Raspberry Robin Linked to Clop Ransomware Attacks
Microsoft Connects Worm Malware to Pre-Ransomware Activity.
A threat group tracked as DEV-0950 was revealed to have used Clop ransomware to encrypt the network of victims previously infected with the Raspberry Robin worm.
The Windows malware has worm capabilities: it spreads via infected USB devices to other devices on a target's network.
After a USB device containing a malicious .LNK file is attached and the link is accessed, the worm spawns an msiexec process via cmd to launch a second malicious file stored on the infected drive. On compromised Windows devices, it then communicates with its command-and-control (C2) servers.
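The process chain described above (link opened from removable media, cmd.exe launching msiexec.exe against a file on that drive) is something endpoint telemetry can be checked for. The following is an added detection example, not code from Microsoft's report; it assumes process-creation events shaped like Sysmon Event ID 1 records (pid, ppid, image, cmdline), a constructed set of removable drive letters, and constructed sample events.

```python
import ntpath
import re

# Drive letters the (hypothetical) endpoint reports as removable media.
# Constructed for this example; in practice this comes from device telemetry.
REMOVABLE_DRIVES = {"E", "F"}

# Constructed process-creation events loosely modelled on Sysmon Event ID 1
# fields. Sample data for illustration, not telemetry from a real incident.
SAMPLE_EVENTS = [
    {"pid": 1200, "ppid": 800, "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
    {"pid": 4120, "ppid": 1200, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c start msiexec /q /i E:\setup.msi"},
    {"pid": 4188, "ppid": 4120, "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"msiexec /q /i E:\setup.msi"},
    # Benign: an installer run by the user from the system drive.
    {"pid": 5000, "ppid": 1200, "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"msiexec /i C:\Users\alice\Downloads\tool.msi"},
    # Benign: cmd.exe launching msiexec, but the package sits on a fixed disk.
    {"pid": 5100, "ppid": 4120, "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"msiexec /i D:\packages\agent.msi"},
]

# Matches a drive letter followed by a colon and backslash, e.g. "E:\".
DRIVE_RE = re.compile(r"\b([A-Za-z]):\\")


def _basename(path):
    return ntpath.basename(path).lower()


def detect_usb_msiexec_chain(events, removable_drives=REMOVABLE_DRIVES):
    """Alert on msiexec.exe spawned by cmd.exe with a package on removable media."""
    by_pid = {e["pid"]: e for e in events}
    wanted = {d.upper() for d in removable_drives}
    alerts = []
    for e in events:
        if _basename(e["image"]) != "msiexec.exe":
            continue
        parent = by_pid.get(e["ppid"])
        if parent is None or _basename(parent["image"]) != "cmd.exe":
            continue
        # Only fire when the msiexec command line references a removable drive.
        hit = {m.upper() for m in DRIVE_RE.findall(e["cmdline"])} & wanted
        if not hit:
            continue
        grandparent = by_pid.get(parent["ppid"])
        chain = [_basename(grandparent["image"]) if grandparent else "?",
                 "cmd.exe", "msiexec.exe"]
        alerts.append({"pid": e["pid"], "drive": sorted(hit)[0],
                       "chain": " -> ".join(chain)})
    return alerts
```

The grandparent is reported so an analyst can see whether the cmd.exe was launched from explorer.exe, which is what opening a .LNK file from a USB drive would look like.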
In October 2022, Microsoft researchers observed Raspberry Robin infections followed by Cobalt Strike activity from DEV-0950. This activity, which in some cases included a Truebot infection, eventually deployed the Clop ransomware.
According to Microsoft's report, DEV-0950 traditionally uses phishing to reach its victims, so the shift towards Raspberry Robin means the group can now deliver payloads to existing infections and move its campaigns more quickly to the ransomware stage.
The number of affected organizations has reached 1000 over the course of a month.
Microsoft Defender for Endpoint data indicates that nearly 3,000 devices in almost 1,000 organizations have seen at least one Raspberry Robin payload-related alert in the last 30 days.