{"id":19316,"date":"2022-06-12T10:45:06","date_gmt":"2022-06-12T18:45:06","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2022\/06\/12\/news-13049\/"},"modified":"2022-06-12T10:45:06","modified_gmt":"2022-06-12T18:45:06","slug":"news-13049","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2022\/06\/12\/news-13049\/","title":{"rendered":"Conti&#8217;s Attack Against Costa Rica Sparks a New Ransomware Era"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/media.wired.com\/photos\/62a3bbfee1a7c9ca5f0da113\/master\/pass\/Conti-Ransomware-Costa-Rica-GettyImages-512138283.jpg\"\/><\/p>\n<p><strong>Credit to Author: Matt Burgess| Date: Sun, 12 Jun 2022 11:00:00 +0000<\/strong><\/p>\n<p class=\"BylineWrapper-iiTsTb hAGfXd byline bylines__byline\" data-testid=\"BylineWrapper\" itemprop=\"author\" itemtype=\"http:\/\/schema.org\/Person\"><span itemprop=\"name\" class=\"BylineNamesWrapper-dbkCxf erRIa-D\"><span data-testid=\"BylineName\" class=\"BylineName-cKXFOb UCAzg byline__name\"><a class=\"BaseWrap-sc-TURhJ BaseText-fFzBQt BaseLink-gZQqBA BylineLink-eZnyPI eTiIvU mEZDb fNdcwQ bKZMMS byline__name-link button\" href=\"\/author\/matt-burgess\">Matt Burgess<\/a><\/span><\/span><\/p>\n<p><span class=\"lead-in-text-callout\">For the last<\/span> two months, Costa Rica has been under siege. Two major <a href=\"https:\/\/www.wired.com\/tag\/ransomware\/\">ransomware<\/a> attacks have crippled many of the country\u2019s essential services, plunging the government into chaos as it scrambles to respond. Officials say that international trade ground to a halt as the ransomware took hold and more than 30,000 medical appointments have been rescheduled, while tax payments have also been disrupted. 
Millions have been lost due to the attacks, and staff at affected organizations have turned to pen and paper to get things done.<\/p>\n<p class=\"paywall\">Costa Rica\u2019s government, which changed midway through the attacks after elections earlier this year, has declared a \u201cnational emergency\u201d in response to the ransomware\u2014marking the first time a country has done so in response to a cyberattack. Twenty-seven government bodies were targeted in the first attacks, which ran from mid-April until the start of May, according to new president Rodrigo Chaves. The second attack, at the end of May, has sent Costa Rica\u2019s health care system into a spiral. Chaves has declared \u201cwar\u201d on those responsible.<\/p>\n<p class=\"paywall\">At the heart of the hacking spree is <a href=\"https:\/\/www.wired.com\/story\/conti-leaks-ransomware-work-life\/\">Conti<\/a>, the notorious Russia-linked ransomware gang. Conti claimed responsibility for the first attack against Costa Rica\u2019s government and is believed to have some links to the ransomware-as-a-service operation HIVE, which was responsible for the second attack impacting the health care system. 
Last year, Conti extorted <a data-offer-url=\"https:\/\/blog.chainalysis.com\/reports\/2022-crypto-crime-report-preview-ransomware\/\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/blog.chainalysis.com\/reports\/2022-crypto-crime-report-preview-ransomware\/&quot;}\" href=\"https:\/\/blog.chainalysis.com\/reports\/2022-crypto-crime-report-preview-ransomware\/\" rel=\"nofollow noopener\" target=\"_blank\">more than $180 million<\/a> from its victims, and it has a history of targeting <a data-offer-url=\"https:\/\/www.zdnet.com\/article\/cost-of-conti-ransomware-attack-on-irish-healthcare-system-may-reach-over-100-million\/\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/www.zdnet.com\/article\/cost-of-conti-ransomware-attack-on-irish-healthcare-system-may-reach-over-100-million\/&quot;}\" href=\"https:\/\/www.zdnet.com\/article\/cost-of-conti-ransomware-attack-on-irish-healthcare-system-may-reach-over-100-million\/\" rel=\"nofollow noopener\" target=\"_blank\">health care organizations<\/a>. However, in February thousands of the group\u2019s <a href=\"https:\/\/www.wired.com\/story\/conti-leaks-ransomware-work-life\/\">internal messages and files were published online<\/a> after it backed Russia\u2019s war against Ukraine.<\/p>\n<p class=\"paywall\">Even among Conti\u2019s long rap sheet of more than <a data-offer-url=\"https:\/\/www.cisa.gov\/uscert\/ncas\/alerts\/aa21-265a\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/www.cisa.gov\/uscert\/ncas\/alerts\/aa21-265a&quot;}\" href=\"https:\/\/www.cisa.gov\/uscert\/ncas\/alerts\/aa21-265a\" rel=\"nofollow noopener\" target=\"_blank\">1,000 ransomware attacks<\/a>, those against Costa Rica stand out. 
