Microsoft has published its investigation into Raspberry Robin, finding significant links between the worm and leading ransomware campaigns, as well as its key role in a wider malware ecosystem.
The current leading ransomware campaign, LockBit, has been shown to be in part facilitated by the Raspberry Robin worm and the now-shuttered Cl0p ransomware, which was another of the most prolific campaigns of 2021 and 2022, also used it to deploy payloads.
RELATED RESOURCE
Building a better password strategy for your business
Exploring the strategies and exploits that hackers are using to circumvent password security measures
Researchers observed devices infected with Raspberry Robin being installed with the FakeUpdates malware in July 2022, leading to activity attributed to the threat actor tracked as DEV-0243 - a ransomware-associated group whose actions overlap with those of the group tracked as EvilCorp by other security researchers.
Raspberry Robin-infected devices were first noticed deploying LockBit ransomware payloads in November 2021 and has since been observed dropping samples of malware such as IcedID, Bumblebee, and Truebot too.
Additionally, Microsoft observed in October 2022 Raspberry Robin being used in post-compromise activity attributed to another actor, DEV-0950. The widely abused Cobalt Strike penetration testing tool was successfully dropped on victims after a Raspberry Robin infection and this ultimately also led to the deployment of Cl0p ransomware.
“DEV-0950 traditionally uses phishing to acquire the majority of their victims, so this notable shift to using Raspberry Robin enables them to deliver payloads to existing infections and move their campaigns more quickly to ransomware stages,” said Microsoft.
Microsoft's data indicated that nearly 3,000 devices in almost 1,000 organisations have seen at least one Raspberry Robin payload-related alert in the last 30 days.
Raspberry Robin was publicly disclosed in May 2022 by security firm Red Canary which branded it a widely distributed worm. Since then, it’s evolved into one of the largest malware distribution platforms currently active, Microsoft said.
Microsoft also said it’s possible that the actors behind the Raspberry Robin-related malware campaigns are paying the worm's operators to install malware that could lead to additional attacks.
"Raspberry Robin’s infection chain is a confusing and complicated map of multiple infection points that can lead to many different outcomes, even in scenarios where two hosts are infected simultaneously," said Microsoft.
"There are numerous components involved; differentiating them could be challenging as the attackers behind the threat have gone to extreme lengths to protect the malware at each stage with complex loading mechanisms. These attackers also hand off to other actors for some of the more impactful attack stages, such as ransomware deployment."
Microsoft also said it's currently aware of and tracking at least four entry vectors used by Raspberry Robin to infect victim machines - vectors that were linked to hands-on-keyboard activity from threat actors. The end goal of these actions was most likely the deployment of ransomware, it added.
The tech giant underlined that developing a robust protection and detection strategy and investing in credential hygiene, least privileges, and network segmentation are keys to preventing the impact of these complex threats.
-
Bigger salaries, more burnout: Is the CISO role in crisis?In-depth CISOs are more stressed than ever before – but why is this and what can be done?
-
Cheap cyber crime kits can be bought on the dark web for less than $25News Research from NordVPN shows phishing kits are now widely available on the dark web and via messaging apps like Telegram, and are often selling for less than $25.
-
‘Phishing kits are a force multiplier': Cheap cyber crime kits can be bought on the dark web for less than $25 – and experts warn it’s lowering the barrier of entry for amateur hackers
News Research from NordVPN shows phishing kits are now widely available on the dark web and via messaging apps like Telegram, and are often selling for less than $25.
-
Healthcare systems are rife with exploits — and ransomware gangs have noticedNews Nearly nine-in-ten healthcare organizations have medical devices that are vulnerable to exploits, and ransomware groups are taking notice.
-
Alleged LockBit developer extradited to the USNews A Russian-Israeli man has been extradited to the US amid accusations of being a key LockBit ransomware developer.
-
February was the worst month on record for ransomware attacks – and one threat group had a field dayNews February 2025 was the worst month on record for the number of ransomware attacks, according to new research from Bitdefender.
-
CISA issues warning over Medusa ransomware after 300 victims from critical sectors impactedNews The Medusa ransomware as a Service operation compromised twice as many organizations at the start of 2025 compared to 2024
-
Warning issued over prolific 'Ghost' ransomware groupNews The Ghost ransomware group is known to act fast and exploit vulnerabilities in public-facing appliances
-
The Zservers takedown is another big win for law enforcementNews LockBit has been dealt another blow by law enforcement after Dutch police took 127 of its servers offline
-
There’s a new ransomware player on the scene: the ‘BlackLock’ group has become one of the most prolific operators in the cyber crime industry – and researchers warn it’s only going to get worse for potential victimsNews Security experts have warned the BlackLock group could become the most active ransomware operator in 2025
