QCOSTARICA – The hacking that the Caja Costarricense de Seguro Social (CCSS) suffered early Tuesday is having a direct impact on patients, affecting care for thousands of policyholders, especially since the entity’s instruction is that computers should not be turned on.
The Caja’s executive president, Álvaro Ramos, was emphatic that it was their decision to shut down the computers as a preventive measure while the IT department tries to measure the scope of the hack.
At a press conference on Tuesday, Ramos said they do not know when the computer servers will recover after the cyber attack.
Of the institution’s 1,500 computer servers, 30 were affected. The Caja guarantees that there was no leakage of sensitive information and announced that in a few days it will know how compromised the systems are.
Ramos added that the attack was exceptionally violent, to the point that it was inevitable that systems such as EDUS and Sicere would be affected.
The CCSS reported the attack at around 6 am Tuesday. The director of the Directorate of Information and Communication Technologies, Roberto Blanco, reported that the corresponding analyses are currently being carried out to determine the scope of the cyber attack.
The entity added that it is working to restore critical services, “but it is not yet possible to determine when they will be in operation. For now, preventively, all systems have been lowered.”
“We are working with the entire specialized team to determine the course and how to lift the critical systems,” said Blanco.
The Costa Rican 🇨🇷 Caja Costarricense de Seguro Social (CCSS – Costa Rican Social Security Fund) suffered a #ransomware attack on May 31. While sources report that #HiveLeaks is responsible, the group has not posted any information about the alleged attack
— BetterCyber (@_bettercyber_) May 31, 2022
On Twitter, BetterCyber, an account specialized in cyberattacks, posted that sources indicate the Hive Ransomware Group is responsible for this attack.
The Caja confirmed that Hive software was indeed detected. The Hive Group was detected for the first time in June 2021, and it usually attacks various sectors, mainly institutions or companies associated with health.
👇 Link to the press conference held by CCSS authorities https://t.co/zdbRv04d4h
— BetterCyber (@_bettercyber_) May 31, 2022
The CCSS attack comes after Costa Rica declared a national emergency following Conti ransomware attacks that hit multiple government institutions.
The first alert of suspicious activity was detected at the Ministerio de Hacienda (Ministry of Finance) on Sunday, April 17.
The previous government dragged its feet before accepting that it had been hacked.
The list of government entities hit by Conti affiliates also includes, in addition to the Ministerio de Hacienda, entities such as:
- Ministerio de Trabajo
- Fondo de Desarrollo Social y Asignaciones Familiares (Fodesaf)
- Instituto Meteorológico Nacional (IMN)
- Radiográfica Costarricense (Racsa)
- Sede Interuniversitaria de Alajuela (SIUA)
- Instituto de Desarrollo Rural (Inder)
- Junta Administrativa del Servicio Eléctrico de Cartago (Jasec)
- Fábrica Nacional de Licores (Fanal)
- Municipalidad de Santa Bárbara, Buenos Aires, Garabito and Alajuelita
“The attack that Costa Rica is suffering from cybercriminals is declared a national emergency and we are signing this decree, precisely, to declare a state of national emergency throughout the public sector of the Costa Rican State and allow our society to respond to these attacks as criminal acts,” said Costa Rican President Rodrigo Chaves when signing the Executive Decree on May 8, one of his first acts following his investiture.
The Conti gang has demanded a US$10 million ransom from the Costa Rican government, which has declined to pay.
The U.S. government is now offering rewards of up to US$15 million to anyone who can provide information that can lead to the identification and arrest of Conti ransomware’s leadership and operators.
Evidence links Hive to Conti Group, but criminals deny it. Sites specialized in cybersecurity reported weeks ago that, after the announcement of a million-dollar reward from the FBI following the massive computer attack on the Government of Costa Rica, the criminals from that organization began to migrate to other, smaller ones or founded some of their own, and that Conti had begun a slow process of closing operations.
Bleeping Computer LLC reported that some of Conti’s hackers migrated to organizations like Hive, HelloKitty, AvosLocker, BlackCat, BlackByte, and others. However, Hive Ransomware Group has refused to be linked to Conti, despite the fact that once the process of closing operations began and Conti’s hackers moved to that other criminal group, the organization began the tactic of publishing the leaked data on the deep web, just like Conti did.