Lazarus Group Deploys Medusa Ransomware in Its Attacks
The Lazarus Group has been active since at least 2009. In 2014 it rose to prominence through the alleged attack on Sony Pictures Entertainment, which catapulted its notoriety. This threat group is believed to be sponsored by North Korea's Reconnaissance General Bureau and to be responsible for several campaigns such as Operation Flame, Operation Troy, Operation 1Mission and others. The group operates with several malware and ransomware families and stands out for its ability to adapt and reorganize around whatever its priorities are at the time, although the public tends to use the name "Lazarus" to cover several North Korean operators, since the group is suspected to be split into units with different focuses.
In a recent Symantec report, a Lazarus unit, possibly the one known as Andariel or Stonefly, was observed using Medusa ransomware for the first time to carry out cyberattacks against U.S. healthcare providers. It is suspected to be working together with another group known as Diamond Sleet (usually focused on media, defense and the IT industry), since clues point to the use of the same toolset; however, some utilities bundled with Medusa ransomware could mean this is a false positive.
Some of the tools Lazarus has used in its latest ransomware campaigns include Comebacker, Blindingcan, ChromeStealer, Curl, Infohook, Mimikatz and RP_Proxy. This set ranges from tools used only by the Lazarus group (Andariel/Stonefly), such as Comebacker, to utilities native to many operating systems, such as Curl. The group has also adopted the "Bring Your Own Vulnerable Driver (BYOVD)" tactic, which has been gaining popularity among multiple threat actors, and Lazarus complements it with "EDR killers", which completely disable EDR software and other enterprise defenses.
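As an added example (not from the Symantec report or from any of the tools named above), the following Python triage routine shows what a defender can do with driver-load telemetry against BYOVD: it parses Sysmon Event ID 6 (driver loaded) records, in a constructed key=value flattening with placeholder hashes, and flags loads that match a known-vulnerable-driver blocklist, come from outside the system driver directories, or lack a valid signature.

```python
"""BYOVD triage over Sysmon Event ID 6 (driver loaded) records. Added example, not from the
report; the log format is a constructed key=value flattening and all hashes are placeholders."""
import re
from dataclasses import dataclass

# Placeholder blocklist (constructed); in practice, a vendor list of known-vulnerable drivers.
KNOWN_VULNERABLE_SHA256 = {"e" * 64}
TRUSTED_DRIVER_DIRS = ("c:\\windows\\system32\\drivers\\", "c:\\windows\\system32\\driverstore\\")

@dataclass
class DriverLoad:
    image: str
    sha256: str
    signed: bool
    signature_status: str

def parse_driver_event(line: str) -> DriverLoad:
    """Split 'Key=Value; Key=Value' fields; the Hashes value itself holds 'SHA256=...,MD5=...'."""
    fields = dict(re.findall(r"(\w+)=([^;]*)", line))
    hashes = dict(h.split("=", 1) for h in fields.get("Hashes", "").split(",") if "=" in h)
    return DriverLoad(
        image=fields["ImageLoaded"].strip(),
        sha256=hashes.get("SHA256", "").strip().lower(),
        signed=fields.get("Signed", "").strip().lower() == "true",
        signature_status=fields.get("SignatureStatus", "").strip(),
    )

def triage(load: DriverLoad) -> list[str]:
    """Reasons this load deserves attention (empty = nothing notable). BYOVD drivers are
    usually validly signed, so the blocklist and path checks carry most of the weight."""
    reasons = []
    if load.sha256 in KNOWN_VULNERABLE_SHA256:
        reasons.append("hash on known-vulnerable driver blocklist")
    if not load.image.lower().startswith(TRUSTED_DRIVER_DIRS):
        reasons.append("loaded from outside the system driver directories")
    if not load.signed or load.signature_status.lower() != "valid":
        reasons.append("unsigned or signature not valid")
    return reasons

def triage_log(lines: list[str]) -> dict[str, list[str]]:
    """Map each Event ID 6 driver image path to its triage findings."""
    loads = [parse_driver_event(ln) for ln in lines if "EventID=6" in ln]
    return {ld.image: triage(ld) for ld in loads}

# Constructed samples: normal driver; signed vulnerable driver in a user-writable path (BYOVD); unsigned driver.
SAMPLE_EVENTS = [
    "EventID=6; ImageLoaded=C:\\Windows\\System32\\drivers\\tcpip.sys; Hashes=SHA256=" + "1" * 64 + "; Signed=true; SignatureStatus=Valid",
    "EventID=6; ImageLoaded=C:\\Users\\Public\\drv.sys; Hashes=SHA256=" + "e" * 64 + ",MD5=" + "2" * 32 + "; Signed=true; SignatureStatus=Valid",
    "EventID=6; ImageLoaded=C:\\ProgramData\\k.sys; Hashes=SHA256=" + "3" * 64 + "; Signed=false; SignatureStatus=Unavailable",
]
```

Because a BYOVD driver carries a valid vendor signature, the signature check alone would have passed the second sample; only the hash and path checks surface it.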
The aggressiveness of the attacks and the lack of restraint in targeting healthcare organizations, hospitals in particular, indicate that the Lazarus Group has little interest in protecting its reputation as long as it achieves its objectives.
Taxonomy
| Tactic | ID | Name |
| --- | --- | --- |
| Defense Evasion, Privilege Escalation | T1134 | Access Token Manipulation: Create Process with Token |
| Discovery | T1087 | Account Discovery: Domain Account |
| Defense Evasion, Persistence, Privilege Escalation | T1098 | Account Manipulation |
| Resource Development | T1583 | Acquire Infrastructure |
| Collection, Credential Access | T1557 | Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay |
| Command and Control | T1071 | Application Layer Protocol: Web Protocols |
| Discovery | T1010 | Application Window Discovery |
| Collection | T1560 | Archive Collected Data |
| Persistence, Privilege Escalation | T1547 | Boot or Logon Autostart Execution |
| Credential Access | T1110 | Brute Force |
| Resource Development | T1584 | Compromise Infrastructure |
| Persistence, Privilege Escalation | T1543 | Create or Modify System Process: Windows Service |
| Impact | T1485 | Data Destruction |
| Command and Control | T1132 | Data Encoding: Standard Encoding |
| Collection | T1005 | Data from Local System |
| Command and Control | T1001 | Data Obfuscation: Protocol or Service Impersonation |
| Collection | T1074 | Data Staged: Local Data Staging |
| Defense Evasion | T1622 | Debugger Evasion |
| Impact | T1491 | Defacement: Internal Defacement |
| Defense Evasion | T1140 | Deobfuscate/Decode Files or Information |
| Resource Development | T1587 | Develop Capabilities: Malware |
| Impact | T1561 | Disk Wipe |
| Initial Access | T1189 | Drive-by Compromise |
| Command and Control | T1573 | Encrypted Channel: Symmetric Cryptography |
| Resource Development | T1585 | Establish Accounts |
| Exfiltration | T1048 | Exfiltration Over Alternative Protocol |
| Exfiltration | T1041 | Exfiltration Over C2 Channel |
| Exfiltration | T1567 | Exfiltration Over Web Service |
| Execution | T1203 | Exploitation for Client Execution |
| Command and Control | T1008 | Fallback Channels |
| Discovery | T1083 | File and Directory Discovery |
| Reconnaissance | T1589 | Gather Victim Identity Information: Email Addresses |
| Reconnaissance | T1591 | Gather Victim Org Information |
| Defense Evasion | T1564 | Hide Artifacts: Hidden Files and Directories |
| Defense Evasion, Persistence, Privilege Escalation | T1574 | Hijack Execution Flow |
| Defense Evasion | T1656 | Impersonation |
| Defense Evasion | T1070 | Indicator Removal |
| Defense Evasion | T1202 | Indirect Command Execution |
| Command and Control | T1105 | Ingress Tool Transfer |
| Collection | T1056 | Input Capture: Keylogging |
| Lateral Movement | T1534 | Internal Spearphishing |
| Discovery | T1680 | Local Storage Discovery |
| Defense Evasion | T1036 | Masquerading |
| Command and Control | T1104 | Multi-Stage Channels |
| Execution | T1106 | Native API |
| Discovery | T1046 | Network Service Discovery |
| Command and Control | T1571 | Non-Standard Port |
| Defense Evasion | T1027 | Obfuscated Files or Information |
| Resource Development | T1588 | Obtain Capabilities |
| Initial Access | T1566 | Phishing: Spearphishing Attachment |
| Defense Evasion, Persistence | T1542 | Pre-OS Boot: Bootkit |
| Discovery | T1057 | Process Discovery |
| Defense Evasion, Privilege Escalation | T1055 | Process Injection: Dynamic-link Library Injection |
| Command and Control | T1090 | Proxy: Internal Proxy |
| Discovery | T1012 | Query Registry |
| Defense Evasion | T1620 | Reflective Code Loading |
| Lateral Movement | T1021 | Remote Services: Remote Desktop Protocol |
| Execution, Persistence, Privilege Escalation | T1053 | Scheduled Task/Job: Scheduled Task |
| Reconnaissance | T1593 | Search Open Websites/Domains: Social Media |
| Persistence, Privilege Escalation | T1505 | Server Software Component: IIS Components |
| Impact | T1489 | Service Stop |
| Resource Development | T1608 | Stage Capabilities: Upload Malware |
| Defense Evasion | T1553 | Subvert Trust Controls: Code Signing |
| Defense Evasion | T1218 | System Binary Proxy Execution |
| Discovery | T1082 | System Information Discovery |
| Discovery | T1614 | System Location Discovery: System Language Discovery |
| Discovery | T1016 | System Network Configuration Discovery |
| Discovery | T1049 | System Network Connections Discovery |
| Discovery | T1033 | System Owner/User Discovery |
| Impact | T1529 | System Shutdown/Reboot |
| Discovery | T1124 | System Time Discovery |
| Defense Evasion | T1221 | Template Injection |
| Execution | T1204 | User Execution: Malicious Link |
| Defense Evasion, Initial Access, Persistence, Privilege Escalation | T1078 | Valid Accounts |
| Defense Evasion | T1497 | Virtualization/Sandbox Evasion: System Checks |
| Command and Control | T1102 | Web Service: Bidirectional Communication |
| Discovery, Execution, Lateral Movement | T1047 | Windows Management Instrumentation |
| Defense Evasion, Execution | T1220 | XSL Script Processing |
| Initial Access | T0865 | Spearphishing Attachment |
Indicators of compromise
Recommendations
- Establish network-based SSH access controls to minimize the attack surface.
- Audit remote access tools. (NIST CSF, 2024)
- Review execution logs for remote access software. (NIST CSF, 2024)
- Strictly limit the use of the SMB and RDP protocols.
- Carry out security audits. (NIST CSF, 2024)
- Disable services and processes that are not required, to reduce attack vectors. (NIST CSF, 2024)
- Deploy email and spam filtering.
- Raise employee awareness of phishing and social engineering methods.
- Take backups regularly.
- Keep backups disconnected from the organization's network, and continuously verify their confidentiality, integrity and availability.
- Continuously review user privileges.
- Have a robust EDR solution, properly configured according to best practices (per the vendor's documentation).
- Enable multi-factor authentication.
References
- Lakshmanan, R. (2026, February 24). Lazarus Group Uses Medusa Ransomware in Middle East and U.S. Healthcare Attacks. The Hacker News. Retrieved March 1, 2026, from: https://thehackernews.com/2026/02/lazarus-group-uses-medusa-ransomware-in.html
- Threat Hunter Team. (2026, February 24). North Korean Lazarus Group Now Working With Medusa Ransomware. SECURITY.COM. Retrieved March 1, 2026, from: https://www.security.com/threat-intelligence/lazarus-medusa-ransomware
- Toulas, B. (2026, February 24). North Korean Lazarus group linked to Medusa ransomware attacks. BleepingComputer. Retrieved March 1, 2026, from: https://www.bleepingcomputer.com/news/security/north-korean-lazarus-group-linked-to-medusa-ransomware-attacks/
- Wright, R. (2026, February 24). Lazarus Group Picks a New Poison: Medusa Ransomware. DarkReading. Retrieved March 1, 2026, from: https://www.darkreading.com/cyberattacks-data-breaches/lazarus-group-new-position-medusa-ransomware