CISA Advisory on Conti Ransomware Warns of Increased Attacks [Is Code Signing the Answer?]

September 23, 2021 | Scott Carter

Anyone who’s been tracking the newsfeed these days has seen an uptick in ransomware attacks over the past year or so. But now we have more evidence of why and how ransomware is raging. After a deep dive on Conti ransomware, CISA issued a joint advisory with the FBI and NSA that provides information on more than 400 incidents. This advisory builds on information from a previous wave of attacks in May 2021, which impacted hundreds of healthcare institutions as well as schools and other government organizations.

According to the advisory, "In typical Conti ransomware attacks, malicious cyber actors steal files, encrypt servers and workstations, and demand a ransom payment." Conti is unique in that it operates a sophisticated ransomware-as-a-service model where they pay deployers of ransomware a wage instead of just a cut of the ransomware earnings. It’s a well-defined business model with a paid army of attackers.


One of the reasons that ransomware attacks have risen over the past year or so is that more workers are connecting to their organizations remotely. Tony Hadfield, Global Solution Architect at Venafi, warns, “We're seeing a dramatic resurgence of ransomware using malicious office documents during the pandemic due to the increase in remote work.” The CISA advisory outlines how this plays out in a ransomware attack: “Malicious Word attachments often contain embedded scripts that can be used to download or drop other malware—such as TrickBot and IcedID, and/or Cobalt Strike—to assist with lateral movement and later stages of the attack life cycle with the eventual goal of deploying Conti ransomware.”

To help organizations counter those attack vectors, the advisory also offers detailed information on how Conti and its affiliates typically function, as well as steps organizations can take to mitigate the risks of a Conti ransomware attack. The advisory recommends taking a proactive stance: “To secure systems against Conti ransomware, CISA, FBI, and the National Security Agency (NSA) recommend implementing the mitigation measures described in this Advisory, which include requiring multi-factor authentication (MFA), implementing network segmentation, and keeping operating systems and software up to date.”

One of CISA’s key recommendations is taking more control of applications that can be hijacked or misused by ransomware attackers, as outlined below.

Remove unnecessary applications and apply controls.

  • Remove any application not deemed necessary for day-to-day operations. Conti threat actors leverage legitimate applications—such as remote monitoring and management software and remote desktop software applications—to aid in the malicious exploitation of an organization’s enterprise. 
  • Investigate any unauthorized software, particularly remote desktop or remote monitoring and management software.
  • Implement application allowlisting, which only allows systems to execute programs known and permitted by the organization's security policy. Implement software restriction policies (SRPs) or other controls to prevent programs from executing from common ransomware locations, such as temporary folders supporting popular internet browsers or compression/decompression programs.
  • Implement execution prevention by disabling macro scripts from Microsoft Office files transmitted via email. Consider using Office Viewer software to open Microsoft Office files transmitted via email instead of full Microsoft Office suite applications.

Kevin Bocek, vice president of security strategy and threat intelligence at Venafi offers a slightly more focused approach to accomplishing these goals. “We have the power to stop these attacks: code signing. Conti’s favorite is to use macros in Word; this can easily be stopped by eliminating all unsigned macros from running—and any macro that can run must be code signed by the organization. Simple, and stopped.”

Hadfield echoes that recommendation: “While the typical security control recommendations like network segmentation, 2FA and patching are all helpful, there's one really simple thing organizations can do that stops ransomware hiding in malicious office documents in its tracks: code signing macros. This can be set up once and then it's completely frictionless; every macro is signed automatically and unsigned macros are not allowed to run. Even if an employee clicks on a malicious office document, nothing happens. It stops the ransomware kill chain and dramatically reduces the security risks connected with this attack vector.”
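The advisory’s “disable macro scripts from Office files transmitted via email” control and the “only signed macros may run” stance quoted above both map onto Office policy registry values. The script below is an added example, not from the Venafi post or the CISA advisory; it audits (and with -Apply, sets) those values for Word, Excel and PowerPoint. It assumes Office 2016/2019/Microsoft 365 (policy version “16.0”) and the per-user HKCU policy hive; in production these values would normally be delivered by Group Policy rather than written directly.

```powershell
# Added example: audit or enforce the Office macro policy the post argues for.
# Assumes Office policy version 16.0 (2016/2019/Microsoft 365) under HKCU.
param(
    [switch]$Apply,                  # without -Apply the script only reports
    [string]$OfficeVersion = '16.0'
)

$apps = 'Word', 'Excel', 'PowerPoint'

# VBAWarnings: 1 = enable all macros, 2 = disable with notification,
#              3 = disable all except digitally signed macros,
#              4 = disable all macros without notification
# blockcontentexecutionfrominternet: 1 = block macros in files that carry the
#              Mark-of-the-Web (e-mail attachments, downloads)
$desired = [ordered]@{
    VBAWarnings                       = 3
    blockcontentexecutionfrominternet = 1
}

$results = foreach ($app in $apps) {
    $key = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"
    if ($Apply -and -not (Test-Path $key)) {
        New-Item -Path $key -Force | Out-Null
    }
    foreach ($name in $desired.Keys) {
        $current   = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
        $compliant = ($current -eq $desired[$name])
        if ($Apply -and -not $compliant) {
            Set-ItemProperty -Path $key -Name $name -Value $desired[$name] -Type DWord
            $current   = $desired[$name]
            $compliant = $true
        }
        [pscustomobject]@{
            Application = $app
            Setting     = $name
            Current     = if ($null -eq $current) { '(not set)' } else { $current }
            Desired     = $desired[$name]
            Compliant   = $compliant
        }
    }
}

$results | Format-Table -AutoSize
```

With VBAWarnings set to 3, Office runs only macros whose signing certificate sits in the user’s Trusted Publishers store, so the organization’s macro-signing certificate must also be deployed there (typically by Group Policy) or legitimate signed macros will be blocked along with the unsigned ones.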

How much do you know about the code signing process in your organization? Enough to protect you against a new wave of Conti ransomware attacks?

About the author

Scott Carter

Scott is Senior Manager for Content Marketing at Venafi. With over 20 years in cybersecurity marketing, his expertise leads him to help large organizations understand the risk to machine identities and why they should protect them
