For the last Costa Rica has been under siege for two months. Two main ransomware the attacks have wreaked havoc on many of the country’s essential services, throwing the government into chaos as it struggles to respond. Officials say international trade has ground to a halt due to the ransomware virus and more than 30,000 medical visits have been rescheduled and tax payments have also been thwarted. Millions of people have been lost to the attacks, and employees of affected organizations have turned to pen and paper to get things done.
The Costa Rica government, which changed midway through the attacks after elections earlier this year, has declared a “national emergency” in response to ransomware, the first time the country has done so in response to a cyberattack. According to new President Rodrigo Chávez, during the first attacks, which lasted from mid-April to early May, 27 government agencies were affected. A second attack at the end of May caused Costa Rica’s healthcare system to go into a spiral. Chaves declared “war” on the guilty.
At the heart of hacker fun lies Conti, a notorious Russian-linked extortion gang. Conti claimed responsibility for the first attack on the Costa Rican government and is believed to have some ties to ransomware Operation HIVE, which was responsible for the second attack affecting the healthcare system. Last year Conti extorted over $180 million from his victims and he has a history of targeting health organizations. However, in February, thousands of band members internal messages and files were published on the Internet after supporting Russia’s war against Ukraine.
Even among Conti’s long track record of over 1000 ransomware attacks, those who are against Costa Rica stand out. This is one of the first times a ransomware group has explicitly targeted a government, and in the process, Conti uncharacteristically called for the overthrow of the Costa Rican government. “This is arguably the most serious ransomware to date,” says Emsisoft Threat Analyst Brett Callow. “I can’t think of another case where the entire federal government demanded such a ransom – this is the first time; it’s completely unprecedented.”
What’s more, the researchers speculate that Conti’s brazen actions may just be a heartless sham done to draw attention to the group as it abandons its toxic trademark and its members move on to other ransomware.
The first ransomware attack against the government of Costa Rica began within a week of April 10th. For a week, Conti investigated the systems of the Ministry of Finance, known as Ministerio de Hacienda, explains Jorge Mora, former director of the Ministry of Science and Innovation. , Technology and Telecommunications (MICIT) that helped respond to attacks. By the morning of April 18, files at the Ministry of Finance were encrypted and two key systems were damaged: the digital tax office and the IT system for customs control.
“They affect all export-import services in the country where the goods are produced,” says Mora, who left the government on May 7 before the change of administration. Mario Robles, CEO and founder of Costa Rican cybersecurity firm White Jaguars, believes “several terabytes” of data and more than 800 servers at the Treasury Department were affected. Robles says his company was involved in responding to the attacks, but cannot name who it worked with. (The Treasury Department did not respond to WIRED’s request for comment.)
“The private sector has been hit hard,” Mora says. Local reports say import and export businesses have faced lack of shipping containers and estimated losses range from 38 million dollars a day up to $125 million in 48 hours. “The disruption paralyzed the country’s imports and exports, which had a big impact on trade,” says Joey Milgram, area manager for Costa Rica at cybersecurity firm Soluciones Seguras. “After 10 days, they implemented a manual import form, but it took a lot of paperwork and many days,” adds Milgram.
But the attack on the Treasury was only the beginning. The timeline Mora shared claims that Conti tried to hack into various government organizations almost every day between April 18 and May 2. Local authorities such as the Municipality of Buenos Aires were targeted, as were central government organizations, including Ministry of Labor and Social Protection. In some cases, Conti was successful; in others it failed. Mora says the US, Spain and private companies helped Conti defend against attacks by providing software and indicators of compromise related to the group. “It blocked Conti a lot,” he says. (In early May, the US published $10 million reward for information on Conti’s leadership.)
On May 8, Chavez began his four-year term as president and immediately declared a “national emergency” over ransomware attacks, calling the perpetrators “cyber terrorists.” Nine of the 27 targeted bodies were “heavily affected,” Chavez said May 16. MIIT, which oversees the response to the attacks, did not respond to questions about the progress of the recovery, despite initially offering to arrange interviews. .
