FireEye is tracking a set of financially-motivated activity referred to as TEMP.MixMaster that involves the interactive deployment of Ryuk ransomware following TrickBot malware infections. These operations have been active since at least December 2017, with a notable uptick in the latter half of 2018, and have proven to be highly successful at soliciting large ransom payments from victim organizations.

https://www.fireeye.com/blog/threat-research/2019/01/a-nasty-trick-from-credential-theft-malware-to-business-disruption.html