The Costa Rican public health service, known as the Costa Rican Social Security Fund (CCSS), was forced to shut down its systems after being hit by Hive ransomware.
In a statement on Twitter, the CCSS said the attack began early Tuesday morning and is currently under investigation. It added that the attack did not affect several databases on wages and pensions, including the Unified Digital Health System and the Centralized Tax Collection System. In statements to local media, the CCSS added that the Hive ransomware was deployed on at least 30 of the government’s 1,500 servers and that any recovery time estimates remain unknown.
Several CCSS employees said they were ordered to turn off their computers after all of their printers started producing illegible documents. Another employee said that, as a result of the attack, COVID-19 results could not be reported at this time.
The attack comes just weeks after Costa Rican President Rodrigo Chaves declared a national emergency in response to cyberattacks by the Conti ransomware group. The Costa Rican Ministry of Finance was the first government agency to be hit by the Russia-linked hacking group, and in a May 16 statement, Chaves said the number of affected institutions had since risen to 27.
In a post published at the time on its dark web leak blog, Conti urged the citizens of Costa Rica to pressure their government to pay a ransom, which the group doubled from the original $10 million to $20 million. In a separate statement, the group warned: “We are determined to overthrow the government with a cyber attack, we have already shown you all the strength and power.”
Cybersecurity experts have speculated that the cybercriminals behind this latest Hive ransomware attack may have been working with the Conti gang to help the group rebrand and avoid international sanctions targeting ransom payouts to cybercriminals operating in Russia.
According to the threat intelligence company AdvIntel, Conti “can no longer adequately support and extort” due to its public loyalty to Russia in the early days of the Russian invasion of Ukraine, and AdvIntel believes the group is in the process of shutting down. The gang’s official website and its negotiation service site went down, and the rest of its infrastructure, from chats and instant messengers to servers and proxy hosts, experienced a massive reset.
As a result, AdvIntel believes the gang has formed alliances with other ransomware groups, including Hive, a ransomware-as-a-service (RaaS) operation that has been active since at least June 2021.
Brett Callow, ransomware expert and threat analyst at Emsisoft, told TechCrunch: “The same person can be affiliated with both Conti and Hive, and possibly other RaaS operations as well. It is also possible that Conti and Hive developed a working relationship, as other researchers have argued.
“Some negotiating firms have refused to do deals with Conti, as they have sided with Russia and threatened attacks on critical US infrastructure, due to the risk of OFAC/sanctions complications. Because of this, it is likely that the core team and/or affiliates want the attacks to be linked to other ransomware operations.”
Credit: techcrunch.com