Costa Rica Hit with a Ransomware Attack by Conti


Costa Rica has been making headlines over the last few months, especially after President Rodrigo Chaves Robles declared a national state of emergency. The declaration followed a series of ransomware attacks that halted Costa Rica’s economy, affecting several branches of government and the public sector at large.

Many people in Latin America are accustomed to this, so it should come as no surprise that Costa Rica has a weak cybersecurity infrastructure and has experienced cyberattacks before. According to Bleeping Computer, the majority of Costa Rican firms, including manufacturing and other companies with weak infrastructure, saw over 1200 intrusions per week on average in 2021. This time the target was the Costa Rican government: Conti, the gang responsible for the hack, claimed to have over 670GB of government data and demanded rising ransoms.

Even with the time it had between Conti’s threats and the group’s decision to expose some of the data it had retrieved, the Costa Rican government’s lack of preparation for such widespread cyberattacks left it without the resources to mount any kind of incident response to limit the damage, leaving Conti with the upper hand.

Why is Costa Rica under national emergency after the Conti ransomware cyberattack?

The national state of emergency was proclaimed by President Rodrigo Chaves Robles on May 8, the same day he assumed office as Costa Rica’s newly elected leader. Chaves made the announcement following the nation’s month-long battle with ransomware attacks that had badly damaged the economy. At the time, it was calculated that the country was losing at least $38 million every day due to the economy’s stagnation.

What is the Conti ransomware attack in Costa Rica?

On April 17th, 2022, Costa Rica became the victim of large-scale ransomware attacks initiated by Conti, a popular ransomware group. The hackers initially targeted the country’s Ministry of Finance, which broke the news of the intrusion on Twitter on April 18th. At the time, Conti demanded a $10 million ransom, which the government, still under Carlos Alvarado Quesada’s presidency, declined to pay. The Ministry of Finance was the first government body to be affected by Conti. The tax administration and customs services were rendered out of service, halting various digital financial services such as payments, taxpaying, service billing, and more.

After President Chaves’ public refusal to pay the ransom on May 8th, Conti proceeded to publish on their website 97% of the data that they had been using as collateral.

By May 16th, it had been confirmed that the number of institutions in Costa Rica that had been impacted had grown to twenty-seven, according to President Chaves. It was around this time that Conti doubled their ransom to $20 million, presumably feeling confident that the damage they had caused would be enough to pressure the government into buckling. The hacking group encouraged the citizens of Costa Rica to pressure their government into paying the requested amount, stating that if the government failed to pay the ransom by the 23rd of May, they would delete the recovery keys, leaving the government and its people stranded.

At this time, Costa Rica contacted Joe Biden, the president of the United States, whose law enforcement offered a $15 million reward to anyone who could help identify and hunt down Conti by providing information about the group’s activities.

Although the primary motivation behind ransomware is financial gain, in the case of Conti and Costa Rica the circumstances go beyond Costa Rica simply being a victim arbitrarily chosen for its network and infrastructure vulnerabilities. Even though Conti may not have intended to make a political statement, the geopolitical situation and their connection to Russia were key factors in Costa Rica’s ransomware attack.

After their publicized support for the Russian invasion of Ukraine, Conti lost a great deal of public support. “Their anti-US and anti-West statements attracted a lot of attention all around the world, exposing their political stance and turning away the support of organizations that previously funded them. So the amount of ransom they collected in the last few months significantly declined,” says Guy Rosefelt, Chief Product Officer at Sangfor Technologies, in a webinar. “The second thing that happened is that in order to maintain a low profile, targeting large companies and nations such as the United States was no longer a good idea, so they started targeting smaller countries in Latin America because they have less security, and less of a cyber response capability.”


However, this didn’t quite lead to their redemption, so Conti saw fit to use Costa Rica as an exit strategy. “They used the Costa Rican attack as their Swan Song. They knew they were going to have to go out soon so what they did was, after probing around Latin America, they figured out how to successfully infiltrate and attack Costa Rica.” And so, this was Conti’s finale before supposedly disbanding. The Costa Rica ransom would have been their final jackpot and saving grace had it been successful.

Of course, whether or not they achieved that goal, it does not mean that their operations have ceased altogether. It is well known that when ransomware groups go away, it usually just means they’ve joined subgroups or other organizations. This would explain the “coincidental” cyberattack on Costa Rica’s public health service and social security fund, CSS, in late May 2022.

This attack was just as damaging: it affected public health systems such as COVID-19 testing and tracking, and forced hospitals in the country to revert to pen and paper as a backup. HIVE is well known for attacking global healthcare organizations, so this attack fits their modus operandi. However, its alignment with Conti’s activities has continued to raise eyebrows, even though HIVE denied affiliation with Conti on their website.

The aftereffects of these attacks are still being felt in Costa Rica, and it doesn’t appear that the country will make a full recovery soon.
