Fears grow for smaller countries after ransomware attack on Costa Rica escalates businesstraverse.com

It’s been a tough start for newly elected Costa Rican President Rodrigo Chaves, who declared his country “at war” with the Conti ransomware gang less than a week after taking office.

“We are at war and this is no exaggeration,” Chaves told local media. “The war is against an international terrorist group, which apparently has agents in Costa Rica. There are very clear indications that people in the country are working with Conti.”

Conti’s attack on the Costa Rican government began in April. The country’s finance ministry was the first to be hit by the Russia-affiliated hacking group, and in a statement on May 16, Chaves said the number of institutions affected had grown to 27 since then. This means, he admitted, that officials would not be paid on time and that the country’s foreign trade would be affected.

In a post on its dark web leak blog, Conti urged the citizens of Costa Rica to pressure their government into paying the ransom, which the group doubled from an initial $10 million to $20 million. In a separate statement, the group warned: “We are determined to overthrow the government through a cyber attack, we have already shown you all the strength and power.”

Conti is one of the most prolific hacking groups. The FBI warned earlier this year that the gang was among “the top three variants” targeting companies in the United States, and is accused of ransomware attacks on dozens of companies, including Fat Face, Shutterfly and the Irish healthcare system.

But Conti has picked up the pace in recent months, posting 31 victims on its leak blog in January and February. In March and April, it posted 133 victims.

Why Costa Rica?

Some believe Conti’s campaign against Costa Rica is motivated to side with Ukraine. Experts say that all signs point to money.

Brett Callow, a ransomware expert and threat analyst at Emsisoft, told businesstraverse.com that “there is no reason to believe that the attack on Costa Rica is anything but financially motivated.” And Maya Horowitz, the vice president of research at Check Point Software, said that, based on their research, Conti’s extortion planning “is highly targeted and based on the victim’s ability to pay.”

Chaves has repeatedly blamed the attack on his predecessor, former President Carlos Alvarado, for not investing in cybersecurity. While it’s unclear exactly what measures the country has taken to protect against cyber-attacks, Jorge Mora, the country’s director of digital governance, said recently that four million hacking attempts had recently been blocked thanks to “security systems” installed in institutions.

But it’s more likely that Costa Rica was just unlucky and targeted as part of a wider operation than because of any perceived weakness.

“Situations like these reflect the asymmetric reality of attack and defense, where attackers only have to get lucky once,” Jamie Boote, a software security consultant with the Synopsys Software Integrity Group, told businesstraverse.com. “If one in a hundred targets becomes a victim who can pay millions in ransom, then targeting hundreds of targets pays off.”

Callow adds that it’s also possible Conti targeted Costa Rica because of the increased success US and European law enforcement have seen in disrupting their operations.

“They may not make as much money from attacks in countries like Costa Rica and Peru, but they won’t end up with a multi-million dollar bounty on their heads or US Cyber Command on their servers,” Callow says. “Less profit, less risk. Or at least, that’s what they are allowed to believe.”

An action from within?

In a post on its dark web blog this weekend, Conti claimed it had “insiders in [the Costa Rican] government,” which could somewhat explain why the country became a target, or why the attack had such a devastating impact. This claim was echoed earlier this week by President Chaves, who said, “There is very clear evidence that people in the country are collaborating with Conti.”

However, security experts tell businesstraverse.com that Conti’s claims should be treated with a good dose of skepticism.

“Dark web records reveal that a user with this nickname has only been active on a popular cybercrime forum since March 2022—about a month before the attacks on Costa Rica began,” Louise Ferrett, Searchlight Security threat analyst, told businesstraverse.com. “So, while it’s possible Conti bribed or socially manipulated insiders within the country’s government, it seems unlikely they would have amassed so much influence so quickly.”

“It is a well-known tactic of ransomware gangs to make exaggerated and outlandish threats to give the victim a sense of urgency and get ransom,” Ferrett said.

What – or who – is next?

“The success of these attacks should concern smaller governments around the world,” Allan Liska, an intelligence analyst at Recorded Future, told businesstraverse.com. He added:

While many ransomware groups won’t hit national governments, others, like Conti, feel they are untouchable and will go after any victim they want, assuming there will be no repercussions. This is a growing problem and governments need to take strong action against ransomware actors. These are non-state groups that essentially engage in nation-state-style attacks and there should be appropriate repercussions for these actions.

This is a view shared by Callow, who tells businesstraverse.com that we can expect organizations in countries outside the US to receive more attention from ransomware gangs, especially in low-income countries where cybersecurity spending is lower. “The US public and private sectors are vulnerable to cyber-attacks and may be even more vulnerable in other countries,” he said.

Conti’s attack on Costa Rica is underway. In a message on Friday, Conti said it will remove the encryption keys used to lock down Costa Rica’s government systems on May 23. At the time of writing, the government of Costa Rica has refused to give in to Conti’s ransom demand.

But we are already seeing the emergence of similar attacks on smaller nation states. The Greenland government confirmed this week that the island’s hospital system was “seriously” hit by a cyber attack, which has prevented hospital workers from accessing patients’ medical records.