In late April, after weeks of major ransomware attacks, Costa Rica declared a state of emergency. Newly-elected President Rodrigo Chaves took this measure, usually reserved to deal with natural disasters, to free up the government to react more decisively to the incident. The Russian-based Conti gang has claimed they launched the attack.

Meanwhile, the U.S. Department of State offered a $10 million reward for information that leads to finding anyone holding a key leadership role in the Conti gang. The U.S. also offered $5 million for “information leading to the arrest and/or conviction of any individual in any country conspiring to participate in or attempting to participate in a Conti variant ransomware incident.”

At War With the Conti Gang

Chaves declared that his country was “at war” with the attackers. This may not be too far off. Reportedly, in a message posted to its darknet blog, Conti urged Costa Ricans to pressure their government to pay a $20 million ransom. In another post, Conti warned: “We are determined to overthrow the government by means of a cyberattack, we have already shown you all the strength and power.”

Beyond the digital attack, old-fashioned spying may also be at play. Chaves stated that actors within the country had also worked with Conti in the attack.

No Ransom Paid

The Costa Rica government refused to pay the ransom and has scrambled to get systems and services back online. The Costa Rican Treasury told civil servants that the attack had halted automatic payment services. Workers were warned the government was unable to pay them on time. Instead, they would need to apply for their salaries by email, or by hand on paper. The attack also affected the country’s foreign trade. It disrupted its tax and customs systems, which led to import and export logistics collapse.

Download the Definitive Guide to Ransomware

Why Costa Rica?

Many people have speculated about why the attackers targeted Costa Rica. Some believe it was due to the country siding with Ukraine in its war with Russia, said Security Week. Others think the motives are purely financial or related to Costa Rica’s recent presidential election. Meanwhile, other smaller countries worry that this could be the start of a trend.

Rather than target large nations, threat actors may begin to attack smaller countries. This may occur since small countries may not have as many resources to thwart an attack. Also, their capacity to retaliate may be limited compared to larger countries such as the United States or European nations.

Ransomware Damage Done

Ransomware analyst Brett Callow said he looked at some of the leaked files from the Costa Rican finance ministry and “there doesn’t seem to be much doubt that the data is legit.”

Conti’s extortion site indicated it had published 50% of the stolen Costa Rican government data,  including 850 gigabytes of material from the Finance Ministry and other institutions’ databases.

Learn About Malware Prevention

If you have questions and want a deeper discussion about the malware and prevention techniques, you can schedule a briefing here. Get the latest updates as more information develops on the IBM Security X-Force Exchange and the IBM PSIRT blog. If you are experiencing cybersecurity issues or an incident, contact X-Force to help: U.S. hotline 1-888-241-9812 | Global hotline (+001) 312-212-8034. More cybersecurity threat resources are available here.

More from News

Ransomware-as-a-Service Transforms Gangs Into Businesses

Malware-as-a-Service is getting easier and easier to access, according to a recent threat report. Self-named the ‘Eternity Project’, this cyber threat group offers services from a Tor website and on their Telegram channel. They sell a wide variety of malware in an organized fashion, including stealer, clipper, worm, miner, ransomware and distributed-denial-of-service bot services. This alarms many security professionals. With Eternity, even inexperienced cyber criminals can target victims with a customized threat offering. Eternity sells malware for $90 to $490.…

UK Health System Email Accounts Hijacked to Steal Microsoft Logins

Last summer, I noticed password reset notices in my email account that I didn’t send. I quickly realized that I was the victim of an account takeover. This happens when someone illegally gains access to your account, typically through compromised credentials. I changed my email password right away and learned that my passwords to other accounts had already been changed. To make cleanup even more fun, I found out that the attackers had created new accounts using my credentials. Account…

LemonDuck Cryptojacking Botnet Targets API Security Gap

A recent report reveals the well-known crypto mining botnet LemonDuck can target Docker to secretly mine cryptocurrency on the Linux platform. LemonDuck targets Microsoft Exchange servers to mine crypto, escalate privileges and move sideways in compromised networks. It takes advantage of Docker, a mainstream platform used for building, running and managing containerized workloads. Since Docker runs container workloads in the cloud, a misconfigured cloud instance can expose a Docker API to the internet. Attackers can then exploit this API to…

CISA: Industrial Attacks Could Remotely Control Devices

A joint federal Cybersecurity Advisory warns that certain advanced persistent threat actors can obtain full access to the industrial control system (ICS) and data acquisition (SCADA) devices. These systems, found in nearly every industrial sector, can then fall prey to remote control and other cyberattacks. Read on to find out which systems are at risk and how to protect them. At-Risk Industrial Systems Industrial control systems include the devices, systems, networks and controls used to operate or automate industrial processes.…