Microsoft has discovered recent activity indicating that the Raspberry Robin worm is part of a complex and interconnected malware ecosystem, with links to other malware families and alternate infection methods beyond its original USB drive spread. These infections lead to follow-on hands-on-keyboard attacks and human-operated ransomware activity. Our continuous tracking of Raspberry Robin-related activity also shows a very active operation: Microsoft Defender for Endpoint data indicates that nearly 3,000 devices in almost 1,000 organizations have seen at least one Raspberry Robin payload-related alert in the last 30 days.
MALWARE FAMILIES: Raspberry Robin, IcedID - S0483, BumbleBee, Backdoor:Win32/Truebot, SocGholish
ATT&CK IDS: T1471 - Data Encrypted for Impact, T1199 - Trusted Relationship