Microsoft Security has published a blog post describing the Raspberry Robin worm and how it connects to the larger ecosystem of professional malware in order for criminals to execute attacks. Microsoft’s researchers have observed multiple families of payloads being deployed on machines with Raspberry Robin infections, suggesting the group behind the worm is offering paid access to compromised networks. Notably, in October, Microsoft observed Raspberry Robin being used in post-compromise activity, which resulted in the deployment of Clop ransomware. This ransomware family was used in an attack against a UK water utility in August.

This worm is especially resilient, as it spreads to other devices within an organization by infecting any USB device attached to a compromised computer. Microsoft’s data “indicates that nearly 3,000 devices in almost 1,000 organizations have seen at least one Raspberry Robin payload-related alert in the last 30 days.” Microsoft’s blog post includes indicators of compromise, mitigation tips, and other technical details to help defend against this threat. Read more at Microsoft Security.