Costa Rica has been making headlines over the last few months, especially after President Rodrigo Chaves Robles declared a national state of emergency. The declaration followed a series of ransomware attacks that brought much of Costa Rica's economy to a halt, affecting several branches of government and the public sector at large.
For many in Latin America this came as no surprise: Costa Rica is known to have below-average cybersecurity infrastructure and is no stranger to cyberattacks. According to Bleeping Computer, in 2021 alone organizations in Costa Rica suffered, on average, over 1,200 cyberattacks per week, ranging from manufacturers to other businesses with weak infrastructure. This time, however, the attack was directed at the government of Costa Rica, with the group behind it, Conti, demanding ever-increasing ransoms after claiming to possess over 670GB of government data.
Even with the time between Conti's first threats and its decision to expose some of the stolen data, the Costa Rican government's lack of preparation for a cyberattack of this scale left it without the resources to mount an incident response that could contain and limit the damage, leaving Conti with the upper hand.
So, what exactly happened? Who or what is Conti? Could all of this have been prevented, or at the very least contained? And is it over yet? We explore the answers to these questions and more below.
Why is Costa Rica under national emergency after the Conti ransomware cyberattack?
On May 8th, the very day President Rodrigo Chaves Robles took office as the newly elected president of Costa Rica, he declared a national state of emergency. The announcement followed the country's month-long struggle with ransomware attacks that had severely crippled the economy. At the time, the resulting standstill was estimated to be costing the country at least $38 million for each day its systems remained down.
What is the Conti ransomware attack in Costa Rica?
On April 17th, 2022, Costa Rica became the victim of a large-scale ransomware attack by Conti, a prominent ransomware group. The attackers initially targeted the country's Ministry of Finance, which announced the intrusion on Twitter on April 18th. Conti demanded a $10 million ransom, which the government, then still under President Carlos Alvarado Quesada, declined to pay. The Ministry of Finance was the first government body affected: its tax administration and customs platforms were taken offline, halting digital financial services such as payments, tax filing, service billing, and more.
After President Chaves publicly refused to pay the ransom on May 8th, Conti proceeded to publish 97% of the data it had been holding as leverage on its leak site.
By May 16th, President Chaves confirmed that the number of affected institutions in Costa Rica had grown to twenty-seven. Around this time Conti doubled its ransom demand to $20 million, presumably confident that the damage already caused would be enough to pressure the government into giving in. The group encouraged the citizens of Costa Rica to pressure their government into paying, stating that if the ransom was not paid by May 23rd it would delete the decryption keys, leaving the government and its people stranded.
At this point, Costa Rica turned to the United States for help; the US government offered a reward of up to $15 million for information about Conti's operations and the identity of its members that would lead to the group being tracked down and dismantled.
While ransomware is ultimately driven by financial gain, in the case of Conti and Costa Rica the situation goes beyond a victim selected at random for its network and infrastructure weaknesses. Conti's goal may not have been to make a political statement, but its geopolitical position and its association with Russia played a significant role in the Costa Rica attack.
After publicly supporting the Russian invasion of Ukraine, Conti lost a great deal of support. "Their anti-US and anti-West statements attracted a lot of attention all around the world, exposing their political stance and turning away the support of organizations that previously funded them. So the amount of ransom they collected in the last few months significantly declines," says Guy Rosefelt, Chief Product Officer at Sangfor Technologies, in a webinar. "The second thing that happened is that in order to maintain a low profile, targeting large companies and nations such as the United States was no longer a good idea, so they started targeting smaller countries in Latin America because they have less security, and less of a cyber response capability."
This did not restore the group's position, and Conti appears to have used Costa Rica as an exit strategy. "They used the Costa Rican attack as their Swan Song. They knew they were going to have to go out soon so what they did was, after probing around Latin America, they figured out how to successfully infiltrate and attack Costa Rica." This was Conti's finale before it supposedly disbanded; had it succeeded, the Costa Rica ransom would have been the group's final jackpot.
Of course, whether or not Conti achieved that goal, a ransomware group "going away" rarely means its operations cease altogether; more often its members join subgroups or other organizations. This would explain the "coincidental" attack by the Hive ransomware group on Costa Rica's public health service and social security fund, the CCSS, in late May 2022.
That attack was just as damaging, affecting public health systems such as COVID-19 testing and tracking and forcing hospitals across the country to fall back to pen and paper. Hive is well known for attacking healthcare organizations worldwide, so the attack fits its modus operandi.
However, its alignment with Conti's activities continues to raise eyebrows, even though Hive denied any affiliation with Conti on its website.
Costa Rica continues to suffer the effects of these attacks, and it does not look as though it will fully recover any time soon.
What is RaaS - Ransomware as a Service?
Ransomware as a Service (RaaS) refers to the use of ransomware as a business model. Groups such as Conti function by providing ransomware, together with the infrastructure around it, to affiliates and buyers.
Developers build and maintain the ransomware code and its supporting infrastructure, such as the payment portal and the data leak site, while affiliates or buyers use it to infect the systems of target organizations. The service is paid for either as a share of the profits from each deployment or as a one-off payment, just as any other business operates; many cybercrime groups even run subscription-based models that come with benefits such as forum access, 24/7 support, and bundled tooling. Read more about Expert Tips on Improving Organizational Cyber Defense to learn more about securing your organization's infrastructure.
Conti is of course not the first cybercrime group to operate this way; DarkSide and REvil are two other notorious RaaS groups. DarkSide supposedly ceased operations in 2021 following its attack on Colonial Pipeline, which resulted in a six-day shutdown of the pipeline, public outrage, and DarkSide's announcement that it was shutting down. The group was said to have stolen and released more than 2TB of data and received over $90 million in just nine months.
REvil was another Russia-based RaaS provider. It is estimated to have received more than $200 million since becoming active in April 2019, after another RaaS group, GandCrab, ended its operations. According to IBM, REvil was responsible for 37% of ransomware attacks in 2021, a year in which ransomware was the number one type of cyberattack. Russia's Federal Security Service (FSB) claimed to have shut down REvil after raids across five Russian regions, according to the New York Times.
While ransomware attacks can look alike, groups tend to be particular about their targets. DarkSide, for example, claimed to avoid healthcare organizations, non-profit organizations, and schools, while Hive is known to target healthcare facilities. This only goes to show that no one is exempt from being a potential target.
Use Sangfor Products to safeguard against cyberattacks such as Conti ransomware attack in Costa Rica
Ransomware such as Conti is operated by skilled criminal operators with the expertise to bypass standard security controls such as firewalls and to use well-crafted phishing to gain access to networks. Safeguarding against attacks of this complexity requires anti-ransomware tools and cybersecurity strategies that are equally capable, even if they are not complex, and that is what Sangfor provides.
An effective anti-ransomware tool continuously monitors your organization's environment. Automated, continuous threat detection is essential for staying guarded against attacks at all times.
Sangfor solutions integrate network monitoring with endpoint security solutions to provide a converged threat detection and response platform that runs continuously.
Sangfor's XDDR (Extended Detection, Defense and Response) framework uses a firewall that communicates directly with endpoint security to verify that no stage of the attack chain has been breached; should a breach be detected, the response is immediate, eradicating the threat while tracing its origin and repairing the weak points. Vulnerability scan results are fed back to the NGAF (Next Generation Application Firewall) so that the collected data circulates across all points for full visibility across the network. Furthermore, with the rise in remote work, XDDR uncovers hidden threats both on-site and at remote locations.
Sangfor runs continuous assessments both before and after integration to give a clearer view of any weaknesses in the network that leave room for improvement.
Finally, while relying solely on backups is not enough, integrating security solutions with Sangfor HCI allows backups to be stored in the cloud regularly and accessed as needed. In today's cloud-dominant world, it is important that your cloud (private, public, or hybrid) is secure, as it plays an integral role in the inflow and outflow of organizational data.
The convergence of our wide range of cybersecurity solutions makes for a full-coverage cybersecurity strategy, risk management, and disaster recovery plan. At Sangfor we do not believe that there is just one platform that is a solution to every cybersecurity issue, so we combine a range of sophisticated security and cloud computing solutions to create a simple, secure, and manageable system that meets business needs, drives performance and protects your business.
So, could Costa Rica have avoided the attack? Maybe not, but it certainly could have lessened the impact. "[Costa Rica] should have considered more robust cyber screening solutions earlier on," says Guy in his webinar. You can view the recording here.
It is important to note that some cyberattacks are inevitable, but a strong recovery plan will limit your losses. Early detection and immediate response are essential to business continuity. Costa Rica is an example of what happens when organizations of all kinds, be they government or enterprises, underestimate the importance of preparedness in the context of digital crises. An investment in cybersecurity solutions is an investment in an organization’s ability to manage its assets and come back from disasters that interrupt its processes and systems.
Conti may have taken down its website and gone underground, but the effects of its attack still weigh heavily on Costa Rica.
Frequently Asked Questions
A Conti ransomware attack is an attack carried out by the Conti cybercrime group, which uses various methods to gain access to organizations' networks. The speed at which Conti ransomware spreads makes these attacks particularly dangerous, as they cause extensive damage in a very short time.
Conti's most recent victim was the government of Costa Rica; however, since the group was first observed in 2020, it has carried out several large-scale attacks on both public and private organizations. Its most notorious victims include the multinational electronics company JVCKenwood, which was asked for a ransom of $7 million, and Ireland's HSE (Health Service Executive), the body responsible for providing the country's health services, which suffered a massive attack that forced it to shut down its IT systems. The shutdown was an attempt to halt the spread after Conti demanded a $20 million ransom, which HSE refused to pay. It caused disruption in hospitals and health services all across the country, but it allowed the organization to assess the situation with its security partners. Unfortunately, the damage sustained amounted to over $100 million, with the cost of recovery potentially exceeding $600 million, according to HSE's director general Paul Reid. These two incidents barely scratch the surface: the group's victim count has risen beyond 1,000, with payouts from successful attacks exceeding $150 million. In May 2021, United States law enforcement warned that Conti had attempted to breach the networks of several US healthcare and first responder organizations.
Costa Rica was deeply affected by the Conti ransomware attack in several ways. What began as an attack on the Ministry of Finance spread to twenty-seven institutions and hundreds of services across the country.
Costa Rica declared a national emergency after the Conti ransomware attacks due to the gravity of the attacks on the country, which were said to be costing the country $38 million per day.
While the identities of its members are still unknown, Conti has been linked to the Russian cybercrime group Wizard Spider, and it is widely believed that Conti operates with the tolerance of the Russian government. On several occasions Conti has publicly declared its allegiance to Russia, going as far as only admitting Russians or Russian-speaking individuals as members. The people behind Conti are therefore understood to be Russian hackers and IT professionals. A leak of Conti's internal communications by Ukrainian researchers revealed numerous pseudonyms used by Conti members at different levels of the hierarchy, but their true identities remain unknown.
Conti commonly uses phishing to gain an initial foothold, infecting systems with the TrickBot and BazarLoader trojans, which then give the operators a way to move further into the network. Conti's phishing emails claim to come from, and usually appear to come from, trusted sources, and direct recipients to links hosting maliciously crafted documents. Once inside, Conti steals as much data as it can reach and then encrypts every file it has access to, using the stolen data as leverage to demand a ransom from its victims. Another route Conti uses to gain access is exploiting vulnerabilities in existing security infrastructure such as firewalls. Conti's strength also lies in its continuous refinement over time; it has developed methods to destroy backups, including those made with the popular Veeam recovery software.
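Because backup destruction is the step that turns a recoverable intrusion into a ransom situation, it is also the point at which detection still pays off. The script below is an added example (it is not code from this article or from Sangfor) showing how a detection pass over process-creation logs can flag the commands that typically precede encryption: shadow-copy deletion, stopping backup services such as Veeam's, disabling boot recovery and deleting backup catalogs. The log format, host names, user names and every sample line are constructed for the example; the command patterns are generic precursor indicators used by many ransomware operators, not a verified list of Conti's own commands.

```python
"""Flag backup-destruction precursors in process-creation logs.

Added example (not code from the original article or from Sangfor). The log
format, host names, user names and every sample line below are constructed for
this example. The command patterns are generic indicators of shadow-copy
deletion, backup-service tampering and recovery disabling that ransomware
operators commonly run shortly before encryption; they are not a verified list
of Conti's own commands.
"""
import re
from dataclasses import dataclass

# (indicator name, regex applied to the lower-cased command line)
PRECURSOR_PATTERNS = [
    ("shadow_copy_delete",    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows")),
    ("shadow_copy_delete",    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete")),
    ("shadow_storage_resize", re.compile(r"vssadmin(\.exe)?\s+resize\s+shadowstorage")),
    ("backup_service_stop",   re.compile(r'(net1?(\.exe)?|sc(\.exe)?)\s+stop\s+"?veeam')),
    ("backup_service_stop",   re.compile(r"stop-service\b.*veeam")),
    ("boot_recovery_disable", re.compile(r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no")),
    ("backup_catalog_delete", re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog")),
]

# Constructed log format: "<timestamp> host=<host> user=<user> cmd=<command line>"
LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+cmd=(?P<cmd>.*)$")


@dataclass
class Finding:
    host: str
    user: str
    indicator: str
    command: str


def parse_line(line):
    """Return the log fields as a dict, or None for lines that do not match the format."""
    m = LOG_LINE.match(line.strip())
    return m.groupdict() if m else None


def detect_precursors(lines):
    """Return one Finding per log line whose command matches a precursor pattern."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        cmd = rec["cmd"].lower()
        for name, pattern in PRECURSOR_PATTERNS:
            if pattern.search(cmd):
                findings.append(Finding(rec["host"], rec["user"], name, rec["cmd"]))
                break  # one finding per line; the first matching pattern decides the label
    return findings


def hosts_to_escalate(findings, min_distinct=2):
    """Hosts on which several distinct precursor types occur: the strongest signal that
    an operator is preparing to encrypt, as opposed to an admin running a single command."""
    kinds_by_host = {}
    for f in findings:
        kinds_by_host.setdefault(f.host, set()).add(f.indicator)
    return sorted(h for h, kinds in kinds_by_host.items() if len(kinds) >= min_distinct)


# Constructed sample log: three precursor commands on FIN-DC01 within seconds of each
# other, a lone shadow-copy deletion on FIN-FS03, and benign Veeam/vssadmin activity.
SAMPLE_LOG = [
    r"2022-04-17T02:14:05Z host=FIN-DC01 user=CORP\svc_backup cmd=C:\Windows\System32\vssadmin.exe delete shadows /all /quiet",
    r"2022-04-17T02:14:09Z host=FIN-DC01 user=CORP\svc_backup cmd=net stop VeeamBackupSvc /y",
    r"2022-04-17T02:15:31Z host=FIN-DC01 user=CORP\svc_backup cmd=bcdedit /set {default} recoveryenabled No",
    r"2022-04-17T08:03:12Z host=FIN-WS22 user=CORP\jperez cmd=C:\Program Files\Veeam\Backup\Veeam.Backup.Manager.exe",
    r"2022-04-17T08:05:00Z host=FIN-WS22 user=CORP\jperez cmd=vssadmin list shadows",
    r"2022-04-17T09:00:00Z host=FIN-FS03 user=CORP\admin cmd=wmic shadowcopy delete",
    "this line is not in the expected format and is skipped",
]


if __name__ == "__main__":
    found = detect_precursors(SAMPLE_LOG)
    for f in found:
        print(f"[{f.indicator}] {f.host} {f.user}: {f.command}")
    print("escalate:", hosts_to_escalate(found))
```

Run against the constructed sample, the pass flags the three commands on FIN-DC01 and the single shadow-copy deletion on FIN-FS03, while the legitimate Veeam console launch and the read-only `vssadmin list shadows` are left alone. Escalating only hosts where several distinct precursor types co-occur keeps a single administrative command from paging the on-call engineer, while a burst of them within minutes on one host is exactly the pre-encryption window in which isolating the machine still protects the backups.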