CISA Advisory on Conti Ransomware Warns of Increased Attacks [Is Code Signing the Answer?]

Anyone who’s been tracking the newsfeed these days has seen an uptake in ransomware attacks over the past year or so. But now we have more evidence of why and how ransomware is raging. After a deep dive on Conti ransomware, CISA issued a joint advisory with FBI and NSA that provides information on more than 400 incidents. This advisory builds on information from a previous wave of attacks in May 2021, which impactedhundreds of healthcare institutions as well as schools and other government organizations.  

According to the advisory, "In typical Conti ransomware attacks, malicious cyber actors steal files, encrypt servers and workstations, and demand a ransom payment." Conti is unique in that it operates a sophisticated ransomware-as-a-service model where they pay deployers of ransomware a wage instead of just a cut of the ransomware earnings. It’s a well-defined business model with a paid army of attackers.

One of the reasons that ransomware attacks have risen over the past year or so is that more workers are connecting to their organizations remotely. Tony Hadfield, Global Solution Architect at Venafi warns, "We're seeing a dramatic resurgence of ransomware using malicious office documents during the pandemic due to the increase in remote work.” The CISA advisory outlines how this plays out in a ransomware attack. "Malicious Word attachments often contain embedded scripts that can be used to download or drop other malware—such as TrickBot and IcedID, and/or Cobalt Strike—to assist with lateral movement and later stages of the attack life cycle with the eventual goal of deploying Conti ransomware."  

To help organizations counter those attack vectors, the advisory also offers detailed information on Conti and its affiliates typically function as well as steps organizations can take to mitigate the risks of a Conti ransomware attack. The advisory recommends taking a proactive stance, “To secure systems against Conti ransomware, CISA, FBI, and the National Security Agency (NSA) recommend implementing the mitigation measures described in this Advisory, which include requiring multi-factor authentication (MFA), implementing network segmentation, and keeping operating systems and software up to date.”

One of CISA’s key recommends is taking more control of applications that can be hijacked or misused by ransomware attackers, as outlined below.

Remove unnecessary applications and apply controls.

• Remove any application not deemed necessary for day-to-day operations. Conti threat actors leverage legitimate applications—such as remote monitoring and management software and remote desktop software applications—to aid in the malicious exploitation of an organization’s enterprise. 
• Investigate any unauthorized software, particularly remote desktop or remote monitoring and management software.
• Implement application allowlisting, which only allows systems to execute programs known and permitted by the organization's security policy. Implement software restriction policies (SRPs) or other controls to prevent programs from executing from common ransomware locations, such as temporary folders supporting popular internet browsers or compression/decompression programs.
• Implement execution prevention by disabling macro scripts from Microsoft Office files transmitted via email. Consider using Office Viewer software to open Microsoft Office files transmitted via email instead of full Microsoft Office suite applications.

Kevin Bocek, vice president of security strategy and threat intelligence at Venafi offers a slightly more focused approach to accomplishing these goals. “We have the power to stop these attacks: code signing. Conti’s favorite is to use macros in Word; this can easily be stopped by eliminating all unsigned macros from running—and any macro that can run must be code signed by the organization. Simple, and stopped.”

Hadfield echoes that recommendation, “While the typical security control recommendations like network segmentation, 2FA and patching are all helpful, there's one really simple thing organizations can do that stops ransomware hiding in malicious office documents in its tracks: code signing macros. This can be set up once and then it's completely frictionless; every macro is signed automatically and unsigned macros are not allowed to run. Even if an employee clicks on a malicious office document, nothing happens. It stops the ransomware kill chain and dramatically reduces the security risks connected with this attack vector."

How much do you know about the code signing process in your organization? Enough to protect you against a new wave of Conti ransomware attacks?

Related posts

• SUNBURST—Code Signing Was a Problem; It Should Have Been the Solution
• Linux Foundation Launches sigstore to Combat Open-Source Supply Chain Attacks
• SolarWinds: Should Security Live in InfoSec or DevOps? [Ask the Experts]