It’s been a rough start for the newly-elected Costa Rica president Rodrigo Chaves, who less than a week into office declared his country “at war” with the Conti ransomware gang.
“We’re at war and this is not an exaggeration,” Chaves local told media. “The war is against an international terrorist group, which apparently has operatives in Costa Rica. There are very clear indications that people inside the country are collaborating with Conti.”
Conti’s assault on the Costa Rican government began in April. The country’s Finance Ministry was the first hit by the Russia-linked hacking group, and in a statement on May 16, Chaves said the number of institutions impacted had since grown to 27. This, he admitted, means civil servants wouldn’t be paid on time and impact the country’s foreign trade.
In a message posted to its dark web leaks blog, Conti urged the citizens of Costa Rica to pressure their government to pay the ransom, which the group doubled from an initial $10 million to $20 million. In a separate statement, the group warned: “We are determined to overthrow the government by means of a cyber attack, we have already shown you all the strength and power.”
Conti is among the most prolific hacking groups. The FBI warned earlier this year that the gang was among “the three top variants” that targeted businesses in the United States attacks, and it has been blamed for ransomware targeting dozens of businesses, including Fat Face, Shutterfly, and the Irish healthcare service.
But Conti has picked up its pace in recent months: in January and February it published 31 victims on its leaks blog. In March and April, it posted 133 victims.
Why Costa Rica?
Some believe that Conti’s campaign against Costa Rica is motivated for siding with Ukraine. Experts say all signs point to money.
Brett Callow, a ransomware expert and threat analysis at Emsisoft, told TechCrunch that “there’s no reason to believe that the attack on Costa Rica is other than financially-motivated.” And Maya Horowitz, the vice president of research at Check Point Software, said based on their research, Conti’s extortion planning is “very focused and based on the ability of the victim to pay.”
Chaves has repeatedly blamed the attack on his predecessor, former president Carlos Alvarado, for not investing in cybersecurity. While it’s unclear exactly what measures the country had implemented to protect against cyberattacks, Jorge Mora, the country’s director of digital governance recently said that four million hacking attempts were recently blocked thanks to “protection systems” installed across institutions.
But it’s more likely that Costa Rica was just unlucky and targeted as part of a wider operation rather than due to any perceived weakness.
“Situations like this reflect the asymmetric realities of attack and defense where attackers only need to be lucky once,” Jamie Boote, a software security consultant at the Synopsys Software Integrity Group, told TechCrunch. “If one in one hundred targets becomes a victim that can pay out millions in ransom, then it pays to target hundreds.”
Callow adds that it’s also possible that Conti targeted Costa Rica due to the increased success US and European law enforcement have seen in disrupting their operations.
“They may not make as much money off attacks in countries like Costa Rica and Peru, but they’re not going to end up with a multi-million dollar bounty on their heads or with US Cyber Command in their servers,” said Callow. “Less gain, less risk. Or, at least, that’s what they may believe.”
An inside job?
In a message posted to its dark web blog over the weekend, Conti claimed it had “insiders in [the Costa Rican] government”, which could go some way to explaining why the country became a target, or why the attack had such a devastating impact. This claim was echoed by President Chaves earlier this week, saying “there are very clear indications that people within the country are collaborating with Conti.”
However, security experts tell TechCrunch that Conti’s claims should be treated with a heavy dose of skepticism.
“Dark web records reveal a user by this moniker has only been active on a popular cybercrime forum since March 2022 — around a month before the attacks on Costa Rica started,” Louise Ferrett, threat analyst from Searchlight Security, tells TechCrunch. “So, while it’s possible Conti could have bribed or socially engineered insiders within the country’s government, it seems unlikely they would have amassed so much influence so quickly.”
“It is a known tactic for ransomware gangs to make exaggerated and outlandish threats in order to instill a sense of urgency in the victim and obtain a ransom payment,” Ferrett said.
What — or who — is next?
“The success of these attacks should concern smaller governments around the world,” Allan Liska, an intelligence analyst at Recorded Future tells TechCrunch. He added:
While many ransomware groups won’t touch national governments, others, like Conti feel they are untouchable and will go after whatever victim they want because they assume there will be no consequences. This is going to be an bigger problem and governments have to take firm action against ransomware actors. These are non-nation-state groups engaging in essentially nation-state-style attacks and there should be appropriate repercussions for these actions.
This is a viewpoint shared by Callow, who tells TechCrunch that we can expect to see organizations in countries outside of the US receive more attention from ransomware gangs, particularly in low-income countries where cybersecurity spending is lower. “The US public and private sectors are vulnerable to cyberattacks, and may be even more vulnerable in other countries,” he said.
Conti’s attack against Costa Rica is ongoing. In a post on FridayConti said it will delete the encryption keys used to lock Costa Rica’s government systems on May 23. As of the time of writing, Costa Rica’s government has refused to give in to Conti’s ransom demands.
But we are already seeing the emergence of similar attacks on smaller nation states. Greenland’s government this week confirmed that the island’s hospital system was “severely” impacted by a cyberattack, which has meant that hospital workers cannot access any patient medical records.