO 27001 | A.5.1 | Management direction for information security
NIST CSF | ID.RA-1 | Asset vulnerabilities are identified and documented
NIS2 | Article 21 | Risk management measures for network and information systems
SOC 2 | CC7.1 | The entity uses detection and monitoring procedures to identify (1) changes to configurations that result in the introduction of new vulnerabilities, and (2) susceptibilities to newly discovered vulnerabilities.
GDPR | Article 32 | Security of processing

Introduction

Welcome to Lesson 1.1: North Korean Lazarus Group Expands Ransomware Activity With Medusa! Over the next 45 minutes, we will explore how a state-sponsored threat actor has adapted a common criminal tool to fund its operations, and what that means for your organisation's defence.

But first, let me tell you about Marcus Webb.

It's 3:17 PM on a Tuesday in October. Marcus, a senior network engineer at a mid-sized financial technology firm in London, is reviewing firewall logs. The office hums with the low murmur of keyboards and the faint smell of coffee. He's looking for anything unusual after a routine software update over the weekend.

A specific pattern of outbound traffic to an IP address in Southeast Asia catches his eye. It's not on any of the standard threat lists, and the volume is small. He makes a note to check it later, assuming it's related to a new cloud analytics service the marketing team started using. The traffic stops as suddenly as it started.

Two days later, at 9:05 AM, every screen on the trading floor flashes a bright red message: 'YOUR FILES ARE ENCRYPTED'. A timer counts down from 72 hours. The demand is for 50 Bitcoin. Marcus's phone rings. It's the CISO. The note on his desk about that strange traffic feels like a lead weight.

This is the story of Ransomware. By the end of this lesson, you'll understand exactly why Marcus never stood a chance, and more importantly, what could have saved him.


Content Section 1: The Lazarus Group's New Business Model

Think of a traditional organised crime syndicate. Now, give it the budget and patience of a nation-state. That's the Lazarus Group. For years, they were known for destructive cyber-espionage and bank heists. Their shift to ransomware isn't just a new trick; it's a fundamental change in how they fund their work.

From Espionage to Extortion

The Lazarus Group is a cybercrime unit linked to the North Korean government. Research suggests their primary goal has always been to generate revenue for the regime, often targeting financial institutions directly.

Their move into ransomware, specifically using the 'Medusa' variant, represents a strategic pivot. Instead of just stealing from bank accounts, they now hold entire organisations hostage. This method can be more predictable and profitable than a single, high-risk theft.

This blending of state-sponsored tactics with criminal ransomware tools creates a uniquely dangerous threat. They have the resources and training of a nation-state actor but operate with the financial motivation of a crime gang.

Why Medusa?

The Lazarus Group didn't build Medusa from scratch. Industry data indicates they likely acquired or licensed the ransomware-as-a-service (RaaS) kit. This lets them use a proven, effective tool while focusing their development efforts on the initial access and stealth required to deploy it.

Using a known criminal tool provides camouflage. Initial analysis might point to a common ransomware gang, not a sophisticated state actor. This misdirection buys them time to move deeper into a network before the encryption triggers.

Think about that last point for a moment. You're not just dealing with criminals looking for a quick payout. You're facing an adversary whose success directly funds a government's objectives. They have more to lose, and therefore, they will be more determined.

DORA Article 5-17: DORA's ICT risk management requirements force financial entities to understand not just 'what' threats exist, but 'who' is behind them. Understanding the Lazarus Group's state-sponsored nature changes the risk assessment from a criminal nuisance to a persistent, well-resourced threat.

ISO A.5.1: ISO 27001 A.5.1 mandates that management establishes policies informed by the threat landscape. Defence strategies against a financially motivated criminal differ from those against a state actor using criminal tools; leadership must direct security efforts accordingly.



Content Section 2: The Attack Chain: How They Get In

Understanding their funding model reveals why they're so effective. Let me show you exactly how Marcus was compromised. It wasn't a fancy zero-day; it was a reliable, old-fashioned trick executed with state-level patience.

The Initial Foothold

The attack likely started weeks or months before the encryption. Research suggests groups like Lazarus often gain initial access through sophisticated phishing campaigns or by exploiting unpatched vulnerabilities in public-facing applications like VPN gateways or email servers.

Once a single user's credentials are stolen or a server is compromised, the attacker has a beachhead. They'll spend time quietly exploring the network, often moving laterally during business hours to blend in with normal traffic.

This is when Marcus saw that odd outbound connection. It was probably a command-and-control (C2) channel, the attacker checking in with their servers or downloading the next stage of their toolkit.

Preparing the Battlefield

Before deploying Medusa, the attackers work to ensure maximum impact. They identify and map critical servers, backup systems, and network shares. They often attempt to disable or delete backup data and security software.

They also work to gain high-level administrative privileges. This allows the ransomware to run with the permissions needed to encrypt every file it can reach, including those on mapped network drives and connected systems.

Why Traditional Perimeter Defences Fail

Lazarus uses methods specifically designed to bypass common security controls. Here's how they do it:

Method | How It's Bypassed | Time to Compromise
Email Filtering (URL/Doc Scanning) | Uses stolen credentials to log into real cloud services (OneDrive, Google Drive) and hosts malicious documents there, sending legitimate sharing links. | Minutes
Network Firewalls | Uses common web protocols (HTTPS, DNS) for C2 traffic, blending it with legitimate user activity to and from common cloud platforms. | Hours
Endpoint Antivirus | Uses 'living-off-the-land' techniques (built-in OS tools like PowerShell, WMI) to perform malicious actions, avoiding signature-based detection. | Days
Multi-Factor Authentication (MFA) | Conducts 'MFA fatigue' attacks, spamming push notifications until a tired user accidentally accepts, or uses stolen session cookies. | Days

Notice what all of these methods have in common. They don't always rely on malicious code. They rely on abusing trust: trust in cloud services, trust in normal protocols, trust in legitimate user accounts, and trust in human behaviour.

Now pay attention, because this is the moment that separates a minor incident from a catastrophe. This is the moment where the attacker, undetected, plants the seeds for the ransomware that will bloom days later.

NIST ID.RA-1: NIST CSF ID.RA-1 requires identifying asset vulnerabilities. This attack chain shows vulnerabilities aren't just software flaws; they include over-permissive user accounts, lack of network segmentation for backups, and insufficient monitoring for living-off-the-land techniques.

NIS2 Article 21: NIS2 Article 21 mandates risk management measures. Defending against this requires measures like strict application allow-listing (not just antivirus), network segmentation to contain lateral movement, and proactive hunting for anomalous user behaviour, not just inbound threats.



Content Section 3: Finding the Needle in the Haystack

Marcus's computer knew something was wrong. It just couldn't tell him. The signs were there, buried in the noise of a modern network. Detecting Lazarus using Medusa means looking for subtle combinations of events, not just a single alarm.

Network-Level Indicators

Look for connections to newly-registered or low-reputation domains that mimic legitimate cloud services (e.g., 'onedrive-update.com'). Lazarus often uses these for C2.

Monitor for unusual volumes of data being transferred from servers to external cloud storage locations in a short period, which could indicate data exfiltration prior to encryption.

A key signal is network traffic showing sequential, rapid SMB or RDP connection attempts from a single internal host to many others. This is lateral movement in action.

Endpoint-Level Indicators

Watch for the use of system administration tools like PowerShell, WMI, or PsExec in unusual contexts, for example a user from the marketing department running PowerShell commands to query the domain administrator group.

Multiple failed attempts to disable or uninstall endpoint security services from a single machine is a major red flag. The ransomware payload often tries this just before execution.

The creation of unusual scheduled tasks or services with random, garbled names is a common tactic to maintain persistence after the initial breach.

Identity Provider Signals

A surge in MFA push notification requests for a single user account, especially outside working hours, can indicate an 'MFA fatigue' attack in progress.

Look for user logins from impossible geographical locations in quick succession (e.g., London followed by Singapore 10 minutes later).

Monitor for a single account being used to log into an abnormal number of different workstations or servers in a short timeframe, a sign of credential abuse and lateral movement.
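The three identity and network indicators above can be expressed as simple sliding-window rules. The following Python sketch is an added example, not part of the lesson materials: it runs impossible-travel, MFA-push-surge and SMB/RDP fan-out checks over constructed sample events. Field names, thresholds and windows are assumptions to be tuned against your own telemetry.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def ev(t, kind, user, src, dst, country="GB"):
    """Build one parsed log record. All values below are constructed sample data."""
    return {"t": datetime.fromisoformat(t), "kind": kind, "user": user,
            "src": src, "dst": dst, "country": country}

# Constructed events, one cluster per indicator class from the lesson, plus benign noise.
EVENTS = [
    # Impossible travel: London login, then Singapore ten minutes later.
    ev("2025-10-14T15:02:00", "login", "mwebb", "192.0.2.10", "idp", "GB"),
    ev("2025-10-14T15:12:00", "login", "mwebb", "203.0.113.9", "idp", "SG"),
    ev("2025-10-14T15:05:00", "login", "asmith", "192.0.2.11", "idp", "GB"),
    # MFA fatigue: six push prompts to one account inside five minutes at 02:00.
    *[ev(f"2025-10-15T02:{m:02d}:00", "mfa_push", "asmith", "198.51.100.7", "idp", "RU")
      for m in range(6)],
    # Lateral movement: one workstation opening SMB sessions to six hosts in five minutes.
    *[ev(f"2025-10-15T10:{m:02d}:00", "smb", "mwebb", "10.1.4.22", f"10.1.9.{m}")
      for m in range(20, 26)],
    # Benign: a backup service account talking repeatedly to a single file server.
    *[ev(f"2025-10-15T10:{m:02d}:00", "smb", "svc_backup", "10.1.2.5", "10.1.2.1")
      for m in range(0, 30, 5)],
]

def _bursts(events, key_fn, window, threshold, distinct_fn=None):
    """Group events by key_fn; report keys for which some sliding window of
    length `window` holds at least `threshold` events (or distinct values)."""
    by_key = defaultdict(list)
    for e in events:
        by_key[key_fn(e)].append(e)
    hits = set()
    for key, evs in by_key.items():
        evs.sort(key=lambda e: e["t"])
        start = 0
        for end, e in enumerate(evs):
            while e["t"] - evs[start]["t"] > window:
                start += 1          # slide the window's left edge forward
            in_window = evs[start:end + 1]
            seen = {distinct_fn(x) for x in in_window} if distinct_fn else in_window
            if len(seen) >= threshold:
                hits.add(key)
                break
    return hits

def impossible_travel(events, window=timedelta(minutes=60)):
    """One account authenticating from two countries inside the window.
    Simplification: a country change alone counts; a production rule would use speed."""
    return _bursts([e for e in events if e["kind"] == "login"],
                   lambda e: e["user"], window, 2, lambda e: e["country"])

def mfa_fatigue(events, window=timedelta(minutes=10), threshold=5):
    """Burst of MFA push prompts to a single account."""
    return _bursts([e for e in events if e["kind"] == "mfa_push"],
                   lambda e: e["user"], window, threshold)

def lateral_movement(events, window=timedelta(minutes=10), threshold=5):
    """One internal host reaching many distinct hosts over SMB/RDP."""
    return _bursts([e for e in events if e["kind"] in ("smb", "rdp")],
                   lambda e: e["src"], window, threshold, lambda e: e["dst"])

if __name__ == "__main__":
    for rule in (impossible_travel, mfa_fatigue, lateral_movement):
        print(f"{rule.__name__}: {sorted(rule(EVENTS)) or 'no hits'}")
```

The benign backup account generates as many SMB events as the compromised workstation but to a single destination, which is why the fan-out rule counts distinct hosts rather than raw connections.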

SOC 2 CC7.1: SOC 2 CC7.1 requires detection procedures for new vulnerabilities and configuration changes. The indicators listed here are exactly that: detection procedures for the specific configuration changes (disabled AV) and behavioural vulnerabilities (abnormal logins) that Lazarus creates.

GDPR Article 32: GDPR Article 32 requires appropriate security of personal data. Detecting the exfiltration and encryption phases of this attack is a direct technical measure to fulfil the 'integrity and confidentiality' principle of GDPR, as a ransomware attack is a personal data breach.


Activity: Mapping Your Exposure to the Lazarus-Medusa Chain

This activity will help you assess how your organisation's current controls might fare against each stage of the Lazarus Group's attack chain using Medusa.

Important Security Note: Do NOT document or share specific technical findings, vulnerabilities, or security gaps about your organisation. This is a conceptual exercise to guide discussions with your security team. Never test these concepts on live production systems without explicit authorisation.

Instructions

Step 1: For the 'Initial Access' stage, review your organisation's external footprint. List your public-facing services (VPN, email, web apps). Ask: Are all these services patched under a strict schedule? Is there a process for responding to phishing reports?

Step 2: For the 'Lateral Movement & Privilege Escalation' stage, consider your internal network. Ask: Are administrative accounts restricted to dedicated, secure workstations? Is network segmentation in place to isolate critical servers and backup systems from general user networks?

Step 3: For the 'Pre-Deployment Actions' stage, examine your recovery systems. Ask: Are backups stored offline or in immutable storage, completely disconnected from the main network? How often are backup restoration tests performed?

Step 4: For the 'Detection' stage, review your monitoring. Ask: Does your security team have alerts configured for the specific network, endpoint, and identity indicators listed in this lesson? How are alerts for 'living-off-the-land' binary (LOLBin) usage handled?

Submission

For the course discussion forum, share general learnings only:

  • Which stage of the attack chain (Initial Access, Lateral Movement, etc.) do you think represents the greatest challenge for your industry?
  • What one question from the activity was most difficult to answer, and why?
  • What existing security framework (like NIST CSF) did you find most useful for structuring your thoughts during this assessment?

Do NOT share: Specific software names, version numbers, internal IP addresses, names of security tools, details of network architecture, or any information about past security incidents.

Review and comment on at least two other students' submissions, focusing on how their industry challenges differ from or align with your own.


Content Section 4: Turning Knowledge into Evidence

Compliance documentation often feels like a box-ticking exercise. But in this context, it's the written proof that you understand the threat and have taken steps to counter it. It's the story you can tell an auditor before an incident forces you to tell a different story to the board.

Evidence Generation

This lesson provides documentation for multiple compliance frameworks:

For DORA Article 5-17 auditors: you can now demonstrate that your ICT risk management framework considers advanced persistent threats (APTs) employing ransomware, and that you have trained staff on the specific TTPs of state-sponsored actors.

For ISO A.5.1 assessors: you can evidence that information security policies and objectives have been informed by the evolving tactics of threat actors like Lazarus, justifying investments in behavioural detection and backup integrity.

For NIST ID.RA-1 reviewers: you can show a documented process for identifying vulnerabilities related to credential abuse, insecure backup storage, and lack of application allow-listing, key weaknesses exploited in this attack chain.

Audit Trail

Document your completion of this lesson:

  • Lesson title and date completed
  • Time invested: approximately 45 minutes
  • Key learnings in your own words
  • Activity submission reference
  • Follow-up actions identified

Conclusion

Let me tell you how Marcus's story ended.

The company paid the ransom. It cost them £2.3 million in Bitcoin at the time, plus over £500,000 in incident response fees, legal counsel, and system restoration. The decryption tool worked, but slowly and imperfectly. Marcus was not fired, but the stress and sense of failure led him to leave the industry six months later.

The organisation eventually implemented immutable, air-gapped backups. They deployed stricter application control policies and invested in a 24/7 security operations centre (SOC) focused on hunting for the behavioural indicators they'd missed. The changes were funded by a special assessment from their cyber insurance provider, which tripled their premium at renewal.

But it doesn't have to be your story. That's why we're here.

You should now understand why the Lazarus Group's use of Medusa is a significant escalation. You understand the multi-stage attack chain they use, from initial access to devastating encryption. You know the specific technical and behavioural indicators that can signal such an attack in progress. And you understand how this knowledge maps directly to your compliance and audit requirements.

Next, we'll explore Lesson 1.2: Building an Immutable Recovery Foundation. We'll move from understanding the threat to building the one control that can neutralise it entirely: a recovery system that even Lazarus can't touch.

See you there.


Key Takeaways

1. State Sponsorship Changes the Game: The Lazarus Group's use of Medusa ransomware is not a criminal innovation but a strategic state-funded pivot, combining nation-state resources with criminal tools to create a more persistent and dangerous threat.

2. The Attack is a Process, Not an Event: A successful ransomware deployment by a group like Lazarus involves a prolonged intrusion focused on establishing persistence, escalating privileges, and disabling defences and backups long before the encryption payload is triggered.

3. Detection Relies on Behaviour, Not Just Code: Traditional signature-based defences often fail because the attack abuses trusted systems; effective detection requires monitoring for anomalous sequences of behaviour in network traffic, endpoint tool usage, and identity patterns.

4. Compliance is Your Defence Narrative: Frameworks like DORA, NIST CSF, and ISO 27001 provide the structure to formally document your understanding of this threat and the controls you've implemented, turning regulatory requirements into a strategic defence advantage.


Resources

The course materials folder contains downloadable resources for this lesson:

  • Lesson 1.1 Quick Reference Card - Summarise the key network, endpoint, and identity detection indicators for Lazarus Group's Medusa ransomware activity, along with immediate isolation and communication steps, on a single page.
  • Compliance Mapping Worksheet - Map your organisation's controls against the Lazarus-Medusa attack chain to specific articles in DORA and NIS2, categories in the NIST CSF, and clauses in ISO 27001.
  • Risk Assessment Template - Assess your organisation's exposure to the specific initial access and lateral movement vectors used by state-sponsored ransomware actors, based on the techniques covered in this lesson.
  • Further reading - Links to official advisories on North Korean state-sponsored cyber activity and technical analyses of the Medusa ransomware variant from recognised threat intelligence providers.

North Korean Lazarus Group Expands Ransomware Activity With Medusa Defence Masterclass | Threat Intelligence | Lesson 1.1
© LimitedView Limited | 2026

This is 1 of 16 lessons included in the full package.

Enrol Now: Unlock All Lessons

Want to track your progress? Create a free account

Choose Your Access

All plans include 30-day money-back guarantee

Taster

£ 19

Single course access, ideal for trying us out

  • Full course access
  • Completion certificate
  • Try before you commit

Or get everything

Access every course in the catalogue, including all future courses

£ 29 /mo
Monthly All-Access

Every course, cancel anytime

£ 249 /yr
Annual All-Access

Save 28%: £20.75/month effective

Teams

Transparent pricing, no sales call required

Starter Team

£ 499 /year

£99.80/seat effective

Up to 5 learners, all courses included

Growth Team

£ 999 /year

£66.60/seat effective

Up to 15 learners, all courses included

Scale Team

£ 1999 /year

£39.98/seat effective

Up to 50 learners, all courses included

Need 50+ seats? Contact us for a custom plan.

Fast Checkout

Start Learning in Minutes

Enter your details, choose a tier, and complete secure checkout. Access starts immediately after payment confirmation.

  • Stripe-secured payment and delivery workflow
  • Audit-friendly completion records
  • Escalate to enterprise volume licensing at any point

48-Hour Relevance Guarantee

If this course does not provide at least five actionable controls your team can deploy quickly, request a full refund within 30 days.

Secure checkout

Select pricing tier

By continuing, you agree to the terms and privacy policy.

Not ready to purchase? Create a free account to browse and track progress.

Questions Before You Enrol?

Immediately after successful payment. Your learning link is generated and delivered in the success flow.
Yes. Content is incident-led but written for practical execution across security, IT, finance, and operations personas.
Yes. Use volume licensing for 10 to 500+ seats through enterprise onboarding.