The Conti ransomware group is claiming to have infiltrated Costa Rica’s government and has issued a ransom demand of $20 million, along with a threat to overthrow the government of president Rodrigo Chaves.
Chaves said the group may have infiltrated up to 27 institutions across various levels of government, saying the country was “at war” with the Conti ransomware gang but not offering any indication the ransom would be paid.
Conti claimed to have stolen 672.19 GB of data from government agencies in Costa Rica and allegedly already leaked 97% of that data.
The group also claimed to have insiders in Costa Rica’s government and said that it plans to continue working on gaining access to other systems in Costa Rica.
“We have our insiders in your government,” Conti said Tuesday morning, as reported by the AP. “We are also working on gaining access to your other systems, you have no other options but to pay us. We know that you have hired a data recovery specialist, don’t try to find workarounds.”
Costa Rica’s Ministry of Finance was attacked and has been without digital services since April 18; so far, the ministry has not paid.
Conti Involvement Begs for Deeper Analysis
Aaron Turner, vice president of SaaS posture at Vectra, an AI cybersecurity company, said if this were any other ransomware gang, the threat would not be noteworthy.
“But, because it’s Conti, and because Conti has explicitly aligned themselves with the military activities of Putin’s Russia, this threat should merit a second bit of analysis,” he said. “Specifically, due to Costa Rica’s proximity to Venezuela and Cuba, Russia has a history of wanting to practice a sort of reciprocity when it comes to their foreign policy.”
He said if the U.S. is supporting ‘enemy’ forces in Russia’s backyard, then there is definitely a desire for some sort of payback.
“Fortunately for Costa Rica, Conti is not exactly the most sophisticated group of ransomware operators, as was evidenced by the loss of their internal communications logs,” he said. “Costa Rica is also fortunate that Russia’s invasion of Ukraine has gone so horribly that there likely are insufficient military resources for a combined cyberattack and conventional attack on the other side of the world.”
Turner said while the threat to overthrow the government is interesting from an academic analysis perspective, the likelihood of an actual coup being coordinated by Conti is very, very low.
“That is not to say that Conti will not inflict significant damage on Costa Rican government systems through their ransomware capabilities, which could lead to disruption of social services and overall weakening of the government,” he added.
Max Galka, CEO, founder, and chief data scientist at Elementus, agreed. While he didn’t think the threat of regime change was credible, ransomware inside a federal or national government is still a major crisis.
“If I were in the shoes of the Costa Rican government, I would be extremely nervous,” he said. “And the truth is, even they probably don’t know the full extent of what the ransomware could do.”
He pointed out that if they chose not to pay, they risked having core government functions crippled.
That means the full spectrum of critical national infrastructure could be in play, potentially impacting the entire population, especially if it touches on law enforcement, transportation, national security or other critical government functions.
“And if that’s not enough, there is no telling what sensitive data the ransomware group may gain access to and threaten to release,” Galka added.
Ransomware Takes Aim at Bigger Targets
The Conti threat to Costa Rica is another data point in the trend toward bigger targets, greater threats to larger populations and constantly evolving means of deploying the malware.
“Since these attacks are taking place on the blockchain, they are essentially crimes being committed in broad daylight with the potential to topple entire governments and bring large populations to a standstill,” Galka said.
From his perspective, there is a need for international coordination and cooperation at the government level, like U.S. president Joe Biden’s thirty-nation ransomware summit held in Washington last October, as well as coordination from the private sector.
Ivan Righi, senior cyber threat intelligence analyst at Digital Shadows, a provider of digital risk protection solutions, agreed that ransomware attacks aimed at governments are almost certainly an impending threat.
“Since the Russia-Ukraine conflict began, many ransomware groups expressed support for Russia and stated that they would retaliate against foreign countries that targeted Russia with any cyberattacks,” he said. “Conti was one of those groups.”
On 25 Feb 2022, Conti announced its “full support” for the Russian government and warned that any attacks against Russia would result in retaliation using “all possible sources.”
“As many ransomware gangs have already offered support to Russia, it is possible that we could see cooperation between operators of high-profile ransomware developers and Russia,” Righi said. “This, in turn, could result in heightened threats to critical sectors and governments.”
From Righi’s perspective, governments should protect themselves as any business would.
“This means protecting against all possible attack vectors of ransomware, including social engineering, brute forcing, stolen credentials and vulnerability exploitation,” he said.
Steps organizations can take include monitoring publicly exposed services and ports, enforcing strong credentials, training employees to recognize phishing attacks and keeping systems current with the latest security patches.
“In addition, organizations should use backups that are not connected to their main infrastructure,” he added.
Galka explained that once a ransom has been paid, the bad actors still need to be able to convert that into fiat currency. For that, they need to tap into the cryptocurrency financial system.
“So, one thing that the rest of the world can do is freeze the attackers’ access to the financial system, to prevent them from cashing out the ransom proceeds,” Galka said. “We also need international coordination within the private sector to monitor for ransomware and make sure that these global bad actors don’t have access to the crypto financial system.”
Galka sees the attack as a case study for an alarming trend, whereby ransomware is tunneling deeper into governments and threatening more critical and higher-value targets.
“What’s so frightening about this trend is not where things are today with ransomware, but where they go if you project that trend forward,” he said. “It’s gone from individuals to small and medium businesses to enterprises to local infrastructure to national infrastructures, such as the Colonial Pipeline.”
He pointed out that this attack on the federal government of Costa Rica represented a continuation of that trend beyond anything we’ve seen before.
“I don’t see any scenario in which a threat of toppling the government is credible, but the fact that it’s even being discussed is scary,” Galka said.