North Korea's state-sponsored Lazarus Group has added yet another ransomware strain to its arsenal. New research from the Symantec and Carbon Black Threat Hunter Team reveals that the group has been observed deploying Medusa ransomware in an attack against an unnamed entity in the Middle East and, separately, attempting an unsuccessful breach of a healthcare organization in the United States. The findings represent a notable evolution in Lazarus's tactics. The group has previously been linked t
raas (44)
North Korea's state-sponsored Lazarus Group has added yet another ransomware strain to its arsenal. New research from the Symantec and Carbon Black Threat Hunter Team reveals that the group has been observed deploying Medusa ransomware in an attack against an unnamed entity in the Middle East and, separately, attempting an unsuccessful breach of a healthcare organization in the United States. The findings represent a notable evolution in Lazarus's tactics. The group has previously been linked t
North Korea's state-sponsored Lazarus Group has added yet another ransomware strain to its arsenal. New research from the Symantec and Carbon Black Threat Hunter Team reveals that the group has been observed deploying Medusa ransomware in an attack against an unnamed entity in the Middle East and, separately, attempting an unsuccessful breach of a healthcare organization in the United States. The findings represent a notable evolution in Lazarus's tactics. The group has previously been linked t
North Korea's state-sponsored Lazarus Group has added yet another ransomware strain to its arsenal. New research from the Symantec and Carbon Black Threat Hunter Team reveals that the group has been observed deploying Medusa ransomware in an attack against an unnamed entity in the Middle East and, separately, attempting an unsuccessful breach of a healthcare organization in the United States. The findings represent a notable evolution in Lazarus's tactics. The group has previously been linked t
North Korea's state-sponsored Lazarus Group has added yet another ransomware strain to its arsenal. New research from the Symantec and Carbon Black Threat Hunter Team reveals that the group has been observed deploying Medusa ransomware in an attack against an unnamed entity in the Middle East and, separately, attempting an unsuccessful breach of a healthcare organization in the United States. The findings represent a notable evolution in Lazarus's tactics. The group has previously been linked t
North Korea's state-sponsored Lazarus Group has added yet another ransomware strain to its arsenal. New research from the Symantec and Carbon Black Threat Hunter Team reveals that the group has been observed deploying Medusa ransomware in an attack against an unnamed entity in the Middle East and, separately, attempting an unsuccessful breach of a healthcare organization in the United States. The findings represent a notable evolution in Lazarus's tactics. The group has previously been linked t
North Korea's state-sponsored Lazarus Group has added yet another ransomware strain to its arsenal. New research from the Symantec and Carbon Black Threat Hunter Team reveals that the group has been observed deploying Medusa ransomware in an attack against an unnamed entity in the Middle East and, separately, attempting an unsuccessful breach of a healthcare organization in the United States. The findings represent a notable evolution in Lazarus's tactics. The group has previously been linked t
North Korea's state-sponsored Lazarus Group has added yet another ransomware strain to its arsenal. New research from the Symantec and Carbon Black Threat Hunter Team reveals that the group has been observed deploying Medusa ransomware in an attack against an unnamed entity in the Middle East and, separately, attempting an unsuccessful breach of a healthcare organization in the United States. The findings represent a notable evolution in Lazarus's tactics. The group has previously been linked t
North Korea's state-sponsored Lazarus Group has added yet another ransomware strain to its arsenal. New research from the Symantec and Carbon Black Threat Hunter Team reveals that the group has been observed deploying Medusa ransomware in an attack against an unnamed entity in the Middle East and, separately, attempting an unsuccessful breach of a healthcare organization in the United States. The findings represent a notable evolution in Lazarus's tactics. The group has previously been linked t
North Korea's state-sponsored Lazarus Group has added yet another ransomware strain to its arsenal. New research from the Symantec and Carbon Black Threat Hunter Team reveals that the group has been observed deploying Medusa ransomware in an attack against an unnamed entity in the Middle East and, separately, attempting an unsuccessful breach of a healthcare organization in the United States. The findings represent a notable evolution in Lazarus's tactics. The group has previously been linked t
