Do security researchers get a copy of malware to perform their analysis?

Hi

I am curious to know if researchers, in order to conduct their analslysis, gets a copy of a malware before they publish the findings? If so, where do they get it?

For example, I’m reading a report from Dragos about Pipedream but how do they know if they didnt do it themselves?

Can a newbie person obtain a copy of a malware and do analysis as well or is it too risky?

Thanks

analysis copy cybersecurity dragos findings malware order pipedream report researchers security security researchers