Ransomware Hackers Declare Total War on Costa Rica

May 22, 2022 Topic: Ransomware Region: Latin America Blog Brand: Techland Tags: RansomwareCosta RicaCyber AttackCyber Security

Ransomware Hackers Declare Total War on Costa Rica

President Rodrigo Chaves declared a nationwide state of emergency on his first day in office and said strong countermeasures will now allow the government to “respond to those attacks as criminal actions.”


The small Central American nation of Costa Rica is currently battling high-tech hackers who are threatening to overthrow the government if it doesn’t pay them $20 million.

Costa Rican president Rodrigo Chaves took office on May 8 for a four-year term, vowing to save the country and warning that “if the political class fails one more time, the country could fall apart.” Now his administration is knee-deep in the middle of a digital war that’s only getting worse, with taxes unable to be collected and government employees going unpaid.


Chaves has condemned “cyber-terrorists” from the Russian-based Conti cartel as being behind the sustained ransomware assault. Numerous government departments have been struggling to keep running properly for over a month now since Conti began its attack in mid-April.

Conti has hit core systems in dozens of departments of the Costa Rican government, including the treasury, labor ministry, tax administration, its social security fund, and many more. The hackers have also crippled certain areas of Costa Rica’s electrical grid and say they will also begin attacking private businesses in the country if the government doesn’t pay up.

Chaves declared a nationwide state of emergency on his first day in office and said strong countermeasures will now allow the government to “respond to those attacks as criminal actions.” Chaves’ predecessor, President Carlos Alvarado, refused to budge and paid nothing to Conti when it initially issued its demands.

Conti has warned that if it doesn’t receive payment by May 23, it will scrap the decryption keys that would regularize government systems again, plunging the country’s IT systems into anarchy and delivering a potentially fatal blow to its already ailing economy (which was already in trouble from coronavirus tourism slowdowns). Costa Rica is also struggling in international trade, which has been slowed down by Conti’s hacks on the national customs system. Conti also says it will publish forty-six remaining gigabytes of classified information online from sensitive departments of Costa Rica’s government. It has already published the majority of 670 gigabytes obtained from its hacks but says the remaining data is even more sensitive.

“You have no other options but to pay us,” Conti wrote menacingly on its darknet site, urging Costa Rican citizens to publicly pressure the government to tender the money so that people’s lives can return to normal. If this government won’t “stabilize” the crisis, maybe it needs to go, Conti said.

This is far from the first time that hackers have hit governments and key industries, as we saw in the JBS hack last year, for example. In that case, JBS, the world’s largest beef supplier, paid out $11 million to ransomware hackers from REvil to restore their systems to normality.

As Kevin Collier noted for CNBC: “The U.S. government has long recommended ransomware victims not pay their attackers, though most ransomware gangs are not sanctioned entities and paying them is not illegal.”

The Colonial Pipeline hack one year ago in May also showcased just how vulnerable many crucial sectors are to cybercriminals. The sophisticated ransomware attack saw the Russia-based DarkSide group hijack key Colonial systems in the United States with ransomware, forcing the company to shut down over 5,000 miles of pipeline for six days.

After extorting approximately $5 million from Colonial, DarkSide was counterattacked by the FBI who used confidential “tradecraft” to access one of their cryptocurrency wallets and withdraw $2.3 million worth of Bitcoin.

One of the unique features of the Conti operation in Costa Rica is that the group claims to have friendly assets inside the government itself who are aiding them. This may well be a bluff, despite Chaves concurring that it is true. Chaves said that there are “very clear indications” they do have inside help which he can’t divulge details on for national security reasons. Ransomware expert Brett Callow says this is likely simply a “for-profit” operation and they may not have any insiders. Either way, the stress that Conti is exerting on the small nation of five million is significant. So too is the further damage they can do if they don’t get at least part of their ransom.

Russia-based Conti is one of the most effective ransomware gangs in the world and has extracted huge sums from targets in every place and industry imaginable. It made waves for launching a devastating broadside in May of last year against Ireland’s health services, causing weeks of severe disruptions and an estimated $48 million in recovery costs. Ireland never paid the $20 million the group demanded at that time, and it is not fully clear how the Irish saved their system from the ransomware threats without paying.

As Marco Figueroa observed: “This group has shown itself to be a multi-layered organization that takes time to encrypt endpoints, servers, and backups. This complete control adds pressure to the victims to pay the ransom requested from Conti.”

The Conti gang is given free rein by the Putin administration and has largely evaded any serious consequences inside Russia for its criminal actions. While the closeness of its ties to Russia’s FSB security architecture and Cozy Bear (APT29) hackers remain in question, disclosed chat logs show that the group has agreed not to cross Russia’s geopolitical interests in return for the authorities turning a blind eye. The group has members in various countries outside Russia, and not all agree with the pro-Putin stand, but its general thrust is pro-Russian.

Conti increased its ransom demand from $10 million to $20 million last weekend after the Costa Rican government ignored its ultimatum. The message demanding a higher ransom was addressed to the Costa Rican government and the Biden administration who it termed “US terrorists.” The group further claimed that Costa Rica’s appeal to “international allies” like the United States was ill-advised, claiming mockingly that: “...All this could have been avoided by paying you would have made your country really safe, but you will turn to Bid0n [sic] and his henchmen, this old fool will soon die.”

Conti also went after the Peruvian government recently as well, announcing a successful hack of the nation’s intelligence agency on April 27. They are demanding an unspecified amount of money in return for not publishing troves of classified information and not carrying out further attacks. They have also specifically said they’ll shut down Peru’s water supply and electricity if Lima doesn’t get serious and start talking about a payout.

This ongoing crisis in Costa Rica is a warning about the danger of cyberterrorism and just how dangerous it can be to have a soft cyber underbelly. Brazil and Argentina have also been hit by serious and broad cyberattacks in the last several years due to having vulnerable systems. With Chaves refusing to pay and saying he will get even more serious, he is playing a game of digital chicken with his country’s fate in the balance. He is now forming a digital “SWAT team” of experts who he hopes can shut this attack down before it becomes an even bigger headache.

Costa Rica is already hardening up its systems with outside help from allies, but the implications of this attack shouldn’t be underestimated.

When one group of hackers can hold an entire nation hostage and humiliate it on the global stage, the problem and implications are very serious indeed. Cybersecurity is a growing necessity not only for private organizations but also for governments. This starts with simple things like multi-factor authentication (MFA), endpoint detection and response (EDR), privileged access management (PAM), and hardening systems in various ways.

The U.S. State Department is offering $15 million in rewards for information contributing to the arrest of those leading or aiding the Conti group. According to the FBI, there have been 1,000 successful Conti ransomware attacks as of January of this year leading to total payouts of over $150 million.

There were 2,690 reported major ransomware attacks in the United States in 2021, up 92.7 percent from 2020.

Paul Brian is a freelance journalist focused on geopolitics, religion, and culture.

Image: Reuters.