The MSHTML zero day bug in Windows that Microsoft patched recently has been in use by attackers exploiting the bug by a highly active ransomware group.

Microsoft issued an advisory about the flaw and warned customers that attackers were already exploiting it. Within days, exploits for the flaw were circulating publicly and in private forums.

The MSTIC researchers found that some of the infrastructure used in the initial attacks shared some characteristics overlapped with infrastructure used in separate attacks that delivered Trickbot and BazaLoader malware. Those attacks are associated with a group UNC1878, which is known to use several different ransomware strains.

The operators behind the deployment of the zero-day exploit and Cobalt Strike BEACON implants are using infrastructure that shares historical connections to a large, loosely-related criminal enterprise given the names WIZARD SPIDER, UNC1878, RYUK.

It’s quite unusual for a ransomware group to use a zero day in its operations, as most of those groups rely on other, much simpler methods for initial access to networks. Some groups will buy initial access from other attackers who have previously compromised an organization, while others will employ simple phishing attacks that lead to credential theft or direct deployment of the ransomware.

There are now several different attack groups using exploits for the vulnerability in active attacks, so organizations should deploy the patch Microsoft released as quickly as possible.