What’s going on with Costa Rica’s ‘war’ with the Conti ransomware group?

24 May 2022


What do we know about the Conti ransomware group? Could it overthrow a government? Here is what you need to know about the cyberattacks in Costa Rica.

Costa Rica has been dealing with a growing ransomware assault since mid-April this year after being targeted by the notorious Conti hacking group.

The severity of the attack has intensified in recent weeks and severely impacted the country’s foreign trade by disrupting its customs and taxes platforms. Costa Rica declared a state of national emergency on 8 May as a result.

Less than a week after coming into office, the country’s president Rodrigo Chaves told local media on 16 May that Costa Rica is “at war” with the Conti group “and that is not an exaggeration”.

How severe is the attack?

Chaves said that 27 government institutions have now been impacted as a result of the cyberattack, with nine being significantly affected.

It has impacted the ability of Costa Rica’s treasury department to pay staff, the BBC reports. The treasury warned civil servants that they would not be paid on time and would have to apply by email, on paper or by hand to receive their salaries.

The criminal group behind the Conti ransomware was initially demanding a $10m ransom for the attacks to cease, but has since raised the price to $20m.

Conti is known as ‘double-extortion’ ransomware, meaning that as well as holding access to systems to ransom, the malware might also steal information stored on the system. Hackers can then threaten to release this private information online if a payment is not made.

The Conti group has already posted more than 600GB of Costa Rican government data online and has threatened to release more if the ransom is not met.

In a dark web blog, the Conti group urged Costa Rica’s citizens to pressure their government to pay the ransom. The group also warned that it is “determined to overthrow the government by means of a cyberattack”, TechCrunch reports.

Could Conti overthrow a government?

One of the biggest issues Costa Rica is facing right now is Conti’s threat that it will delete the decryption keys needed to restore the government’s systems unless the group is paid.

If this happens, it is unclear how long it would take for Costa Rica to restore the government services that have been disrupted.

CEO of cybersecurity platform Defence.com Oliver Pinson-Roxburgh said Conti’s attack is a “stark warning” of the real-world, widespread damage that can be caused by cyberattacks.

“Successful breaches have the potential to spiral and cause far-reaching disruption,” Pinson-Roxburgh added. “Conti has been able to inflict damage to everything from Costa Rica’s health services through to impeding the flow of foreign trade.”

Chaves has hinted at the risk of a government collapse and said there are “clear indications” that people within Costa Rica are collaborating with the criminal group.

The CTO of cybersecurity start-up Redacted, Matt Georgy, said the group’s threat of overthrowing a government takes the risk of ransomware to a new level.

“No longer are ransomware actors threatening victims purely for financial gain, they’re now threatening the sovereignty of governments and overruling the free will of that government’s citizenry,” Georgy said.

What do we know about the Conti group?

First observed in 2020, the Conti ransomware has been linked to a group believed to be based near St Petersburg, Russia. It has been responsible for hundreds of cyberattacks in the past two years.

In May 2021, the Conti group was behind the HSE ransomware incident that saw more than 80pc of the IT infrastructure of healthcare services across Ireland impacted in what was said to be the most serious cyberattack ever to hit the State’s critical infrastructure.

Even though Ireland did not pay the group a ransom, the hackers behind Conti made money elsewhere. The FBI estimates that as of January 2022, there had been more than 1,000 victims of attacks associated with Conti ransomware, with victim payouts exceeding $150m.

The US Department of State announced earlier this month that it is offering up to $15m as a reward for information on the Conti group.

This includes a $10m reward for any info that leads to the identification or location of individuals holding key leadership positions, as well as a $5m reward for any info leading to the arrest of anyone conspiring or attempting to participate in a Conti attack.

Why not pay the ransom?

Paying ransoms for cyberattacks is not generally advised.

“By doing so, you risk funding other illicit activity, not to mention there is no guarantee your files will be recovered,” Pinson-Roxburgh said. “The key is transparency, reporting the incident and taking swift action to limit the damage.”

Because some ransomware victims have paid large sums to attackers, ransomware has become big business, which in turn has led to more attacks.

In the case of last year’s Colonial Pipeline cyberattack, it was reported that the payment of a $5m ransom only exacerbated the problem.

To date, Costa Rica’s government has not given any indication that it will give in to the ransom demands.

What can be done to guard against these kinds of attacks?

In response to the Costa Rica cyberattacks, some cybersecurity experts have said an identity-first approach is crucial to create a solid foundation for the security of public infrastructure.

David Mahdi, chief strategy officer of digital certificate provider Sectigo, said combining identity-first principles with least-privilege data access security is key to mitigating threats, as it ensures users or bots that fail to meet the right parameters will be instantly blocked and reported.

“Focusing on identity and access privileges drastically mitigates the damage that ransomware attacks can have on governmental institutions in the long run.”

Sam Linford, VP of EMEA channels at cybersecurity firm Deep Instinct, said ransomware groups targeting critical organisations should be seen as a “learning curve” for every country and enterprise globally.

He added that it is important to focus on preventative solutions rather than reactive ones, to ensure attacks are stopped before they can damage a network.


Leigh Mc Gowran is a journalist with Silicon Republic