They mark one of the first times a ransomware group has explicitly targeted a nation\u2019s government, and during the process Conti uncharacteristically called for the Costa Rican government to be overthrown. \u201cThis is possibly the most significant ransomware to date,\u201d says Emsisoft threat analyst Brett Callow. \u201cI can\u2019t recall another occasion when an entire federal government has been held to ransom like this\u2014it\u2019s a first; it\u2019s quite unprecedented.\u201d<\/p>\n<p class=\"paywall\">What\u2019s more, researchers suggest that Conti\u2019s brazen actions may just be callous showboating, enacted to draw attention to the group as it winds down its toxic brand name and its members move on to other ransomware efforts.<\/p>\n<p class=\"paywall\">The first ransomware attack against Costa Rica\u2019s government started during the week of April 10. Throughout the week, Conti probed the systems of the Ministry of Finance, known as Ministerio de Hacienda, explains Jorge Mora, a former director of the Ministry of Science, Innovation, Technology and Telecommunications (MICIT) who helped lead the response to the attacks. By the early hours of April 18, files within the finance ministry had been encrypted and two key systems had been crippled: the digital tax service and the IT system for customs control.<\/p>\n<p class=\"paywall\">\u201cThey affect all the export\/import services in the country of the products,\u201d says Mora, who left the government on May 7 ahead of the administration change. Mario Robles, the CEO and founder of Costa Rican cybersecurity company White Jaguars, estimates that \u201cseveral terabytes\u201d of data and more than 800 servers at the finance ministry have been impacted. Robles says his company has been involved in the response to the attacks but says he cannot name who it has worked with. 
(The finance ministry did not respond to WIRED\u2019s request for comment.)<\/p>\n<p class=\"paywall\">\u201cThe private sector was very affected,\u201d Mora says. Local reports say import and export businesses faced <a data-offer-url=\"https:\/\/www.teletica.com\/nacional\/rezago-de-importaciones-y-riesgo-de-escasez-de-contenedores-por-hackeo-preocupa-a-cadexco_310194\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/www.teletica.com\/nacional\/rezago-de-importaciones-y-riesgo-de-escasez-de-contenedores-por-hackeo-preocupa-a-cadexco_310194&quot;}\" href=\"https:\/\/www.teletica.com\/nacional\/rezago-de-importaciones-y-riesgo-de-escasez-de-contenedores-por-hackeo-preocupa-a-cadexco_310194\" rel=\"nofollow noopener\" target=\"_blank\">shipping container shortages<\/a> and estimated losses range from <a data-offer-url=\"https:\/\/www.larepublica.net\/noticia\/38-millones-en-perdidas-al-dia-generan-hackers-al-sector-exportador\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/www.larepublica.net\/noticia\/38-millones-en-perdidas-al-dia-generan-hackers-al-sector-exportador&quot;}\" href=\"https:\/\/www.larepublica.net\/noticia\/38-millones-en-perdidas-al-dia-generan-hackers-al-sector-exportador\" rel=\"nofollow noopener\" target=\"_blank\">$38 million per day<\/a> up to <a data-offer-url=\"https:\/\/www.larepublica.net\/noticia\/costa-rica-reporta-perdidas-por-125-millones-por-caos-en-aduanas\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/www.larepublica.net\/noticia\/costa-rica-reporta-perdidas-por-125-millones-por-caos-en-aduanas&quot;}\" href=\"https:\/\/www.larepublica.net\/noticia\/costa-rica-reporta-perdidas-por-125-millones-por-caos-en-aduanas\" rel=\"nofollow noopener\" target=\"_blank\">$125 million over 48 hours.<\/a> 
