Image Credit: EDRM

This story has been covered across cybersecurity media, but it’s so big I’m surprised it hasn’t been covered even more, by mainstream media. A ransomware attack by the Conti ransomware group has left the Costa Rican government severely crippled – to the point that staff at affected organizations have turned to pen and paper to get things done!

We couldn’t contain it and they’ve encrypted the servers. We’ve disconnected the entire ministry.

Message received by Jorge Mora, Costa Rica’s digital governance chief

Gregory Bufithis sums up key points in an article on his terrific site here:

• Jorge Mora, Costa Rica’s digital governance chief, received a message in April from one of his officials: “We couldn’t contain it and they’ve encrypted the servers. We’ve disconnected the entire ministry.”
• He was being updated on a harrowing cyber-assault by a notorious Russian ransomware group called Conti, which started at the Central American country’s ministry of finance and eventually ensnared 27 different ministries in a series of interlinked attacks that unfurled over weeks.
• The attack was “impressive in its scope”, according to one western official. Usually, hackers manage to gain access to single systems but Costa Rica’s case highlights the risk posed by weak cyber security to a nation’s entire IT infrastructure. In Costa Rica, Conti had spent weeks, if not months, of tunnelling around in its government systems, leaping from one ministry to the other.
• Conti offered to return the data: at a price of up to $20mn. But Costa Rica’s government refused to pay the ransom. Instead, newly installed President Rodrigo Chaves declared a national emergency, launched a hunt for alleged “traitors” and leaned on tech savvier allies such as the US and Spain to come to its aid. “We are at war, and that is not an exaggeration,” Chaves said in the days after his inauguration in mid-May, blaming the prior administration for hiding the true extent of the disruption, which he compared to terrorism.

Alas, as Gregory notes, Conti’s most impactful attack turned out to be its last. By the end of June, Conti’s public-facing website, where it had taunted Costa Rica and other victims, was shut down, and so was its dark-web negotiations site, security researchers said. Conti’s downfall began after declaring its support for the Russian invasion on Feb 24. Following that, the group was betrayed by one of its insiders, a Ukrainian hacker-for-hire, who leaked their toolkits, internal chats and other secrets online in retaliation.

This compounded the issue for Costa Rica, as Gregory notes. Costa Rica’s efforts to regain control of their IT systems came alongside Conti’s demise, further complicating their efforts. One western intelligence official who has been fully briefed on the investigations, said that even if Chaves had agreed to pay the ransom, which varied from $20mn to as low as $1mn, it’s “not clear who was on the other end of the line. By June, nobody was answering the phone, figuratively speaking. Conti in Costa Rica was somewhat of a desperate last try to gain any sort of title, some buzz around their actions”.

Of course, paying the ransom is no guarantee that you’ll get your data. As I recently published here in a list of cyber stats, out of all ransomware victims, 32% pay the ransom, but they only get 65% of their data back. Yet, only 57% of businesses are successful in recovering their data using a backup after a ransomware attack. So, many organizations are “damned if they do and damned if they don’t”.

Gregory reports that it’s so bad that, until recently, the country’s customs systems had to resort to using paper and email, slowing down the entire process. But a senior Costa Rica government official has said many of the finance ministry’s systems have now been restored, including customs and salaries. So, there may finally be hope.

Wired reports that Conti has more than 1,000 ransomware attacks (per CISA) and extorted more than $180 million from its victims – just last year(!) – and more than twice as much as the next highest ransomware group. Now, remnants of Conti are re-emerging as part of new groups, such as BlackBasta, which has already hit 50 organizations in just a few months (including this one).

This analogy may be a reach, but I’ll say it anyway: If Conti is the “Beatles of ransomware groups”, does that make BlackBasta the “Paul McCartney and Wings of ransomware groups”? Unfortunately, for companies – and even governments like Costa Rica – it means that the hits just keep coming.