This is uncharted territory, even for the criminal ransomware underworld. Several weeks ago, Costa Rica’s new president, Rodrigo Chaves, declared a national emergency following a series of attacks on his country’s infrastructure, including the Finance Ministry and Labor and Social Security Ministry among others. The declaration came literally on the day he took office.
In our story on the escalation, John Dunne wrote this: “… in this emerging war of words and PR, it’s just possible the attackers might be in danger of overreaching themselves.” To me, this is a key point, and may signal a change in ransomware gangs’ tactics going forward.
We know that ransomware actors are increasingly under pressure for their criminal activities. REvil, which generally held the title of “World’s Most Dangerous Ransomware Gang” prior to Conti, had several of its members taken into custody earlier this year. This was the highest-profile action taken to date, but not the only one.
In that case, not even REvil (which may be attempting a comeback) was threatening to overthrow a government—it was simply acting as all ransomware groups act. But Conti has gone far beyond that, moving into geopolitics. This is a much higher-stakes game now—and when you raise the stakes, you also raise the consequences.
“The success of these attacks should concern smaller governments around the world,” Allan Liska, an intelligence analyst at Recorded Future (as well as a columnist for Ransomware.org) told TechCrunch. He went on to say that Conti may feel invincible at this point, since it’s had so much success over the last couple of years.
If that’s the case, it’s safe to say that they may be in for a very, very rude awakening. Governments have different responses for various infractions, with a huge range in the severity of its actions. Taking down a network here or there, or shutting down a hospital’s IT systems, are significant impacts. But they’re nothing compared to what a government may do when its very existence is threatened.
If critical Costa Rica systems are kept offline much longer, it’s not hard to imagine that officials might escalate their response to these attacks. Conti may think it’s protected by anonymity and maybe even by Russia itself, whom the gang has allied with in the country’s invasion of Ukraine.
One has to wonder, though, how much protection Russia will give to an outlaw gang if major powers lean on it. Russia has things to worry about other than a small band of hacker nerds, and if, say, the United States insisted that Russia stop shielding Conti from the repercussions of its actions in Costa Rica, what great motivation will it have to risk a huge international incident? I doubt the fact of Conti’s support of the invasion will factor very much in Russia’s decisions.
Sovereign nations are not businesses. They have greater means at their disposal for protecting their interests, and there’s no doubt they’ll use them if pushed far enough.
The question that Conti needs to ask itself: Have we pushed too far this time?