\u201cThe disruption paralyzed the imports and exports of the country, making a big impact on the commerce,\u201d says Joey Milgram, a country manager for Costa Rica at cybersecurity company Soluciones Seguras. \u201cThey implemented, after 10 days, a manual form to import, but it was taking much paperwork and many days to process,\u201d Milgram adds.<\/p>\n<p class=\"paywall\">But the attack against the finance ministry was just the beginning. A timeline shared by Mora claims Conti attempted to breach different government organizations almost every day between April 18 and May 2. Local authorities, such as the Municipality of Buenos Aires, were targeted, as well as central government organizations, including the <a data-offer-url=\"https:\/\/www.mtss.go.cr\/prensa\/comunicados\/2022\/mayo\/cp_12_2022.html\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/www.mtss.go.cr\/prensa\/comunicados\/2022\/mayo\/cp_12_2022.html&quot;}\" href=\"https:\/\/www.mtss.go.cr\/prensa\/comunicados\/2022\/mayo\/cp_12_2022.html\" rel=\"nofollow noopener\" target=\"_blank\">Ministry of Labor and Social Security<\/a>. In some cases, Conti was successful; in others, it failed. Mora says the US, Spain, and private companies helped defend against Conti attacks, providing software and indicators of compromise related to the group. \u201cThat blocked Conti a lot,\u201d he says. 
(In early May, the US posted a <a data-offer-url=\"https:\/\/www.state.gov\/reward-offers-for-information-to-bring-conti-ransomware-variant-co-conspirators-to-justice\/\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/www.state.gov\/reward-offers-for-information-to-bring-conti-ransomware-variant-co-conspirators-to-justice\/&quot;}\" href=\"https:\/\/www.state.gov\/reward-offers-for-information-to-bring-conti-ransomware-variant-co-conspirators-to-justice\/\" rel=\"nofollow noopener\" target=\"_blank\">$10 million<\/a> reward for information about Conti\u2019s leadership.)<\/p>\n<p class=\"paywall\">On May 8, Chaves started his four-year term as president and immediately declared a \u201cnational emergency\u201d due to the ransomware attacks, calling the attackers \u201ccyberterrorists.\u201d Nine of the 27 targeted bodies were \u201cvery affected,\u201d Chaves said on May 16. The MICIT, which is overseeing the response to the attacks, did not respond to questions about the progress of the recovery, despite originally offering to set up an interview.<\/p>\n<p class=\"paywall\">\u201cAll the national institutions, they don\u2019t have enough resources,\u201d Robles says. During the recovery, he says, he has seen organizations running on legacy software, making it much harder to enable the services they provide. Some bodies, Robles says, \u201cdon\u2019t even have a person working on cybersecurity.\u201d Mora adds that the attacks show Latin American countries need to improve their cybersecurity resilience, introduce laws to make cyberattack reporting mandatory, and allocate more resources to protect public institutions.<\/p>\n<p class=\"paywall\">But just as Costa Rica started getting a grip on the Conti attacks, another hammer blow struck. On May 31, the second attack started. 
The systems of the Costa Rican Social Security Fund (CCSS), which organizes health care, were taken offline, plunging the country into a new kind of disarray. This time the HIVE ransomware, which <a data-offer-url=\"https:\/\/blog.talosintelligence.com\/2022\/05\/conti-and-hive-ransomware-operations.html\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/blog.talosintelligence.com\/2022\/05\/conti-and-hive-ransomware-operations.html&quot;}\" href=\"https:\/\/blog.talosintelligence.com\/2022\/05\/conti-and-hive-ransomware-operations.html\" rel=\"nofollow noopener\" target=\"_blank\">has some links to Conti<\/a>, <a data-offer-url=\"https:\/\/www.bleepingcomputer.com\/news\/security\/costa-rica-s-public-health-agency-hit-by-hive-ransomware\/\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/www.bleepingcomputer.com\/news\/security\/costa-rica-s-public-health-agency-hit-by-hive-ransomware\/&quot;}\" href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/costa-rica-s-public-health-agency-hit-by-hive-ransomware\/\" rel=\"nofollow noopener\" target=\"_blank\">was blamed.<\/a><\/p>\n<p class=\"paywall\">The attack had an immediate effect on people\u2019s lives. 
