Costa Rica has been forced to declare a state of emergency after a Russian hacking cartel carried out an extraordinary cyber attack against the government that crippled tax collection and export systems.
The ransomware gang Conti, which is based in Russia, claimed credit for the attack, which began on 12 April, and has threatened to leak the stolen information unless it is paid $20 million.
Experts who track Conti’s movements said the group had recently begun to shift its focus from the United States and Europe to countries in Central and South America, perhaps to retaliate against nations that have supported Ukraine.
According to a New York Times report, some experts also believe Conti feared a crackdown by the United States and was seeking fresh targets, regardless of politics.
The group is responsible for more than 1,000 ransomware attacks worldwide that have led to earnings of more than $150 million, according to estimates from the Federal Bureau of Investigation (FBI).
According to Juan Andres Guerrero-Saade, a principal threat researcher at SentinelOne, the ransomware cartels figured out that multinationals in the US and Western Europe are less likely to blink if they need to pay some ungodly sum in order to get their business running.
“At some point, you are going to tap out that space,” Guerrero-Saade said.
Whatever the reason for the shift, the hack showed that Conti was still acting aggressively despite speculation that the gang might disband after it was the target of a hacking operation in the early days of Russia’s war on Ukraine.
The criminal group, which pledged its support to Russia after the invasion, routinely targets businesses and local government agencies by breaking into their systems, encrypting data and demanding a ransom to restore it.
Brett Callow, a threat analyst at Emsisoft, added that “it’s possibly the most significant ransomware attack to date”.
“This is the first time I can recall a ransomware attack resulting in a national emergency being declared,” Callow said.
Costa Rica has said it refused to pay the ransom.
The hacking campaign occurred after Costa Rica’s presidential elections and quickly became a political tool. The previous administration downplayed the attack in its first official news releases, portraying it as a technical problem and projecting an image of stability and calm. However, the newly elected president, Rodrigo Chaves, began his term by declaring a national emergency.
During a news conference this week, Chaves notably said “we are at war”, outlining that 27 government institutions had been affected by the ransomware attack with nine of them affected significantly.
The attack began on 12 April, according to Chaves’ administration, when hackers who said they were affiliated with Conti broke into Costa Rica’s Ministry of Finance, which oversees the country’s tax system. From there, the ransomware spread to other agencies that oversee technology and telecommunications, the government said this month.
Two former officials with the Ministry of Finance, who were not authorised to speak publicly, said the hackers were able to gain access to taxpayers’ information and interrupt Costa Rica’s tax collection process, forcing the agency to shut down some databases and resort to using a nearly 15-year-old system to store revenue from its largest taxpayers. Much of the nation’s tax revenue comes from a relatively small pool of about a thousand major taxpayers, making it possible for Costa Rica to continue tax collection.
The country also relies on exports, and the cyber attack forced customs agents to do their work solely on paper.
While the investigation and recovery are underway, taxpayers in Costa Rica are forced to file their tax declarations in person at financial institutions rather than relying on online services.
Chaves is a former World Bank official and finance minister who has promised to shake up the political system, and his government declared a state of emergency this month in response to the cyber attack, calling it “unprecedented in the country”.
In its emergency declaration, Chaves’ administration stated that the country is facing an “unavoidable disaster”.
“We are facing a situation of unavoidable disaster, of public calamity and internal and abnormal commotion that, without extraordinary measures, cannot be controlled by the government,” the Chaves administration said.
The government added that the state of emergency allows agencies to move more quickly to remedy the breach.
According to cyber security researchers, a partial recovery could take months, and the government may never fully recover its data. The government may have backups of some of its taxpayer information, but it would take some time for those backups to come online, and the government would first need to ensure it had removed Conti’s access to its systems before restoring from them, researchers noted.
Paying the ransom would not guarantee a recovery because Conti and other ransomware groups have been known to withhold data even after receiving a payment.
“Unless they pay the ransom, which they have stated they have no intention of doing, or have backups that are going to enable them to recover their data, they are potentially looking at total, permanent data loss,” Callow from Emsisoft added.
When Costa Rica refused to pay the ransom, Conti began threatening to leak its data online, posting some files it claimed contained stolen information.
“It is impossible to look at the decisions of the administration of the president of Costa Rica without irony,” the Conti group wrote on its website.
“All this could have been avoided by paying,” they said.
Conti then raised the stakes, threatening to delete the keys to restore the data if it did not receive payment within a week.
For governments, intelligence agencies and diplomatic circles, the debilitating part of the attack is not really the ransomware, Guerrero-Saade at SentinelOne noted, but the “data exfiltration”.
“You’re in a position where presumably incredibly sensitive information is in the hands of a third party,” Guerrero-Saade said.
The breach, among other attacks carried out by Conti, led the US State Department to join with the Costa Rican government to offer a $10 million reward to anyone who provided information that led to the identification of key leaders of the hacking group.
In a statement, Ned Price, US State Department spokesman, said the group had perpetrated a ransomware incident against the government of Costa Rica that severely impacted the country’s foreign trade by disrupting its customs and taxes platforms.
“In offering this reward, the United States demonstrates its commitment to protecting potential ransomware victims around the world from exploitation by cyber criminals,” Price said.