RansomWar in Costa Rica – Conti Ransomware Gang Attacks
Conti, one of today’s most prolific and profitable ransomware groups, launched an initial cyberattack against Costa Rica in mid-April. In recent weeks, the Russian-speaking Conti gang, or possibly an associated group called Hive, have stepped up the attacks and expanded the assault. After Costa Rica refused to pay the initial $10 million ransom or the subsequently doubled ransom demand, the hackers released nearly 700 gigabytes of data from the country’s government servers.
Over the weeks, the story has evolved in ways that offer both more clarity and confusion. Either way, this attack should serve as a stark warning for private businesses and governments alike.
Who is Conti?
Similar to ReEvil, Conti makes its ransomware-as-a-service (RaaS) infrastructure available to affiliate groups who essentially rent the service, launch attacks, and share the profits with Conti.
Conti’s has been active since 2020, with past attacks launched against Ireland’s nationalized health services, the Scottish Environmental Protection Agency, and New Zealand’s Waikato District Health Board. Conti, which targets companies with annual revenues over $100 million, amassed over $180 million in revenue in 2021. The group’s leaders are thought to be Russian and have publicly stated their support for Russia, noting that anyone who stands against the country is a viable target.
What happened in Costa Rica?
On April 18th, Costa Rica’s Finance Ministry reported that its tax collection and import and export systems were affected by a cyberattack. That was quickly followed by additional attacks on the country’s social security agency and Labor Ministry. The Conti gang claimed responsibility, demanding a $10 million ransom to end the double extortion plot, which consisted of first stealing and encrypting the files and then exposing the files on Conti’s extortion site.
Government agencies were forced to shut down essential systems, triggering severe interruptions to government-based payments to employees, pensioners, and grant recipients. The customs agency’s import and export logistics, valued at $38 million per day, were also disrupted. The country had to declare a state of emergency. By Friday of that week, and without payment from Costa Rica, Conti released half of the stolen data.
While Costa Rica struggled to get systems back online, many believed they had seen the full extent of the attack. However, on May 31st, the country announced that another group, known as Hive, launched a second attack against the Costa Rican Social Security Fund (CCSS) but, as this breach is so new, the full extent is not yet known.
According to the government, the attack has affected 27 government institutions so far. Conti says it has published 95% of all of the stolen data.
Why would Conti attack Costa Rica?
Costa Rica is a popular tourist destination and not generally thought of as a country with overbearing or extended political reach, which begs the question: why launch an attack against such an unassuming country? Industry experts are floating about quite a few theories.
Theory 1: Some security experts feel that the motivation was a crime of opportunity rather than financial gain. They believe the attackers were looking for vulnerabilities and weaknesses, simply striking when they found them in the government systems.
Theory 2: Due to the timing of the first attack, some think it was an attempt to destabilize the country during a time of transition or overthrow the government altogether.
Theory 3: Based on internal Conti communications it saw, cyber intelligence firm ADVIntel believes that the attack was a smokescreen created to remind the public of the group’s prominent and lucrative collective, all while the leadership worked behind the scenes to dismantle the group and join other ‘friendly’ ransomware gangs.
Theory 4: Costa Rica has publicly rejected the Russian invasion of Ukraine. Since Conti has aligned itself with Russia and against all who oppose Russia, some experts postulate that the motivation is political. This would explain why the gang was working with Hive. Any businesses that wanted to pay Conti’s ransom couldn’t due to the economic sanctions against Russia; however, they could pay Hive.
What’s being done?
As with most of these RaaS attacks, not much can be done after the fact. As of the writing of this post, Costa Rica still has not paid any ransom and is working to bring its systems back online.
The US Department of State is offering a $10 million reward for information that leads to the location or identity of Conti leadership and $5 million for info leading to the arrest of anyone attempting to work with Conti.
How can you protect your business?
Even though Conti’s attacks were against $100+ million-dollar government entities, every business is a target for attackers, no matter the size. Remember, we’re talking about criminals with no moral clause. The rise in ransomware-as-a-service (RaaS) is nothing short of stunning, so every company needs to take these threats and general cybersecurity seriously.
Ensuring that you have backups can help you avoid the need to pay for a decryption key, but it won’t prevent an attack. That said, the best approach to cybersecurity is to implement the right preventative measures using the most efficient solutions. With that working for you, you’ll be able to stop attacks before any damage is done.
Another measure to take is to prioritize identity and access privileges which will prevent unauthorized users or bots from accessing systems when they won’t meet the proper parameters.
Continuously monitoring your network and performing proactive threat hunting activities will help you catch intrusions early and react as soon as possible should an attack breach your perimeter.