Health care systems went offline and printers spewed out garbage, as first reported by <a data-offer-url=\"https:\/\/krebsonsecurity.com\/2022\/05\/costa-rica-may-be-pawn-in-conti-ransomware-groups-bid-to-rebrand-evade-sanctions\/\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/krebsonsecurity.com\/2022\/05\/costa-rica-may-be-pawn-in-conti-ransomware-groups-bid-to-rebrand-evade-sanctions\/&quot;}\" href=\"https:\/\/krebsonsecurity.com\/2022\/05\/costa-rica-may-be-pawn-in-conti-ransomware-groups-bid-to-rebrand-evade-sanctions\/\" rel=\"nofollow noopener\" target=\"_blank\">security journalist Brian Krebs<\/a>. Since then patients have complained of delays in getting treatment and the CCSS has warned parents whose children were undergoing surgery that they <a data-offer-url=\"https:\/\/www.facebook.com\/ccssdecostarica\/posts\/5552368771453467\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/www.facebook.com\/ccssdecostarica\/posts\/5552368771453467&quot;}\" href=\"https:\/\/www.facebook.com\/ccssdecostarica\/posts\/5552368771453467\" rel=\"nofollow noopener\" target=\"_blank\">may have trouble locating their kids<\/a>. 
The health service has also <a data-offer-url=\"https:\/\/www.facebook.com\/ccssdecostarica\/posts\/5540413185982359\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/www.facebook.com\/ccssdecostarica\/posts\/5540413185982359&quot;}\" href=\"https:\/\/www.facebook.com\/ccssdecostarica\/posts\/5540413185982359\" rel=\"nofollow noopener\" target=\"_blank\">begun printing discontinued paper forms<\/a>.<\/p>\n<p class=\"paywall\">By June 3, CCSS had <a data-offer-url=\"https:\/\/www.facebook.com\/ccssdecostarica\/posts\/5539968559360155\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/www.facebook.com\/ccssdecostarica\/posts\/5539968559360155&quot;}\" href=\"https:\/\/www.facebook.com\/ccssdecostarica\/posts\/5539968559360155\" rel=\"nofollow noopener\" target=\"_blank\">declared<\/a> an \u201cinstitutional emergency,\u201d with local reports claiming that <a data-offer-url=\"https:\/\/www.nacion.com\/el-pais\/salud\/hackeo-en-ccss-entidad-procura-asegurar-limpieza\/R43S6MZZAFHSZEN4ZR32WUGYS4\/story\/\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/www.nacion.com\/el-pais\/salud\/hackeo-en-ccss-entidad-procura-asegurar-limpieza\/R43S6MZZAFHSZEN4ZR32WUGYS4\/story\/&quot;}\" href=\"https:\/\/www.nacion.com\/el-pais\/salud\/hackeo-en-ccss-entidad-procura-asegurar-limpieza\/R43S6MZZAFHSZEN4ZR32WUGYS4\/story\/\" rel=\"nofollow noopener\" target=\"_blank\">759 of the 1,500<\/a> servers and 10,400 computers have been impacted. A spokesperson for CCSS says hospital and emergency services are now running normally and the efforts of its staff have maintained care. However, those seeking medical care have faced significant disruptions: 34,677 appointments have been rescheduled, as of June 6. 
