Costa Rica declares a state of emergency over Conti cyberattack

President Rodrigo Chaves signed the decree on a national cybersecurity emergency on his first day in office.

Chaves was inaugurated on May 8 and signed the emergency decree the same day.

The presidential decree declares a national emergency across the entire public sector. It is meant to give the state additional resources to deal with the fallout from the Conti ransomware attack the country suffered in April.

Last month, the group attacked the Government of Costa Rica, severely disrupting the country's foreign trade by taking down its customs and tax platforms.

The attackers stole over 670 GB of data from government institutions and have been gradually leaking it since mid-April. The Ministry of Finance was the first institution hit, sparking fears that the attackers obtained taxpayer data.

Costa Rica's treasury has been operating without its digital services since April 18, which means businesses and citizens have to fill in forms manually, severely overloading the public sector.

According to a post on Conti's leak site shared by Emsisoft threat analyst Brett Callow, an affiliate using the handle 'unc1756' is leaking the data stolen from the Costa Rican government because the country refused to pay the ransom.

"The purpose of this attack was to earn money, in the future I will definitely carry out an attack of a more serious format with a larger team, Costa Rica is a demo version," reads the statement.

The US State Department announced a reward of up to $15 million for information on the Russia-based Conti ransomware gang.

The reward comprises $10 million for information leading to the identification and location of Conti leaders and $5 million for information resulting in the arrest of anyone conspiring with Conti.

According to the FBI, the Conti ransomware variant is the costliest strain of ransomware ever documented, with victim payouts exceeding $150 million.

Conti ransomware

Conti started operating in late 2019 and runs the Conti.News data leak site. The group gains initial access through stolen RDP credentials and phishing emails carrying malicious attachments.
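Stolen RDP credentials are the quieter of the two initial-access vectors named above, because the logon itself is "valid". The detector below is an added example, not code from the article or from Conti's tooling. It assumes Windows Security events 4624 (successful logon) and 4625 (failed logon) exported as JSON lines with the native field names, and that interactive RDP should only arrive from internal jump-host or VPN ranges; the trusted ranges, host names, accounts and log records are constructed for the demonstration.

```python
"""Flag RDP logons that look like use of stolen or guessed credentials.

Two rules over Windows Security 4624/4625 events:
  1. a successful RemoteInteractive (LogonType 10) logon from outside the
     trusted address space;
  2. a successful RDP logon preceded by several failures for the same
     account from the same source IP within a short window.
"""
import ipaddress
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: RDP is only reachable through internal jump hosts / a VPN pool.
TRUSTED_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LOGON_TYPE_RDP = 10            # RemoteInteractive
FAILURES_BEFORE_SUCCESS = 3    # threshold for the guess-then-succeed rule
WINDOW = timedelta(minutes=30)

# Constructed sample export (hypothetical JSON-lines dump of the Security log).
# 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges, not real sources.
SAMPLE_LOG = """\
{"EventID": 4624, "LogonType": 10, "TargetUserName": "jdoe", "IpAddress": "10.20.5.17", "TimeCreated": "2022-04-17T08:01:12Z", "Computer": "FIN-JUMP01"}
{"EventID": 4624, "LogonType": 2, "TargetUserName": "asmith", "IpAddress": "-", "TimeCreated": "2022-04-17T09:30:00Z", "Computer": "FIN-WS22"}
this line is not JSON and must be skipped
{"EventID": 4625, "LogonType": 3, "TargetUserName": "svc_backup", "IpAddress": "203.0.113.77", "TimeCreated": "2022-04-17T22:10:51Z", "Computer": "FIN-JUMP01"}
{"EventID": 4625, "LogonType": 3, "TargetUserName": "svc_backup", "IpAddress": "203.0.113.77", "TimeCreated": "2022-04-17T22:11:02Z", "Computer": "FIN-JUMP01"}
{"EventID": 4625, "LogonType": 3, "TargetUserName": "svc_backup", "IpAddress": "203.0.113.77", "TimeCreated": "2022-04-17T22:11:20Z", "Computer": "FIN-JUMP01"}
{"EventID": 4624, "LogonType": 10, "TargetUserName": "svc_backup", "IpAddress": "203.0.113.77", "TimeCreated": "2022-04-17T22:12:40Z", "Computer": "FIN-JUMP01"}
{"EventID": 4624, "LogonType": 10, "TargetUserName": "jdoe", "IpAddress": "198.51.100.5", "TimeCreated": "2022-04-17T23:05:09Z", "Computer": "FIN-JUMP01"}
"""


def parse_events(text):
    """Parse JSON-lines events, skipping malformed records, sorted by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
            rec["_time"] = datetime.strptime(rec["TimeCreated"], "%Y-%m-%dT%H:%M:%SZ")
        except (ValueError, KeyError, TypeError):
            continue  # a broken export line should not stop the pipeline
        events.append(rec)
    return sorted(events, key=lambda r: r["_time"])


def source_ip(rec):
    """Return the source address, or None for local logons logged as '-'."""
    try:
        return ipaddress.ip_address(rec.get("IpAddress", ""))
    except ValueError:
        return None


def is_trusted(ip):
    return any(ip in net for net in TRUSTED_NETS)


def detect(events):
    """Return (rule, account, source_ip, time) tuples in chronological order."""
    alerts = []
    failures = defaultdict(list)  # (account, ip) -> times of 4625 events
    for rec in events:
        ip = source_ip(rec)
        if ip is None:
            continue
        key = (rec.get("TargetUserName"), str(ip))
        eid = rec.get("EventID")
        if eid == 4625:
            # Count failures of any logon type: with NLA enabled, failed RDP
            # attempts are commonly recorded as LogonType 3, not 10.
            failures[key].append(rec["_time"])
            continue
        if eid != 4624 or rec.get("LogonType") != LOGON_TYPE_RDP:
            continue
        if not is_trusted(ip):
            alerts.append(("rdp_from_untrusted_source", key[0], key[1], rec["TimeCreated"]))
        recent = [t for t in failures[key] if rec["_time"] - t <= WINDOW]
        if len(recent) >= FAILURES_BEFORE_SUCCESS:
            alerts.append(("rdp_success_after_failures", key[0], key[1], rec["TimeCreated"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_LOG)):
        print(*alert)
```

On the constructed sample the jdoe logon from 10.20.5.17 is silent, the svc_backup success from 203.0.113.77 fires both rules, and the later jdoe logon from 198.51.100.5 fires only the untrusted-source rule. In a real deployment the trusted ranges and the failure threshold are the tunable parts; the first rule alone catches a credential that was stolen and replayed cleanly, which password-spray counters never see.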

Experts believe Conti's intrusions resemble those of nation-state actors: the group relies on human-operated, hands-on-keyboard attacks rather than the increasingly common automated ones. Before posting stolen data on its leak site, Conti first tries to find a buyer for it.

Conti's victims include Ireland's HSE, Volkswagen Group, and several US cities, counties, and school districts. The group has been observed inside victim networks for anywhere from a few days to several weeks before actually deploying the ransomware.

The group is believed to be based in Saint Petersburg, Russia's second-largest city. It is also speculated that the people behind Conti previously ran another prominent ransomware operation, Ryuk.

As with many modern extortion gangs, Conti operates a ransomware-as-a-service (RaaS) model, providing its malware to affiliates. The core team takes 20-30% of each ransom payment, and the affiliates keep the rest.

In March, after Conti declared its allegiance to Vladimir Putin, a pro-Ukrainian insider set up a Twitter account named Conti Leaks to expose the ransomware gang, which had been a nightmare for many of its victims.