“All the national institutions don’t have enough resources,” says Robles. During the recovery, he said, he saw organizations running outdated software, making it much more difficult to deliver the services they provide. In some bodies, according to Robles, “there is not even a person involved in cybersecurity.” Mora adds that the attacks show that Latin American countries need to increase their cybersecurity resilience, pass laws making cyberattack reporting mandatory, and allocate more resources to protect government institutions.
But just as Costa Rica began to control Conti’s attacks, another hammer blow was struck. On May 31, the second attack began. The systems of the Costa Rican Social Security Fund (CCSS), which organizes health care, have been shut down, plunging the country into a new kind of turmoil. This time, the HIVE ransomware, which has some connections with Conti, was accused.
The attack had a direct impact on people’s lives. Health systems shut down and printers started throwing out trash, first reported security journalist Brian Krebs. Since then, patients have complained about delays in receiving treatment, and CCSS has been warning parents whose children have had surgery that they you may have trouble finding your children. The health service also started printing discontinued paper forms.
By June 3rd CCSS announced “institutional emergency”, with local reports claiming that 759 out of 1500 servers and 10,400 computers were affected. A CCSS spokesperson said the hospital and emergency services are currently operating as normal and the efforts of their staff continue to provide care. However, those seeking medical care have experienced significant disruption, with 34,677 appointments rescheduled as of June 6. and all operating rooms experienced some disruptions.
There are questions about whether two separate ransomware attacks on Costa Rica are related. However, they appear because the face of ransomware can change. In recent weeks, Russia-linked extortionist gangs changed their tactics to avoid US sanctions and are fighting for their territory more than usual.
Conti first announced its attack on the Treasury Department on its blog, where it posts the names of its victims and, if they don’t pay the ransom, the files it stole from them. A person or group calling themselves unc1756 – the abbreviation “UNC” is used by some security firms to identify “unclassified” intruders— used the blog to claim responsibility for the attack. The attacker demanded $10 million in ransom, later increasing the figure to $20 million. When the payment failed, they started uploading 672 GB of files to the Conti website.
However, Conti’s behavior was more erratic and disturbing than usual – the attacker had gone into politics. “I appeal to all residents of Costa Rica, go to your government and organize rallies,” one of Conti’s blog posts. said. “We are determined to bring down the government with a cyberattack,” reads another message directed at Costa Rica and “US terrorists (Biden and his administration).”
“I don’t think I have ever seen cybercriminals use, at least publicly, such rhetoric against any government,” says Sergey Shikevich, head of the Threat Intelligence team at security firm Check Point, who also notes that Conti targeted the Peruvian Ministry of Finance and intelligence agencies. around the same time that Costa Rica attacks. Shikevich says Conti’s behavior has been criticized in Russian-language hacker forums because involvement in politics would draw more attention to cybercriminals.
Some believe that Conti’s attack on Costa Rica may have been intended as a distraction. May 19 US cybersecurity firm AdvIntel announces termination of Conti operations, saying the group began to dismantle its brand, but not its overall organizational structure, in early May. Citing notoriety within the gang, AdvIntel reported that the admin panel of the news site Conti had been shut down. “The chat service site was also down, while the rest of the infrastructure, from chats to instant messengers and from servers to proxy hosts, was subjected to a massive reboot,” AdvIntel said in a statement. briefing.
As Conti voiced its support for Vladimir Putin’s war in Ukraine and threatened to hack into anyone who targets Russia, the group has struggled to make money. “Now it’s much more difficult for them to receive payments from US victims,” Callow says. “Some negotiating firms will no longer deal with them for fear of violating OFAC sanctionsand some companies won’t necessarily want to do business with them because they don’t want to be seen as potentially sponsoring terrorism.” ADVIntel goes even further, stating that Conti cannot “enough support and extortion”, prompting the group to lash out at him.
A few weeks later, AdvIntel CEO Vitaly Kremez reported that Conti’s services were still down. The attack in Costa Rica, at least in AdVIntel’s eyes, was supposed to give Conti a cover while the company continued to rebrand and began using different types of ransomware. Despite this, Conti’s latest reckless public act may leave a mark. Although cybercriminals cannot regularly attack national governments, a new precedent has been set. “Conti ushered in a new era of ransomware,” says Check Point’s Shikevich. “They have proven and shown that a group of cybercriminals can engage in extortion in the country.”
Credit: www.wired.com /