(The figure is 7 percent of total appointments; the CCSS says 484,215 appointments have gone ahead.) Medical imaging, pharmacies, testing laboratories, and operating theaters are all facing some disruption.<\/p>\n<p class=\"paywall\">There are questions about whether the two separate ransomware attacks against Costa Rica are linked. However, they come as the face of ransomware may be changing. In recent weeks, Russian-linked ransomware gangs have <a data-offer-url=\"https:\/\/www.wsj.com\/articles\/russia-linked-ransomware-groups-are-changing-tactics-to-dodge-crackdowns-11654178400\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/www.wsj.com\/articles\/russia-linked-ransomware-groups-are-changing-tactics-to-dodge-crackdowns-11654178400&quot;}\" href=\"https:\/\/www.wsj.com\/articles\/russia-linked-ransomware-groups-are-changing-tactics-to-dodge-crackdowns-11654178400\" rel=\"nofollow noopener\" target=\"_blank\">changed their tactics to avoid US sanctions<\/a> and are <a data-offer-url=\"https:\/\/www.vice.com\/en\/article\/7k8z4x\/lockbit-ransomware-group-evil-corp-beef-alert\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/www.vice.com\/en\/article\/7k8z4x\/lockbit-ransomware-group-evil-corp-beef-alert&quot;}\" href=\"https:\/\/www.vice.com\/en\/article\/7k8z4x\/lockbit-ransomware-group-evil-corp-beef-alert\" rel=\"nofollow noopener\" target=\"_blank\">fighting over their territory more than usual<\/a>.<\/p>\n<p class=\"paywall\">Conti first announced its attack on the finance ministry on its blog, where it publishes the names of its victims and, if they fail to pay its ransom, the files it has stolen from them. 
A person or group dubbing themselves unc1756\u2014the \u201cUNC\u201d abbreviation is used by some <a data-offer-url=\"https:\/\/www.mandiant.com\/resources\/how-mandiant-tracks-uncategorized-threat-actors\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/www.mandiant.com\/resources\/how-mandiant-tracks-uncategorized-threat-actors&quot;}\" href=\"https:\/\/www.mandiant.com\/resources\/how-mandiant-tracks-uncategorized-threat-actors\" rel=\"nofollow noopener\" target=\"_blank\">security firms to indicate \u201cuncategorized\u201d attackers<\/a>\u2014used the blog to claim responsibility for the attack. The attacker demanded $10 million as a ransom payment, later upping the figure to $20 million. When no payment was made, they started uploading 672 GB of files to Conti\u2019s website.<\/p>\n<p class=\"paywall\">However, Conti\u2019s behavior was more erratic and disturbing than usual\u2014the attacker moved into politics. \u201cI appeal to every resident of Costa Rica, go to your government and organize rallies,\u201d one post on Conti\u2019s blog <a data-offer-url=\"https:\/\/www.databreaches.net\/conti-abandons-all-pretense-at-professionalism-issues-increasingly-strident-threats-as-costa-rica-struggles\/\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/www.databreaches.net\/conti-abandons-all-pretense-at-professionalism-issues-increasingly-strident-threats-as-costa-rica-struggles\/&quot;}\" href=\"https:\/\/www.databreaches.net\/conti-abandons-all-pretense-at-professionalism-issues-increasingly-strident-threats-as-costa-rica-struggles\/\" rel=\"nofollow noopener\" target=\"_blank\">said<\/a>. 
\u201cWe are determined to overthrow the government by means of a cyber attack,\u201d said another post addressed to Costa Rica and \u201cUS terrorists (Biden and his administration).\u201d<\/p>\n<p class=\"paywall\">\u201cI think I never saw cyber criminals using, publicly at least, such rhetoric against any government,\u201d says Sergey Shykevich, Threat Intelligence group manager at security firm Check Point, who also notes that <a data-offer-url=\"https:\/\/blog.checkpoint.com\/2022\/05\/26\/country-extortion-ransomware-expands-business-to-the-governmental-sector\/\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/blog.checkpoint.com\/2022\/05\/26\/country-extortion-ransomware-expands-business-to-the-governmental-sector\/&quot;}\" href=\"https:\/\/blog.checkpoint.com\/2022\/05\/26\/country-extortion-ransomware-expands-business-to-the-governmental-sector\/\" rel=\"nofollow noopener\" target=\"_blank\">Conti targeted Peru\u2019s finance ministry and intelligence agency<\/a> around the same time as the Costa Rica attacks. Shykevich says Conti\u2019s behavior was criticized on Russian-language hacking forums, as getting into politics would draw more attention to cybercrime groups.<\/p>\n<p class=\"paywall\">Some believe Conti\u2019s attack against Costa Rica may have been designed as a distraction. 
