Microsoft: Raspberry Robin worm key facilitator of LockBit, Cl0p ransomware
The worm was first reported in May 2022 and has evolved into one of the largest malware distribution platforms currently active


Microsoft has published its investigation into Raspberry Robin, finding significant links between the worm and leading ransomware campaigns, as well as its key role in a wider malware ecosystem.
The current leading ransomware campaign, LockBit, has been shown to be in part facilitated by the Raspberry Robin worm. The now-shuttered Cl0p ransomware, another of the most prolific campaigns of 2021 and 2022, also used the worm to deploy payloads.
Researchers observed devices infected with Raspberry Robin being installed with the FakeUpdates malware in July 2022, leading to activity attributed to the threat actor tracked as DEV-0243 - a ransomware-associated group whose actions overlap with those of the group tracked as EvilCorp by other security researchers.
Raspberry Robin-infected devices were first noticed deploying LockBit ransomware payloads in November 2021 and have since been observed dropping samples of malware such as IcedID, Bumblebee, and Truebot too.
Additionally, in October 2022 Microsoft observed Raspberry Robin being used in post-compromise activity attributed to another actor, DEV-0950. The widely abused Cobalt Strike penetration testing tool was successfully dropped on victims after a Raspberry Robin infection, and this ultimately also led to the deployment of Cl0p ransomware.
“DEV-0950 traditionally uses phishing to acquire the majority of their victims, so this notable shift to using Raspberry Robin enables them to deliver payloads to existing infections and move their campaigns more quickly to ransomware stages,” said Microsoft.
Microsoft's data indicated that nearly 3,000 devices in almost 1,000 organisations have seen at least one Raspberry Robin payload-related alert in the last 30 days.
Raspberry Robin was publicly disclosed in May 2022 by security firm Red Canary, which branded it a widely distributed worm. Since then, it’s evolved into one of the largest malware distribution platforms currently active, Microsoft said.
Microsoft also said it’s possible that the actors behind the Raspberry Robin-related malware campaigns are paying the worm's operators to install malware that could lead to additional attacks.
"Raspberry Robin’s infection chain is a confusing and complicated map of multiple infection points that can lead to many different outcomes, even in scenarios where two hosts are infected simultaneously," said Microsoft.
"There are numerous components involved; differentiating them could be challenging as the attackers behind the threat have gone to extreme lengths to protect the malware at each stage with complex loading mechanisms. These attackers also hand off to other actors for some of the more impactful attack stages, such as ransomware deployment."
Microsoft also said it's currently aware of and tracking at least four entry vectors used by Raspberry Robin to infect victim machines - vectors that were linked to hands-on-keyboard activity from threat actors. The end goal of these actions was most likely the deployment of ransomware, it added.
The tech giant underlined that developing a robust protection and detection strategy and investing in credential hygiene, least privilege, and network segmentation are key to preventing the impact of these complex threats.
Zach Marzouk is a former ITPro, CloudPro, and ChannelPro staff writer, covering topics like security, privacy, worker rights, and startups, primarily in the Asia Pacific and the US regions. Zach joined ITPro in 2017 where he was introduced to the world of B2B technology as a junior staff writer, before he returned to Argentina in 2018, working in communications and as a copywriter. In 2021, he made his way back to ITPro as a staff writer during the pandemic, before joining the world of freelance in 2022.