IT Tips & Tricks

Published 31 May 2022

Ransomware Attack Cripples Costa Rica

If you live on planet Earth, you’re no stranger to malware or ransomware and the current escalation of attacks since Putin started the war against Ukraine. Recently, however, and perhaps for the first time in history, a nation was hit so hard in a cyberattack that its president was forced to declare a state of emergency. This is what happened in Costa Rica, and a shockwave of fear has rippled across the world to other small countries, which are now fearful for the future.

Ransomware typically involves a demand for money (usually in some form of cryptocurrency) in exchange for resumed access to the ransomed data. But in the recent attack on Costa Rica, the demand for $20 million was accompanied by an unprecedented additional demand: the overthrow of the government.

New President on the Block

On his first day in office, the newly elected Costa Rican president, Rodrigo Chaves, declared that his country was “at war” with the Russian-based Conti ransomware gang and declared a state of emergency.

“We’re at war and this is not an exaggeration,” Chaves informed local media. The attack on the Costa Rican government began in April 2022. First, the Finance Ministry was hit, and by 16 May, Chaves said the number of institutions impacted, including the treasury, labor ministry, tax administration, social security fund, municipalities, and state-run utilities, had reached 27. Not only did this mean that civil servants could not be paid on time, but Costa Rica’s foreign trade was also impacted because tax and customs systems were affected. “The war is against an international terrorist group, which apparently has operatives in Costa Rica. There are very clear indications that people inside the country are collaborating with Conti,” Chaves continued.

While some believe the attack is in retaliation for Costa Rica’s support of Ukraine, most experts agree that it’s fundamentally about money. Maya Horowitz, the vice president of research at Check Point Software, says that based on their research, Conti’s extortion planning is generally “very focused and based on the ability of the victim to pay.” She also said that research suggests that the financial impact of a ransomware attack could be “seven times higher than the initial extortion demand, but we assume in the case of a wide attack on a government like we see here, the total costs could be considerably more.”

While Chaves blames his predecessor, former president Carlos Alvarado, for inadequate investment in cybersecurity, Jorge Mora, Costa Rica’s director of digital governance, says that four million hacking attempts have been blocked by “protection systems” installed across institutions.

But Why Costa Rica?

While Costa Rica may be best known for exports of coffee, pineapples and bananas, it is initially puzzling that a small Central American nation would be targeted. Perhaps hackers anticipate fewer roadblocks in smaller countries with less budget for cybersecurity, but it’s just as likely that Costa Rica was simply unlucky rather than targeted due to perceived weakness. In fact, Jamie Boote, a software security consultant at Synopsys Software Integrity Group, believes, “If one in one hundred targets becomes a victim that can pay out millions in ransom, then it pays to target hundreds.”

Brett Callow, ransomware and threat analysis expert at Emsisoft, believes that Costa Rica may have been targeted because US and European law enforcement have had increased success in disrupting ransomware attacks, making smaller countries easier targets. “They may not make as much money off attacks in countries like Costa Rica or Peru, but they’re not going to end up with a multimillion-dollar bounty on their heads or with US Cyber Command in their servers,” he said. “Less gain, less risk. Or, at least, that’s what they may believe.”

A Costa Rican Trojan Pony?

Claims of an “inside job” have come from both President Chaves and the hackers themselves. The hacker group claimed it has insiders in the Costa Rican government, which echoed Chaves’ statement regarding local collaborative efforts with Conti.

However, Louise Ferrett, threat analyst from Searchlight Security, says, “It is a known tactic for ransomware gangs to make exaggerated and outlandish threats in order to instill a sense of urgency in the victim and obtain a ransom payment.”

In a public announcement, the ransomware gang stated, “We are determined to overthrow the government by means of a cyberattack; we have already shown you all the strength and power. We have our insiders in your government. We are also working on gaining access to your other systems; you have no other options but to pay us.” This threat was accompanied by a demand for an increase of the original ransom from $10 million to $20 million.

Who or What is Conti?

The attack on Costa Rica has been claimed by a Conti affiliate dubbed “UNC1756,” a designation of the kind that threat intelligence firms assign to uncategorized threat groups.

Conti, responsible for at least 50 cyberattacks in the month of April alone and often considered one of the world’s most-wanted cybercriminal gangs, has been around since 2020 and is believed to be affiliated with a Russia-based group known as Wizard Spider. All versions of Microsoft Windows are known to be affected by Conti.

To date, the ransomware group has already posted over 600 gigabytes of Costa Rican government data online and is threatening to publish more. In January and February of 2022, the Conti cartel published data from 31 victims on their leaks blog. In March and April, they posted data from 133 victims. The escalation is real.

President Chaves has given no indication as to whether the ransom demand will be met, but the Conti group has threatened to destroy the decryption keys needed to restore the Costa Rican government’s computer systems if payment is not received.

In May 2022, the US State Department offered a reward of up to $15 million for information on the group: $10 million for the identity or location of its leaders, and $5 million for information leading to the arrest of anyone conspiring with the group.

The UK’s National Health Service was infamously hit in 2017 by the WannaCry attack, which also involved a Windows vulnerability. It brought the national health service to a standstill and cost the UK £92 million. According to NHS Digital, the only guaranteed means of recovery is to restore all affected files from their most recent backup.

We’ve written about the urgent need for regular backup in several articles recently, Cloud Security and The Email From Hell, New Alert: 16 Smart Steps for Increased Cybersecurity, and How to Protect Your IT Fortress in the Wake of War, amongst others, all available here.

Cybersecurity on Steroids

Any way you look at it, ransomware is an expensive and constant threat, and protecting your data should be your number one priority. Even if you think you’re already covered, it can’t hurt to take additional steps to strengthen security even further. The Cybersecurity & Infrastructure Security Agency is an excellent resource with tips for beefing up your security.

If you’re planning on migrating to the Cloud, ensure that your Cloud vendor can fulfill your security needs. Additionally, to help make your migration smoother and eliminate one of the most common causes of post-migration data loss, consider LinkFixer Advanced to protect your links before a migration, or repair your broken links after a migration.

Visit LinkTek.com for more information or a free trial or call 727-442-1822 to speak to a friendly Service Consultant about a live demo. Don’t forget to ask them about the third way LinkFixer Advanced can help you.

When it comes to protecting your data, we wish you the best of luck, or, as they say in Costa Rica, buena suerte!
