In the beginning, ransomware gangs went after individuals and smaller businesses. As they grew in confidence, they moved on to medium-sized companies before becoming so sure of themselves they decided to take on some of the largest multi-nationals in the world.
In recent weeks, it seems the notorious Conti group has come up with an even bigger victim to extort—the entire Government of Costa Rica.
The first attack hit Costa Rica’s Ministry of Finance on April 16, after which the attackers posted sample data on the ContiNews ransomware PR site with a demand for a $10 million ransom.
Despite reportedly disrupting numerous systems such as tax collection and customs, Costa Rica’s President Carlos Alvarado refused to cooperate, stating that “the Costa Rican state will not pay anything to these cybercriminals.”
Less than a week later Conti was back, this time claiming it had targeted the country’s Ministry of Labor and Social Security, and the Fund for Social Development and Family Allowances.
By May 8, and with attacks affecting 27 Government departments, Costa Rica’s new President, Rodrigo Chaves, responded by declaring a state of emergency, only the second time such a thing has happened in response to ransomware.
By May, the escalating war of words reached an almost ridiculous level, with Conti threatening to “overthrow by means of a cyberattack” the new government if it didn’t back down, reported AP.
“We have already shown you all the strength and power, you have introduced an emergency,” the group said in a public post. It went on: “We have our insiders in your government. We are also working on gaining access to your other systems, you have no other options but to pay us. We know that you have hired a data recovery specialist, don’t try to find workarounds.”
And the ransom demand was now $20 million.
The response of President Chaves? “We are at war and that’s not an exaggeration.”
A striking feature of the attack was its timing during a presidential transition. As with the lead-up to term time in a university, or the Friday evening before a holiday for businesses, this was seen by the attackers as a weak moment when the victim might be more likely to pay up.
The attack is already being compared to the Colonial Pipeline incident of June 2021, which set a new benchmark for ransomware impact. That, too, saw the U.S. Government invoke emergency powers to counter the disruption to fuel supplies.
What’s still unclear is who exactly is behind the Conti group, and what their ultra-aggressive tactics might imply about future ransomware attacks.
Conti operates ransomware-as-a-service (RaaS), which means that attacks can be carried out by affiliates and not just the core group. This comes with risks—Conti suffered a high-profile leak of its own source code in March, for example—but also makes it harder to predict the behavior of the criminals using it.
This isn’t the first big attack to emerge from Conti’s platform. It was also used in the huge 2021 assault on Ireland’s Health Service Executive (HSE), which was later estimated to cost taxpayers $600 million in upgrade and remediation costs.
What’s interesting about the attacks on Costa Rica and the HSE is that by attacking governments, ransomware might finally have met its match. Governments aren’t governed by the same expediency as companies, and they seem more inclined to tough things out no matter how bad things get.
For the longest time, ransomware was an enterprise that thrived on discretion. The criminals mostly stayed in the shadows, and victims paid up on the understanding that nobody would find out they’d been compromised.
With the arrival of Conti, it’s become increasingly clear that those days are long gone. But in this emerging war of words and PR, it’s just possible the attackers might be in danger of overreaching themselves.