Ryuk Ransomware Affiliates Exploiting Windows MSHTML Bug

Microsoft security researchers warned that the now-patched vulnerability with MSHTML on Windows 10 systems has already been actively exploited by threat actors using the Ryuk ransomware.

Microsoft worked jointly with security researchers from RiskIQ, to unearth a campaign employing the dangerous Ryuk ransomware. Once hackers abuse the remote code execution flaw, which Microsoft has already patched, they would deploy the ransomware payload on the compromised systems.

As with many similar vulnerabilities discovered in the past, the vulnerability needs the victim to open a malicious, tailor-made Microsoft Office document to work. We covered the issue and the patch that Microsoft issued around this month's Patch Tuesday earlier this week. The bug in question allowed bad actors to embed a malicious ActiveX control inside an Office document, which is then used to compromise the victim's system.

The research into this Ryuk campaign showed that hackers would initially use the CVE-2021-40444 MSHTML vulnerability, then deploy Cobalt Strike beacon loaders. The loaders in turn would communicate with the criminals' infrastructure - the same one that has been used in several past ransomware attacks.

According to RiskIQ, the infrastructure used in this latest attack is operated by Wizard Spider - a ransomware outfit that uses Ryuk and is believed to operate out of Russia. The researchers based their conclusions on patterns and server use that point to overlapping between this latest attacker and Wizard Spider.

Ryuk is one of the most infamous strains of ransomware that is still being used today. It has been around since 2018 and its operators have raked in millions of dollars in ransom from multiple high-profile successful attacks. Ryuk and the gang running it has taken a bit of a step back as REvil and DarkSide group made headlines in the current year, with several high-profile attacks, including Colonial Pipeline and most recently, the REvil attack against Kaseya.