Fears grow for smaller nations after ransomware attack on Costa Rica escalates


It's been a rough start for the newly-elected Costa Rica president Rodrigo Chaves, who less than a week into office declared his country "at war" with the Conti ransomware gang.

"We're at war and this is not an exaggeration," Chaves told local media. "The war is against an international terrorist group, which apparently has operatives in Costa Rica. There are very clear indications that people inside the country are collaborating with Conti."

Conti's assault on the Costa Rican government began in April. The country's Finance Ministry was the first hit by the Russia-linked hacking group, and in a statement on May 16, Chaves said the number of institutions impacted had since grown to 27. This, he admitted, means civil servants wouldn't be paid on time and impact the country's foreign trade.

In a message posted to its dark web leaks blog, Conti urged the citizens of Costa Rica to pressure their government to pay the ransom, which the group doubled from an initial $10 million to $20 million. In a separate statement, the group warned: "We are determined to overthrow the government by means of a cyber attack, we have already shown you all the strength and power."

Conti is among the most prolific hacking groups. The FBI warned earlier this year that the gang was among "the three top variants" that targeted businesses in the United States, and it has been blamed for ransomware attacks targeting dozens of businesses, including Fat Face, Shutterfly, and the Irish healthcare service.

But Conti has picked up its pace in recent months: in January and February it published 31 victims on its leaks blog. In March and April, it posted 133 victims.

Why Costa Rica?

Some believe that Conti's campaign against Costa Rica is motivated for siding with Ukraine. Experts say all signs point to money.

Brett Callow, a ransomware expert and threat analysis at Emsisoft, told TechCrunch that "there's no reason to believe that the attack on Costa Rica is other than financially-motivated." And Maya Horowitz, the vice president of research at Check Point Software, said based on their research, Conti's extortion planning is "very focused and based on the ability of the victim to pay."

Read more on TechCrunch

  • The year the tide turned on ransomware

  • Are embedded devices the next ransomware target?

  • Conti's internal chats leaked online after declaring support for Russian invasion

Chaves has repeatedly blamed the attack on his predecessor, former president Carlos Alvarado, for not investing in cybersecurity. While it's unclear exactly what measures the country had implemented to protect against cyberattacks, Jorge Mora, the country's director of digital governance recently said that four million hacking attempts were recently blocked thanks to "protection systems" installed across institutions.

But it's more likely that Costa Rica was just unlucky and targeted as part of a wider operation rather than due to any perceived weakness.

"Situations like this reflect the asymmetric realities of attack and defense where attackers only need to be lucky once," Jamie Boote, a software security consultant at the Synopsys Software Integrity Group, told TechCrunch. "If one in one hundred targets becomes a victim that can pay out millions in ransom, then it pays to target hundreds."

Callow adds that it's also possible that Conti targeted Costa Rica due to the increased success U.S. and European law enforcement have seen in disrupting their operations.

"They may not make as much money off attacks in countries like Costa Rica and Peru, but they're not going to end up with a multi-million dollar bounty on their heads or with U.S. Cyber Command in their servers," said Callow. "Less gain, less risk. Or, at least, that's what they may believe."

An inside job?

In a message posted to its dark web blog over the weekend, Conti claimed it had "insiders in [the Costa Rican] government," which could go some way to explaining why the country became a target, or why the attack had such a devastating impact. This claim was echoed by President Chaves earlier this week, saying "there are very clear indications that people within the country are collaborating with Conti."

However, security experts tell TechCrunch that Conti's claims should be treated with a heavy dose of skepticism.

"Dark web records reveal a user by this moniker has only been active on a popular cybercrime forum since March 2022 - around a month before the attacks on Costa Rica started," Louise Ferrett, threat analyst from Searchlight Security, tells TechCrunch. "So, while it's possible Conti could have bribed or socially engineered insiders within the country's government, it seems unlikely they would have amassed so much influence so quickly."

"It is a known tactic for ransomware gangs to make exaggerated and outlandish threats in order to instill a sense of urgency in the victim and obtain a ransom payment," Ferrett said.

What - or who - is next?

"The success of these attacks should concern smaller governments around the world," Allan Liska, an intelligence analyst at Recorded Future tells TechCrunch. He added:

This is a viewpoint shared by Callow, who tells TechCrunch that we can expect to see organizations in countries outside of the U.S. receive more attention from ransomware gangs, particularly in low-income countries where cybersecurity spending is lower. "The U.S. public and private sectors are vulnerable to cyberattacks, and may be even more vulnerable in other countries," he said.

But we are already seeing the emergence of similar attacks on smaller nation states. Greenland's government this week confirmed that the island's hospital system was "severely" impacted by a cyberattack, which has meant that hospital workers cannot access any patient medical records.

Conti's attack against Costa Rica is ongoing. In a post on Friday, Conti said it will delete the encryption keys used to lock Costa Rica's government systems on May 23. As of the time of writing, Costa Rica's government has refused to give in to Conti's ransom demands.


More Related News

TechCrunch+ roundup: CEO pregnancy checklist, decision-tree planning, reassessing valuations
TechCrunch+ roundup: CEO pregnancy checklist, decision-tree planning, reassessing valuations

Property technology has radically impacted the way we live and travel, but the real estate industry has successfully resisted most attempts to innovate. Prospective homeowners can qualify for mortgages from their mobile phones, but until there are more companies to help them find affordable housing or adequately plan for the largest purchase they'll ever make, proptech can't create optimal value for consumers. After the success of startups like Airbnb and smart-home players like Google, Amazon and Samsung, investors are "searching for good ideas and quality execution," according to Jake Fingert and Lionel Foster of VC firm Camber Creek.

RansomHouse extortion group claims AMD as its latest victim
RansomHouse extortion group claims AMD as its latest victim

AMD said it is investigating a potential data breach after RansomHouse, a relatively new data cybercrime operation, claims to have extorted data from the U.S. chipmaker. An AMD spokesperson told TechCrunch that the company "is aware of a bad actor claiming to be in possession of stolen data," adding that "an investigation is currently underway." The group claims to be targeting companies with weak security, and claimed it was able to compromise AMD due to the use of weak passwords throughout the organization.

FTX says no active talks to buy Robinhood
FTX says no active talks to buy Robinhood

Crypto exchange FTX is open to partnering with Robinhood Markets, its CEO Sam Bankman-Fried said in a statement shared with TechCrunch. Bloomberg News...

Period tracker Stardust surges following Roe reversal, but its privacy claims aren
Period tracker Stardust surges following Roe reversal, but its privacy claims aren't airtight

Period tracking app Stardust surged to the top of the U.S. Apple App Store in the wake of the Supreme Court's decision to overturn Roe v. Wade after the app promised it will encrypt its users' private data to keep it out of the hands of the government. The decision to reverse Roe overturned 50 years of constitutional protections for abortion rights in the United States, allowing individual states to create laws to criminalize abortion. Others are abandoning their current period trackers and turning to apps like Stardust instead as a result of the company's strong statement issued in light of the decision to overturn Roe.

Fintech Amount, which was valued at $1B last year, lays off 18% of staff
Fintech Amount, which was valued at $1B last year, lays off 18% of staff

Amount, a fintech that reached unicorn status last year, has laid off 18% of its workforce. The exact number of how many people were affected is not known, ...

Leave a Comment

Your email address will not be published. Required fields are marked with *

Cancel reply


Top News: Economy