November 16, 2022 By Jonathan Reed

In late April, after weeks of major ransomware attacks, Costa Rica declared a state of emergency. Newly elected President Rodrigo Chaves took this measure, usually reserved for natural disasters, to free up the government to react more decisively to the incident. The Russia-based Conti gang has claimed it launched the attack.

Meanwhile, the U.S. Department of State offered a $10 million reward for information that leads to finding anyone holding a key leadership role in the Conti gang. The U.S. also offered $5 million for “information leading to the arrest and/or conviction of any individual in any country conspiring to participate in or attempting to participate in a Conti variant ransomware incident.”

At war with the Conti gang

Chaves declared that his country was “at war” with the attackers. This may not be too far off. Reportedly, in a message posted to its darknet blog, Conti urged Costa Ricans to pressure their government to pay a $20 million ransom. In another post, Conti warned: “We are determined to overthrow the government by means of a cyberattack, we have already shown you all the strength and power.”

Beyond the digital attack, old-fashioned spying may also be at play. Chaves stated that actors within the country had also worked with Conti in the attack.

No ransom paid

The Costa Rican government refused to pay the ransom and has scrambled to get systems and services back online. The Costa Rican Treasury told civil servants that the attack had halted automatic payment services. Workers were warned the government was unable to pay them on time. Instead, they would need to apply for their salaries by email, or by hand on paper. The attack also affected the country’s foreign trade. It disrupted its tax and customs systems, which led to the collapse of import and export logistics.

Why Costa Rica?

Many people have speculated about why the attackers targeted Costa Rica. Some believe it was due to the country siding with Ukraine in its war with Russia, said Security Week. Others think the motives are purely financial or related to Costa Rica’s recent presidential election. Meanwhile, other smaller countries worry that this could be the start of a trend.

Rather than target large nations, threat actors may begin to attack smaller countries, which may not have as many resources to thwart an attack. Their capacity to retaliate may also be limited compared to larger countries such as the United States or European nations.

Ransomware damage done

Ransomware analyst Brett Callow said he looked at some of the leaked files from the Costa Rican finance ministry and “there doesn’t seem to be much doubt that the data is legit.”

Conti’s extortion site indicated it had published 50% of the stolen Costa Rican government data, including 850 gigabytes of material from the Finance Ministry and other institutions’ databases.
