Conti’s Attack Against Costa Rica Sparks a New Ransomware Era

For the last two months, Costa Rica has been under siege. Two major ransomware attacks have crippled many of the country’s essential services, plunging the government into chaos as it scrambles to respond. Officials say that international trade ground to a halt as the ransomware took hold and more than 30,000 medical appointments have been rescheduled, while tax payments have also been disrupted. Millions have been lost due to the attacks, and staff at affected organizations have turned to pen and paper to get things done.

Costa Rica’s government, which changed midway through the attacks after elections earlier this year, has declared a “national emergency” in response to the ransomware—marking the first time a country has done so in response to a cyberattack. Twenty-seven government bodies were targeted in the first attacks, which ran from mid-April until the start of May, according to new president Rodrigo Chaves. The second attack, at the end of May, has sent Costa Rica’s health care system into a spiral. Chaves has declared “war” on those responsible.

At the heart of the hacking spree is Conti, the notorious Russia-linked ransomware gang. Conti claimed responsibility for the first attack against Costa Rica’s government and is believed to have some links to the ransomware-as-a-service operation HIVE, which was responsible for the second attack impacting the health care system. Last year, Conti extorted more than $180 million from its victims, and it has a history of targeting health care organizations. However, in February thousands of the group’s internal messages and files were published online after it backed Russia’s war against Ukraine.

Even among Conti’s long rap sheet of more than 1,000 ransomware attacks, those against Costa Rica stand out. They mark one of the first times a ransomware group has explicitly targeted a nation’s government, and during the process Conti uncharacteristically called for the Costa Rican government to be overthrown. “This is possibly the most significant ransomware to date,” says Emsisoft threat analyst Brett Callow. “I can’t recall another occasion when an entire federal government has been held to ransom like this—it’s a first; it’s quite unprecedented.”

What’s more, researchers suggest that Conti’s brazen actions may just be callous showboating, enacted to draw attention to the group as it winds down its toxic brand name and its members move on to other ransomware efforts.

“National Emergency”

The first ransomware attack against Costa Rica’s government started during the week of April 10. Throughout the week, Conti probed the systems of the Ministry of Finance, known as Ministerio de Hacienda, explains Jorge Mora, a former director of the Ministry of Science, Innovation, Technology and Telecommunications (MICIT) who helped lead the response to the attacks. By the early hours of April 18, files within the finance ministry had been encrypted and two key systems had been crippled: the digital tax service and the IT system for customs control.

“They affect all the export/import services in the country of the products,” says Mora, who left the government on May 7 ahead of the administration change. Mario Robles, the CEO and founder of Costa Rican cybersecurity company White Jaguars, estimates that “several terabytes” of data and more than 800 servers at the finance ministry have been impacted. Robles says his company has been involved in the response to the attacks but says he cannot name who it has worked with. (The finance ministry did not respond to WIRED’s request for comment.)

“The private sector was very affected,” Mora says. Local reports say import and export businesses faced shipping container shortages and estimated losses range from $38 million per day up to $125 million over 48 hours. “The disruption paralyzed the imports and exports of the country, making a big impact on the commerce,” says Joey Milgram, a country manager for Costa Rica at cybersecurity company Soluciones Seguras. “They implemented, after 10 days, a manual form to import, but it was taking much paperwork and many days to process,” Milgram adds.