Q REPORTS (WIRED) For the last two months, Costa Rica has been under siege. Two major ransomware attacks have crippled many of the country’s essential services, plunging the government into chaos as it scrambles to respond.
Officials say that international trade ground to a halt as the ransomware took hold and more than 30,000 medical appointments have been rescheduled, while tax payments have also been disrupted. Millions have been lost due to the attacks, and staff at affected organizations have turned to pen and paper to get things done.
Costa Rica’s government, which changed midway through the attacks after elections earlier this year, has declared a “national emergency” in response to the ransomware—marking the first time a country has done so in response to a cyberattack. Twenty-seven government bodies were targeted in the first attacks, which ran from mid-April until the start of May, according to new president Rodrigo Chaves.
The second attack, at the end of May, has sent Costa Rica’s health care system into a spiral. Chaves has declared “war” on those responsible.
At the heart of the hacking spree is Conti, the notorious Russia-linked ransomware gang. Conti claimed responsibility for the first attack against Costa Rica’s government and is believed to have some links to the ransomware-as-a-service operation HIVE, which was responsible for the second attack impacting the health care system. Last year, Conti extorted more than $180 million from its victims, and it has a history of targeting health care organizations. However, in February thousands of the group’s internal messages and files were published online after it backed Russia’s war against Ukraine.
Even among Conti’s long rap sheet of more than 1,000 ransomware attacks, those against Costa Rica stand out. They mark one of the first times a ransomware group has explicitly targeted a nation’s government, and during the process Conti uncharacteristically called for the Costa Rican government to be overthrown. “This is possibly the most significant ransomware incident to date,” says Emsisoft threat analyst Brett Callow. “I can’t recall another occasion when an entire federal government has been held to ransom like this—it’s a first; it’s quite unprecedented.”
What’s more, researchers suggest that Conti’s brazen actions may just be callous showboating, enacted to draw attention to the group as it winds down its toxic brand name and its members move on to other ransomware efforts.
“National Emergency”
The first ransomware attack against Costa Rica’s government started during the week of April 10. Throughout the week, Conti probed the systems of the Ministry of Finance, known as Ministerio de Hacienda, explains Jorge Mora, a former director of the Ministry of Science, Innovation, Technology and Telecommunications (MICIT) who helped lead the response to the attacks. By the early hours of April 18, files within the finance ministry had been encrypted and two key systems had been crippled: the digital tax service and the IT system for customs control.
“They affect all the export/import services in the country of the products,” says Mora, who left the government on May 7 ahead of the administration change. Mario Robles, the CEO and founder of Costa Rican cybersecurity company White Jaguars, estimates that “several terabytes” of data and more than 800 servers at the finance ministry have been impacted. Robles says his company has been involved in the response to the attacks but says he cannot name who it has worked with. (The finance ministry did not respond to WIRED’s request for comment.)
“The private sector was very affected,” Mora says. Local reports say import and export businesses faced shipping container shortages and estimated losses range from $38 million per day up to $125 million over 48 hours. “The disruption paralyzed the imports and exports of the country, making a big impact on the commerce,” says Joey Milgram, a country manager for Costa Rica at cybersecurity company Soluciones Seguras. “They implemented, after 10 days, a manual form to import, but it was taking much paperwork and many days to process,” Milgram adds.
But the attack against the finance ministry was just the beginning. A timeline shared by Mora claims Conti attempted to breach different government organizations almost every day between April 18 and May 2. Local authorities, such as the Municipality of Buenos Aires, were targeted, as well as central government organizations, including the Ministry of Labor and Social Security. In some cases, Conti was successful; in others, it failed. Mora says the US, Spain, and private companies helped defend against Conti attacks, providing software and indicators of compromises related to the group. “That blocked Conti a lot,” he says. (In early May, the US posted a $10 million reward for information about Conti’s leadership.)
On May 8, Chaves started his four-year term as president and immediately declared a “national emergency” due to the ransomware attacks, calling the attackers “cyberterrorists.” Nine of the 27 targeted bodies were “very affected,” Chaves said on May 16. The MICIT, which is overseeing the response to the attacks, did not respond to questions about the progress of the recovery, despite originally offering to set up an interview.
