Almost a week after the ransomware attack damaged Costa Rican government computer systems, the country refused to pay a ransom as it scrambled to devise solutions and prepared itself as hackers began leaking stolen data. The incident was claimed by the Russian-speaking Conti gang, although the Costa Rican officials had not confirmed its source.
On Monday, the Finance Ministry was the first to disclose problems. Multiple systems were affected, from tax collection to the import and export operations handled by the customs agency. Attacks on the social security agency’s human resources system, the Labor Ministry and other bodies followed.
The initial attack led the Finance Ministry to shut down the system that pays a large portion of the country’s public employees and government pension payments for many hours. It has also had to give tax payment extensions. Conti did not specify a ransom figure, but Costa Rican President Carlos Alvarado stated, “The Costa Rican state will not pay anything to these cybercriminals.” An amount of $10 million was circulating on social media, although it was not reflected on Conti’s website.
Costa Rican corporations were concerned that sensitive information given to the government might be leaked and used against them. At the same time, ordinary Costa Ricans were worried that their personal financial information could be used to empty their bank accounts. According to Christian Rucavado, executive director of Costa Rica’s Exporters Chamber, the attack on the customs agency has brought the country’s import and export logistics to a halt. He described a race against time to retrieve perishable goods from cold storage, and said they still had no estimate of the financial losses. Trade was still happening, albeit at a considerably slower pace.
“Some borders have delays because they’re doing the process manually,” Rucavado said. “We have asked the government for various actions like expanding hours so they can attend to exports and imports.” He stated Costa Rica generally exports $38 million worth of goods daily.
According to Allan Liska, an intelligence analyst with the security company Recorded Future, Conti was pursuing double extortion: encrypting government data to block agencies’ ability to operate, and publishing stolen material on the group’s extortion site on the dark web if a ransom wasn’t paid. He added that the first part is usually manageable if the systems have good backups, but the second part is harder to deal with, depending on the sensitivity of the stolen data. Conti’s ransomware infrastructure is often rented out to “affiliates” who pay for the service, so the affiliate attacking Costa Rica could be anywhere in the world.
When asked why Central America’s most stable democracy, which is famed for its tropical nature and beaches, would be a target for hackers, Liska responded it’s generally because of flaws. “They’re looking for specific vulnerabilities,” he said. “So the most likely explanation is that Costa Rica had a number of vulnerabilities and one of the ransomware actors discovered these vulnerabilities and was able to exploit it.”
“There doesn’t seem to be much doubt that the data is legit,” said Brett Callow, a ransomware expert at Emsisoft, after looking at one of the hacked files from the Costa Rican Finance Ministry. Conti’s extortion site stated on Friday that it had disclosed half of the stolen material. According to the site, this comprised more than 850 terabytes of data from the databases of the Finance Ministry and other agencies. “This is all ideal for phishing, we wish our colleagues from Costa Rica good luck in monetizing this data,” it said. This contradicts Alvarado’s claim that the attack had nothing to do with money.