November 16, 2022 By Jonathan Reed 2 min read

In late April, after weeks of major ransomware attacks, Costa Rica declared a state of emergency. Newly-elected President Rodrigo Chaves took this measure, usually reserved to deal with natural disasters, to free up the government to react more decisively to the incident. The Russian-based Conti gang has claimed they launched the attack.

Meanwhile, the U.S. Department of State offered a $10 million reward for information that leads to finding anyone holding a key leadership role in the Conti gang. The U.S. also offered $5 million for “information leading to the arrest and/or conviction of any individual in any country conspiring to participate in or attempting to participate in a Conti variant ransomware incident.”

At war with the Conti gang

Chaves declared that his country was “at war” with the attackers. This may not be too far off. Reportedly, in a message posted to its darknet blog, Conti urged Costa Ricans to pressure their government to pay a $20 million ransom. In another post, Conti warned: “We are determined to overthrow the government by means of a cyberattack, we have already shown you all the strength and power.”

Beyond the digital attack, old-fashioned spying may also be at play. Chaves stated that actors within the country had also worked with Conti in the attack.

No ransom paid

The Costa Rica government refused to pay the ransom and has scrambled to get systems and services back online. The Costa Rican Treasury told civil servants that the attack had halted automatic payment services. Workers were warned the government was unable to pay them on time. Instead, they would need to apply for their salaries by email, or by hand on paper. The attack also affected the country’s foreign trade. It disrupted its tax and customs systems, which led to import and export logistics collapse.

Download the Definitive Guide to Ransomware

Why Costa Rica?

Many people have speculated about why the attackers targeted Costa Rica. Some believe it was due to the country siding with Ukraine in its war with Russia, said Security Week. Others think the motives are purely financial or related to Costa Rica’s recent presidential election. Meanwhile, other smaller countries worry that this could be the start of a trend.

Rather than target large nations, threat actors may begin to attack smaller countries. This may occur since small countries may not have as many resources to thwart an attack. Also, their capacity to retaliate may be limited compared to larger countries such as the United States or European nations.

Ransomware damage done

Ransomware analyst Brett Callow said he looked at some of the leaked files from the Costa Rican finance ministry and “there doesn’t seem to be much doubt that the data is legit.”

Conti’s extortion site indicated it had published 50% of the stolen Costa Rican government data,  including 850 gigabytes of material from the Finance Ministry and other institutions’ databases.

Learn about malware prevention

If you have questions and want a deeper discussion about the malware and prevention techniques, you can schedule a briefing here. Get the latest updates as more information develops on the IBM Security X-Force Exchange and the IBM PSIRT blog. If you are experiencing cybersecurity issues or an incident, contact X-Force to help: U.S. hotline 1-888-241-9812 | Global hotline (+001) 312-212-8034. More cybersecurity threat resources are available here.

More from News

Can memory-safe programming languages kill 70% of security bugs?

3 min read - The Office of the National Cyber Director (ONCD) recently released a new report, “Back to the Building Blocks: A Path Toward Secure and Measurable Software." The report is one of the first major announcements from new ONCD director Harry Coker and makes a strong case for adopting memory-safe programming languages. This new focus stems from the goal of rebalancing the responsibility of cybersecurity and realigning incentives in favor of long-term cybersecurity investments. Memory-safe programming languages were also included as a…

CISA hit by hackers, key systems taken offline

3 min read - The Cybersecurity and Infrastructure Security Agency (CISA) — responsible for cybersecurity and infrastructure protection across all levels of the United States government — has been hacked. “About a month ago, CISA identified activity indicating the exploitation of vulnerabilities in Ivanti products the agency uses,” a CISA spokesperson announced. In late February, CISA had already issued a warning that cyber threat actors are exploiting previously identified vulnerabilities in Ivanti Connect Secure and Ivanti Policy Secure gateways. Ivanti Connect Secure is a…

DOJ’s crackdown: A brief look at hacker group takedowns

3 min read - The Department of Justice (DOJ) is ramping up efforts focused on disrupting cyber criminal organizations operating within and outside of United States borders. The dismantling of Volt Typhoon, a prolific hacker collective, marked a turning point in the DOJ's offensive against cyber crime syndicates. The group was notorious for its brazen cryptocurrency scams and heists. Through coordinated global law enforcement efforts, individuals linked to the organization were apprehended, assets were frozen and critical infrastructure was seized. The success of the…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today