“All the national institutions, they don’t have enough resources,” Robles says. During the recovery, he says, he has seen organizations running on legacy software, making it much harder to enable the services they provide. Some bodies, Robles says, “don’t even have a person working on cybersecurity.” Mora adds that the attacks show Latin American countries need to improve their cybersecurity resilience, introduce laws to make cyberattack reporting mandatory, and allocate more resources to protect public institutions.
But just as Costa Rica started getting a grip on the Conti attacks, another hammer blow struck. On May 31, the second attack started. The systems of the Costa Rican Social Security Fund (CCSS), which organizes health care, were taken offline, plunging the country into a new kind of disarray. This time the HIVE ransomware, which has some links to Conti, was blamed.
The attack had an immediate effect on people’s lives. Health care systems went offline and printers spewed out garbage, as first reported by security journalist Brian Krebs. Since then patients have complained of delays in getting treatment and the CCSS has warned parents whose children were undergoing surgery that they may have trouble locating their kids. The health service has also begun printing discontinued paper forms.
By June 3, CCSS had declared an “institutional emergency,” with local reports claiming that 759 of the 1,500 servers and 10,400 computers have been impacted. A spokesperson for CCSS says hospital and emergency services are now running normally and the efforts of its staff have maintained care. However, those seeking medical care have faced significant disruptions: 34,677 appointments have been rescheduled, as of June 6. (The figure is 7 percent of total appointments; the CCSS says 484,215 appointments have gone ahead.) Medical imaging, pharmacies, testing laboratories, and operating theaters are all facing some disruption.
The Death of Conti
There are questions about whether the two separate ransomware attacks against Costa Rica are linked. However, they come as the face of ransomware may be changing. In recent weeks, Russian-linked ransomware gangs have changed their tactics to avoid US sanctions and are fighting over their territory more than usual.
Conti first announced its attack on the finance ministry on its blog, where it publishes the names of its victims and, if they fail to pay its ransom, the files it has stolen from them. A person or group dubbing themselves unc1756—the “UNC” abbreviation is used by some security firms to indicate “uncategorized” attackers—used the blog to claim responsibility for the attack. The attacker demanded $10 million as a ransom payment, later upping the figure to $20 million. When no payment was made, they started uploading 672 GB of files to Conti’s website.
However, Conti’s behavior was more erratic and disturbing than usual—the attacker moved into politics. “I appeal to every resident of Costa Rica, go to your government and organize rallies,” one post on Conti’s blog said. “We are determined to overthrow the government by means of a cyber attack,” said another post addressed to Costa Rica and “US terrorists (Biden and his administration).”
“I think I never saw cyber criminals using, publicly at least, such rhetoric against any government,” says Sergey Shykevich, Threat Intelligence group manager at security firm Check Point, who also notes that Conti targeted Peru’s finance ministry and intelligence agency around the same time as the Costa Rica attacks. Shykevich says Conti’s behavior was criticized on Russian-language hacking forums, as getting into politics would draw more attention to cybercrime groups.
Some believe Conti’s attack against Costa Rica may have been designed as a distraction. On May 19, US-based cybersecurity firm AdvIntel declared Conti’s operations dead, saying the group had started dismantling its brand—but not its overall organizational structure—in early May. Citing visibility inside the gang, AdvIntel said the administration panel of Conti’s news website has been shut down. “The negotiations service site was also down, while the rest of the infrastructure, from chatrooms to messengers, and from servers to proxy hosts, was going through a massive reset,” AdvIntel said in a briefing.
Since Conti expressed its support for Vladimir Putin’s war in Ukraine and threatened to hack anyone who targeted Russia, the group has struggled to make money. “It is now considerably harder for them to extract payments from US victims,” Callow says. “Several negotiation firms will no longer transact with them for fear of breaking OFAC sanctions, and some companies won’t necessarily want to deal with them because they don’t want to be seen to be potentially sponsoring terrorism.” ADVIntel goes further, saying Conti couldn’t “sufficiently support and obtain extortion,” prompting the group to lash out.
Several weeks later, AdvIntel CEO Vitali Kremez says Conti’s services are still offline. The Costa Rica attack, at least in the eyes of AdVIntel, was meant to give Conti cover while it continued to rebrand itself and start using different types of ransomware. Despite this, Conti’s last reckless public act may leave a legacy. While cybercriminals may not choose to routinely attack national governments, a new precedent has been set. “Conti put their stamp on a new era in ransomware,” Check Point’s Shykevich says. “They proved and showed that a cybercrime group can do country extortion.”
Read the original at Wired
