A series of ransomware attacks against Costa Rican national infrastructure has prompted the country’s new president to declare a national emergency.
As first reported by BleepingComputer, the president, Rodrigo Chaves, made the declaration on May 8, the same day he took office. The attacks have been attributed to the Conti ransomware group, widely regarded as the most dangerous and widespread ransomware gang currently operating.
The ransomware attacks started in April, with the Finance Ministry being the first Costa Rican government agency victimized. Others followed quickly, as reported by Recorded Future, including:
- The Ministry of Science, Innovation, Technology, and Telecommunications
- The Labor and Social Security Ministry
- The Social Development and Family Allowances Fund
- The National Meteorological Institute
- The Costa Rican Social Security Fund
- The Interuniversity Headquarters of Alajuela
Outgoing Costa Rican President Carlos Alvarado Quesada said last month that the country would not pay the ransom Conti demanded, reported to be $10 million: “It is not just an attack on the institutions affected, the government or importers and exporters,” Quesada said. “It is a criminal cyberattack on the state and the entire country. It cannot be separated from the complex global geopolitical situation in a digitalized world.”
Indeed, even Russia’s invasion of Ukraine appears to be part of the intricate web of details surrounding the story. As Allan Liska, a ransomware expert and columnist for Ransomware.org, wrote recently, Conti publicly declared its support for Russia’s invasion of its neighbor: “The Conti Team is officially announcing a full support of Russian government. If anyone will decide to organize a cyberattack or any war activities against Russia, we are going to use our all possible resources to strike back at the critical infrastructure of an enemy.”
Costa Rica is, of course, only the latest victim, and Conti is allegedly leaking information it obtained via the attacks. BleepingComputer said that an update on Conti’s data leak site stated that the group “leaked 97% of the 672 GB data dump allegedly containing information stolen from government agencies.” Publishing stolen data is the second lever of a double-extortion ransomware attack: in addition to paying to have encrypted data decrypted, the victim is pressured to pay again to keep the exfiltrated data from being publicly released.
Gizmodo reported that due to the attacks, Costa Rica “has effectively been operating without digital monetary services since April 18.” This has affected its ability to pay public employees and collect tax revenues, among other short-term consequences. The longer-term impacts likely won’t be known for some time.
Conti, as Liska has written, has grown quite wealthy from its criminal operations and works much like a legitimate business, with a human resources department, coders, penetration testers, and more.
According to Recorded Future’s report, one of the Conti hackers released a message saying that what happened in Costa Rica is merely a dress rehearsal for bigger things: “The purpose of this attack was to earn money, in the future I will definitely carry out attacks of a more serious format with a larger team, Costa Rica is a demo version.”
That should send shivers down the backs of anyone with security responsibilities for governmental institutions.