North Korea's state-sponsored Lazarus Group has added yet another ransomware strain to its arsenal. New research from the Symantec and Carbon Black Threat Hunter Team reveals that the group has been observed deploying Medusa ransomware in an attack against an unnamed entity in the Middle East and, separately, attempting an unsuccessful breach of a healthcare organization in the United States. The findings represent a notable evolution in Lazarus's tactics. The group has previously been linked t
North Korea's state-sponsored Lazarus Group has added yet another ransomware strain to its arsenal. New research from the Symantec and Carbon Black Threat Hunter Team reveals that the group has been observed deploying Medusa ransomware in an attack against an unnamed entity in the Middle East and, separately, attempting an unsuccessful breach of a healthcare organization in the United States. The findings represent a notable evolution in Lazarus's tactics. The group has previously been linked t
North Korea's state-sponsored Lazarus Group has added yet another ransomware strain to its arsenal. New research from the Symantec and Carbon Black Threat Hunter Team reveals that the group has been observed deploying Medusa ransomware in an attack against an unnamed entity in the Middle East and, separately, attempting an unsuccessful breach of a healthcare organization in the United States. The findings represent a notable evolution in Lazarus's tactics. The group has previously been linked t
North Korea's state-sponsored Lazarus Group has added yet another ransomware strain to its arsenal. New research from the Symantec and Carbon Black Threat Hunter Team reveals that the group has been observed deploying Medusa ransomware in an attack against an unnamed entity in the Middle East and, separately, attempting an unsuccessful breach of a healthcare organization in the United States. The findings represent a notable evolution in Lazarus's tactics. The group has previously been linked t
CyberVolk is a pro-Russia hacktivist persona Sentinel Labs first documented in late 2024, and it has been tracked using multiple ransomware tools to conduct attacks aligned with Russian government interests. After seemingly lying dormant for most of 2025 due to Telegram enforcement actions, the group returned in August 2025 with a new RaaS offering called VolkLocker (aka CyberVolk 2.x).
Below, researchers examine the functionality of VolkLocker, including its Telegram-based automation, encrypti
Security researchers have reported on one of the fastest-growing and most formidable Ransomware-as-a-Service (RaaS) groups of 2025. Named “BlackLock” (aka El Dorado or Eldorado), the RaaS outfit has existed since March 2024, according to ReliaQuest, and has increased its number of data leak posts by an impressive 1425% quarter-on-quarter in Q4 of last quarter.
The threat intelligence vendor claimed that BlackLock could become the most active RaaS group in 2025. Although, like many other variants
The previous six months have seen heightened activity regarding new and emerging ransomware operations. Across the tail end of 2024 and into 2025, researchers have seen the rise of groups such as FunkSec, Nitrogen,, and Termite. In addition, we have seen the return of Cl0p and a new version of LockBit (aka LockBit 4.0).
Within this period of accelerated activity, the Ransomware-as-a-Service offerings HellCat and Morpheus have gained additional momentum and notoriety. Operators behind HellCat, in
While threat actors continue to rely on many “classic” tactics that have existed for decades, our threat predictions for the coming year largely focus on cybercriminals embracing bigger, bolder, and, from their perspectives, better attacks. From Cybercrime-as-a-Service (CaaS) groups becoming more specialized to adversaries using sophisticated playbooks that combine both digital and physical threats, cybercriminals are upping the ante to execute more targeted and harmful attacks.
In its 2025 thr
Last February of 2024, researchers at SentinelOne posted a write-up on Kryptina Ransomware-as-a-Service (RaaS), a free and open-source RaaS platform written for Linux. At the time, Kryptina provided all the components required to host a fully functional RaaS platform. This included automating payloads, managing multiple groups and campaigns nested within, and configuring the ransom payment requirements, such as the amount and type of payment. Despite such functionality, the offering struggled
Since its inception in February 2024, RansomHub has encrypted and exfiltrated data from at least 210 victims representing the water and wastewater, information technology, government services and facilities, healthcare and public health, emergency services, food and agriculture, financial services, commercial facilities, critical manufacturing, transportation, and communications critical infrastructure sectors. The affiliates leverage a double-extortion model by encrypting systems and exfiltrat
