Conti Ransomware Attack Spurs State of Emergency in Costa Rica

The threat group has leaked data that it claims was stolen in the breach and is promising more government-targeted attacks.

Costa Rican President Rodrigo Chaves declared a state of national cybersecurity emergency over the weekend following a financially motivated Conti ransomware attack against his administration that has hamstrung the government and economy of the Latin American nation.

The attack—attributed to the prolific Conti ransomware group–occurred three weeks ago not long after Chaves took office; in fact, the state of emergency was one of his first decrees as president. The first government agency attacked was the Ministry of Finance, which has been without digital services since April 18, according to a published report.

Other Costa Rican agencies affected include the Ministry of Labor and Social Security; the Ministry of Science, Innovation, Technology and Telecommunications; the National Meteorological Institute, among others. At this time, the entire scope of the damage is not known.
Infosec Insiders NewsletterConti reportedly demanded a ransom of $10 million from Costa Rica’s government in exchange for not releasing stolen information from the Ministry of Finance, according to a published report. Costa Rica so far has declined to pay, which resulted in Conti updating its data-leak site on Monday with 97 percent of the 672 GB of data that the group claims contains information stolen from Costa Rican government agencies, BleepingComputer  reported.

Conti—a top-tier Russian-speaking ransomware group–is known as one of the most ruthless gangs in the game, with a take-no-prisoners approach specializing in double extortion, a method in which attackers threaten to expose stolen data or use it for future attacks if victims don’t pay by a deadline.

Conti acts on a ransomware-as-a-service (RaaS) model, with a vast network of affiliates and access brokers at its disposal to do its dirty work. The group also is known for targeting organizations for which attacks could have life-threatening consequences, such as hospitals, emergency number dispatch carriers, emergency medical services and law-enforcement agencies.

The attack on Costa Rica could be a sign of more Conti activity to come, as the group posted a message on their news site to the Costa Rican government that the attack is merely a “demo version.” The group also said the attack was solely motivated by financial gain as well as expressed general political disgust, another signal of more government-directed attacks.

Next-Level Incident

The incident demonstrates how a cyber-attack can potentially be as serious as a military action or a natural disaster especially when it affects a developing nation like Costa Rica, a security professional observed.

“Costa Rica’s state-of-emergency following an attack from Conti is an important rallying call to the rest of the world,” Silas Cutler, principal reverse engineer for security firm Stairwell, wrote in an e-mail to Threatpost. “While the emergency status may have a limited direct impact … it puts the severity of this breach into the same category as a natural disaster or military incident.”

The double-extortion aspect of not only Conti’s but also a number of other ransomware group’s methods also can embolden more ransomware attacks because most targeted organizations will pay rather than risk the leak of sensitive data—providing more incentive to threat actors, noted another security professional.

“It is a large reason why most victims are paying today,” observed Roger Grimes, data-driven defense evangelist for security firm KnowBe4, in an email to Threatpost.

Conti likely has every employee’s personal login credentials to any Costa Rican government site that they visited during the time the ransomware was active on the system before it locked files, which poses a big problem for citizens using government services online if Conti indeed has leaked the info, he said.

“If Costa Rica was hosting customer-facing websites in the compromised domains, like they likely were, their customers’ credentials–which are often reused on other sites and services the customers visit–are likely compromised, too,” Grimes said. “Not paying the ransom puts not only Costa Rica’s own services at risk, but those of their employees and customers.”

Indeed, last year the city of Tulsa, OK, put its citizens on alert for potential cyber fraud after Conti leaked some 18,000 city files, mostly police citations, on the dark web following a ransomware attack on the city’s government.

U.S. Offering Aid

To help prevent future attacks like the one on Costa Rica, the U.S. government said last week that it’s offering a hefty reward–up to $10 million–for information leading to the identification and/or location of any of Conti Group’s leaders. The U.S. also will offer up to $5 million for info that can lead to the arrest or conviction of anyone conspiring in a Conti ransomware attack.

To date, Conti has been responsible for hundreds of ransomware incidents over the past two years, with more than 1,000 victims paying more than $150 million to the group, according to the FBI. This gives Conti the dubious honor of being the costliest ransomware strain ever documented, according to the feds.

While authorities pursue Conti, governments can take a number of steps to prevent ransomware attacks, security professionals noted. One is to adopt a cultural change when it comes to cybersecurity, observed Chris Clements, vice president of solutions architecture at security firm Cerberus Sentinel.

Governments should shift their focus from the historic mentality of cyber-security as an “IT cost center” toward one that views it as “a culturally ingrained approach that identifies cybersecurity investment, both in tools and people, as a critical strategic defensive shield,’ he said in an email to Threatpost.

“Until this changes, the problem of cyber-attack is going to get worse before it gets any better,” Clements said in an email to Threatpost.

Governments also can take proactive steps such as conducting perimeter reviews as a means of mitigating some of the methods Conti-affiliated access brokers use to infiltrate systems, Cutler suggested. This can better secure their perimeters and allow them to react faster to attacks.

However, even this “will not fully prevent these types of attacks” given the network of affiliates and access brokers that RaaS groups like Conti have at its disposal to breach systems, he said.

Suggested articles