Many of the targeted government bodies have received ransom demands. Authorities are yet to fully evaluate the extent of the attacks, and it is unclear exactly how much government and taxpayer data stands compromised at the moment.
Details of the Conti Ransomware Attack
In April, multiple Costa Rican government bodies were the targets of cyberattacks that shut down their computer networks. A Conti threat actor identified as “unc1756” has claimed responsibility for the attack. In a post on Conti’s leak site, the hacker claimed sole responsibility for the attack, saying they worked with an affiliate but didn’t receive support from any government or organized team. About 672 GB of data is believed to have been compromised in the attack. Over 97% of the stolen data has already been dumped on Conti’s leak site. The hacker blamed the leaders of the Central American country for the extensive cyberattacks and data leak, as authorities failed to comply with ransom demands. They threatened to carry out more damaging attacks, describing the attack on Costa Rica as a “demo version.” “The purpose of the attack was to earn money, in the future I will definitely carry out attacks of a more serious format with a larger team,” the hacker said in a post. Costa Rica’s Finance Ministry was the first target and received a $10 million ransom demand, which it refused to pay. The government bodies listed below were subsequently targeted by the hacker.
Ministerio de Hacienda (Finance Ministry) MTSS (Ministry of Labor and Social Security) FODESAF (Social Development and Family Allowances Fund) SIUA (Interuniversity Headquarters of Alajuela) JASEC (Administrative Board of the Electrical Service of the province of Cartago) MICITT (Ministry of Science, Innovation, Technology, and Telecommunications) IMN (National Meteorological Institute) RACSA (Radiographic Costarricense) CCSS (Costa Rican Social Security Fund)
New President Declares National Emergency
The cyberattacks have disrupted government services such as tax collection and government employee payments. The country’s customs agency said its imports and exports operations have collapsed. In response to the attack, the CCSS, which is the country’s public health agency, said it is carrying out a perimeter security review. After his swearing-in ceremony on May 8, Costa Rica’s new President Rodrigo Chaves decided that addressing the tumultuous situation requires a heavy-handed approach. “The attack that Costa Rica is suffering from cybercriminals, cyberterrorists is declared a national emergency and we are signing this decree, precisely, to declare a state of national emergency in the entire public sector of the Costa Rican State and allow our society to respond to these attacks as criminal acts,” President Chaves said. “We signed the decree so that the country can defend itself from the criminal attack that cybercriminals are making [against] us. That is an attack on the Homeland and we signed the decree to have a better way of defending ourselves,” he added.
Who Is Behind the Conti Ransomware Attacks?
Conti is a ransomware-as-a-service operation that has been linked to the Russia-based Wizard Spider cybercrime group. The same group is behind other notorious malware such as Ryuk, TrickBot, and BazarLoader. Hackers using Conti ransomware have targeted the U.S. healthcare system in the past and have actively declared their support for Russia’s invasion of Ukraine. Last week, the United States Department of State offered a bounty of up to $10 million for information pertaining to the identities or locations of individuals who hold leadership positions in the Conti cybercrime group. There is also a $5 million reward for any information that could potentially lead to the arrest or conviction of anyone affiliated with the group. If you found this story interesting and want to educate yourself on how notorious groups like Conti operate, check out our article on ransomware-as-a-service (RaaS).