On May 19, US-based cybersecurity firm <a data-offer-url=\"https:\/\/www.advintel.io\/post\/discontinued-the-end-of-conti-s-brand-marks-new-chapter-for-cybercrime-landscape\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/www.advintel.io\/post\/discontinued-the-end-of-conti-s-brand-marks-new-chapter-for-cybercrime-landscape&quot;}\" href=\"https:\/\/www.advintel.io\/post\/discontinued-the-end-of-conti-s-brand-marks-new-chapter-for-cybercrime-landscape\" rel=\"nofollow noopener\" target=\"_blank\">AdvIntel declared Conti\u2019s operations dead<\/a>, saying the group had started dismantling its brand\u2014but not its overall organizational structure\u2014in early May. Citing visibility inside the gang, AdvIntel said the administration panel of Conti\u2019s news website has been shut down. \u201cThe negotiations service site was also down, while the rest of the infrastructure, from chatrooms to messengers, and from servers to proxy hosts, was going through a massive reset,\u201d AdvIntel said in a <a data-offer-url=\"https:\/\/www.advintel.io\/post\/discontinued-the-end-of-conti-s-brand-marks-new-chapter-for-cybercrime-landscape\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/www.advintel.io\/post\/discontinued-the-end-of-conti-s-brand-marks-new-chapter-for-cybercrime-landscape&quot;}\" href=\"https:\/\/www.advintel.io\/post\/discontinued-the-end-of-conti-s-brand-marks-new-chapter-for-cybercrime-landscape\" rel=\"nofollow noopener\" target=\"_blank\">briefing<\/a>.<\/p>\n<p class=\"paywall\">Since Conti expressed its support for Vladimir Putin\u2019s war in Ukraine and threatened to hack anyone who targeted Russia, the group has struggled to make money. \u201cIt is now considerably harder for them to extract payments from US victims,\u201d Callow says. 
\u201cSeveral negotiation firms will no longer transact with them for fear of breaking <a data-offer-url=\"https:\/\/home.treasury.gov\/policy-issues\/office-of-foreign-assets-control-sanctions-programs-and-information\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/home.treasury.gov\/policy-issues\/office-of-foreign-assets-control-sanctions-programs-and-information&quot;}\" href=\"https:\/\/home.treasury.gov\/policy-issues\/office-of-foreign-assets-control-sanctions-programs-and-information\" rel=\"nofollow noopener\" target=\"_blank\">OFAC sanctions<\/a>, and some companies won\u2019t necessarily want to deal with them because they don\u2019t want to be seen to be potentially sponsoring terrorism.\u201d AdvIntel goes further, saying Conti couldn\u2019t \u201csufficiently support and obtain extortion,\u201d prompting the group to lash out.<\/p>\n<p class=\"paywall\">Several weeks later, AdvIntel CEO Vitali Kremez says Conti\u2019s services are still offline. The Costa Rica attack, at least in the eyes of AdvIntel, was meant to give Conti cover while it continued to rebrand itself and start using different types of ransomware. Despite this, Conti\u2019s last reckless public act may leave a legacy. While cybercriminals may not choose to routinely attack national governments, a new precedent has been set. \u201cConti put their stamp on a new era in ransomware,\u201d Check Point\u2019s Shykevich says. 
\u201cThey proved and showed that a cybercrime group can do country extortion.\u201d<\/p>\n<p><a href=\"https:\/\/www.wired.com\/story\/costa-rica-ransomware-conti\/\" target=\"bwo\" >https:\/\/www.wired.com\/category\/security\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/media.wired.com\/photos\/62a3bbfee1a7c9ca5f0da113\/master\/pass\/Conti-Ransomware-Costa-Rica-GettyImages-512138283.jpg\"\/><\/p>\n<p><strong>Credit to Author: Matt Burgess| Date: Sun, 12 Jun 2022 11:00:00 +0000<\/strong><\/p>\n<p>A pair of ransomware attacks crippled parts of the country\u2014and rewrote the rules of cybercrime.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10378,10607],"tags":[714,21358],"class_list":["post-19316","post","type-post","status-publish","format-standard","hentry","category-security","category-wired","tag-security","tag-security-cyberattacks-and-hacks"],"_links":{"self":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/19316","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=19316"}],"version-history":[{"count":0,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/19316\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=19316"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.palada.net\/index.
php\/wp-json\/wp\/v2\/categories?post=19316"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=19316"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}