November 16, 2022 By Jonathan Reed 2 min read

In late April, after weeks of major ransomware attacks, Costa Rica declared a state of emergency. Newly-elected President Rodrigo Chaves took this measure, usually reserved to deal with natural disasters, to free up the government to react more decisively to the incident. The Russian-based Conti gang has claimed they launched the attack.

Meanwhile, the U.S. Department of State offered a $10 million reward for information that leads to finding anyone holding a key leadership role in the Conti gang. The U.S. also offered $5 million for “information leading to the arrest and/or conviction of any individual in any country conspiring to participate in or attempting to participate in a Conti variant ransomware incident.”

At war with the Conti gang

Chaves declared that his country was “at war” with the attackers. This may not be too far off. Reportedly, in a message posted to its darknet blog, Conti urged Costa Ricans to pressure their government to pay a $20 million ransom. In another post, Conti warned: “We are determined to overthrow the government by means of a cyberattack, we have already shown you all the strength and power.”

Beyond the digital attack, old-fashioned spying may also be at play. Chaves stated that actors within the country had also worked with Conti in the attack.

No ransom paid

The Costa Rica government refused to pay the ransom and has scrambled to get systems and services back online. The Costa Rican Treasury told civil servants that the attack had halted automatic payment services. Workers were warned the government was unable to pay them on time. Instead, they would need to apply for their salaries by email, or by hand on paper. The attack also affected the country’s foreign trade. It disrupted its tax and customs systems, which led to import and export logistics collapse.

Download the Definitive Guide to Ransomware

Why Costa Rica?

Many people have speculated about why the attackers targeted Costa Rica. Some believe it was due to the country siding with Ukraine in its war with Russia, said Security Week. Others think the motives are purely financial or related to Costa Rica’s recent presidential election. Meanwhile, other smaller countries worry that this could be the start of a trend.

Rather than target large nations, threat actors may begin to attack smaller countries. This may occur since small countries may not have as many resources to thwart an attack. Also, their capacity to retaliate may be limited compared to larger countries such as the United States or European nations.

Ransomware damage done

Ransomware analyst Brett Callow said he looked at some of the leaked files from the Costa Rican finance ministry and “there doesn’t seem to be much doubt that the data is legit.”

Conti’s extortion site indicated it had published 50% of the stolen Costa Rican government data,  including 850 gigabytes of material from the Finance Ministry and other institutions’ databases.

Learn about malware prevention

If you have questions and want a deeper discussion about the malware and prevention techniques, you can schedule a briefing here. Get the latest updates as more information develops on the IBM Security X-Force Exchange and the IBM PSIRT blog. If you are experiencing cybersecurity issues or an incident, contact X-Force to help: U.S. hotline 1-888-241-9812 | Global hotline (+001) 312-212-8034. More cybersecurity threat resources are available here.

More from News

White House cements CISA’s role as national coordinator for cybersecurity

2 min read - In 2013, the Obama Administration rolled out "The Presidential Policy Directive (PPD) on Critical Infrastructure Security and Resilience", a forerunner to the Cybersecurity and Infrastructure Security Agency (CISA), created "to strengthen and maintain secure, functioning and resilient critical infrastructure."The directive was groundbreaking in 2013, noting the importance of the rising risk of cyberattacks against critical infrastructure. But as cyber risks are constantly shifting, every cybersecurity program needs to be re-evaluated, and CISA is no exception. That’s why, in April 2024, President…

Debate rages over DMCA Section 1201 exemption for generative AI

3 min read - The Digital Millennium Copyright Act (DMCA) is a federal law that protects copyright holders from online theft. The DMCA covers music, movies, text and anything else under copyright. The DMCA also makes it illegal to hack technologies that copyright owners use to protect their works against infringement. These technologies can include encryption, password protection or other measures. These provisions are commonly referred to as the “Anti-Circumvention” provisions or “Section 1201”. Now, a fierce debate is brewing over whether to allow…

CISA Malware Next-Gen Analysis now available to public sector

2 min read - One of the main goals of the Cybersecurity and Infrastructure Security Agency (CISA) is to promote security collaboration across the public and private sectors. CISA firmly believes that partnerships and effective coordination are essential to maintaining critical infrastructure security and cyber resilience. In faithfulness to this mission, CISA is now offering the Malware Next-Generation Analysis program to businesses and other organizations. This service has been available to government and military workers since November 2023 but is now available to the…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today