In April 2022, the Russian-based Conti ransomware gang broke into several computer systems belonging to the Costa Rican government. After almost a month of these ongoing attacks, the new President, Rodrigo Chaves, declared a national emergency, referring to the attackers as “cyberterrorists”. The Conti attack on Costa Rica shows why ransomware is such a dangerous problem for organizations and governments all over the world.
Groups like Conti leverage ransomware to encrypt victims’ computers. They then demand payment to unlock these devices. Costa Rica’s national laws prohibit participating in such negotiations, which is why the government – led by President Carlos Alvarado at the time of the attack – refused to pay the demanded ransom of $10 million.
Conti’s Costa Rica ransomware campaign began in April with an attack on the Finance Ministry which affected many of its critical systems. The ransomware then quickly spread to several other Ministries and agencies. Even a month later, many of these agencies’ systems were not functioning normally.
In addition to encrypting critical government systems, Conti also threatened to publish the data they stole. By May 12th, they had published about 97% of this data on the dark web.
In 2021, Conti extorted $180 million from various victims, exceeding the combined earnings of all other ransomware gangs. Moreover, their ransomware variant is the costliest ransomware strain ever documented, with some victim payouts exceeding a hefty $150,000,000. Even the FBI has identified Conti as one of the most prolific ransomware groups of 2021.
In March 2022, a huge cache of leaked documents revealed details about the Conti group including its size, leadership, operations, and its valuable ransomware source code. Allegedly, the gang operates like any other business with multiple departments, “employees”, and even performance reviews and employee of the month rewards.
The group also has a team that studies current antivirus products and tests the gang’s malware against them. This shows that they’re very serious about “improving” their ransomware so they can continue to earn high payouts from their extortion campaigns.
Although most of Conti’s 350 members speak Russian and are based in the country, the group has an international scope. Security researchers are continually uncovering members’ names to publicly shame them, but the group’s activities show no signs of slowing down, as the Costa Rica attacks demonstrate. It now remains to be seen which country or organization will be their next victim.
Previously, Conti mainly targeted the manufacturing, food, and agriculture sectors. Now, the gang seems to be targeting even more lucrative victims like government ministries. In February, after Russian troops invaded Ukraine, Conti threatened to hack the critical infrastructure of any organization or government that dared to launch cyberattacks against Russia. Considering that Costa Rica was one of the first countries to condemn Russia’s actions, it’s not surprising that the country is Conti’s latest victim.
The attackers knew that a ransomware attack could cripple critical agencies and lead to serious digital outages. By May 12th, these outages had cost the country a whopping $200 million, which prompted the new President to declare a national emergency.
The Costa Rica attacks prove that the FBI’s warning that Conti ransomware is among the three top variants targeting critical infrastructure was spot-on. Moreover, the scale and impunity of the attack show that any government or organization can become a victim of powerful and sophisticated ransomware groups like Conti.
With ransomware or any other type of cyberattack, prevention is always better than cure. Being proactive about cybersecurity can help organizations avoid the costly consequences of an attack. Regular backups, employee training, and a comprehensive security solution are just some of the measures that can help organizations defend themselves against Conti’s ransomware or any other type of malware.
© 2024 Packetlabs. All rights reserved.