Conti Costa Rica Ransomware Attack Explained

Summary Of The Attack

  • Costa Rica was attacked by Conti in April 2022.
  • After the initial ransom demands were rejected, several ministries and
    agencies have since been attacked.
  • Over 600GB of data stolen from the attack has been leaked online.
  • Costa Rica has declared a state of emergency as a result of the impact of the incident.
  • The US Department of State is offering a $15 million bounty for the arrest
    of those responsible for deploying Conti.

What Happened?

On May 8th, 2022, the President of Costa Rica, Rodrigo Chaves, declared a national emergency over an ongoing Conti ransomware campaign against several Costa Rican government entities that began in April of this year.

Conti is a prolific ransomware-as-a-service operation that has been infecting and damaging systems since it was first observed in 2020.

Conti was attributed to the threat group called WizardSpider by CrowdStrike in 2019.

The group is also known for TrickBot and the Ryuk ransomware distributed through the ZLoader botnet, which we previously reported as shut down by Microsoft.

Conti Contains New And Novel Techniques

Conti ransomware uses new and novel techniques that few other ransomware variants have exhibited so far.

Conti’s design makes it one of the fastest-encrypting ransomware families: it can run 32 simultaneous encryption threads, and it can be remotely controlled via command-line options.

Attackers can control which files are encrypted and in what order, so the malware can quickly encrypt important shared data without immediately rendering the local system unusable, a symptom that could otherwise give an enterprise time to react.
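The defender's counterpart to that design is to watch shared data rather than only local endpoints. As an added illustration (not code from the original article), the Python sketch below flags a burst of high-entropy overwrites on a file share coming from several threads at once; the share prefix, thresholds and event data are constructed assumptions.

```python
import math
import random
from collections import defaultdict

SHARE_PREFIX = "\\\\fileserver\\"  # assumed UNC prefix that marks "shared data"

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: plaintext documents sit around 4-5, ciphertext near 8."""
    if not data:
        return 0.0
    counts = defaultdict(int)
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def detect_mass_encryption(events, window_s=5.0, min_files=5, min_threads=3, entropy_min=7.0):
    """Flag a burst of high-entropy overwrites on share paths from several threads.

    events: iterable of (timestamp_s, thread_id, path, new_content_bytes).
    Returns (window_start, file_count, thread_count) for the first window that
    trips the thresholds, else None.
    """
    suspect = sorted(
        (t, thr, p) for t, thr, p, data in events
        if p.startswith(SHARE_PREFIX) and shannon_entropy(data) >= entropy_min
    )
    for i, (start, _, _) in enumerate(suspect):
        in_window = [e for e in suspect[i:] if e[0] - start <= window_s]
        files = {p for _, _, p in in_window}
        threads = {thr for _, thr, _ in in_window}
        if len(files) >= min_files and len(threads) >= min_threads:
            return start, len(files), len(threads)
    return None

# Constructed sample events: four worker threads rewrite six shared spreadsheets
# within two seconds, while one user saves a plaintext report locally and on the share.
_rng = random.Random(7)
BENIGN = b"Q2 budget summary: revenue up 4%, opex flat, headcount 212.\n" * 16
ENCRYPTED = [_rng.randbytes(1024) for _ in range(6)]  # stands in for ciphertext
EVENTS = [
    (0.0, 11, r"C:\Users\ana\report.docx", BENIGN),
    (0.5, 11, SHARE_PREFIX + r"finance\report.docx", BENIGN),
] + [
    (1.0 + 0.3 * i, 100 + (i % 4), SHARE_PREFIX + rf"finance\ledger_{i}.xlsx", ENCRYPTED[i])
    for i in range(6)
]
```

The plaintext saves never count as suspect, so a single user editing on the share does not trip the rule; only the coordinated multi-thread rewrite does.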

The attack on the nation of Costa Rica began with a Conti cyber attack at the Ministry of Finance on April 18th.

The Ministry is still evaluating the scope of the incident and has yet to determine what, if any, impact there may be on taxpayers’ information or payments.

The Ransom Demand

The ransom demanded was $10 million; otherwise, the group said, it would continue to attack the nation’s ministries.

Costa Rica’s government declined to pay the initial ransom.

Making good on that threat, WizardSpider continued its campaign and has so far infected:

  • The Administrative Board of the Electrical Service of the province of Cartago (Jasec)
  • The Ministry of Science, Innovation, Technology and Telecommunications
  • The Ministry of Labor and Social Security (MTSS)
  • The National Meteorological Institute (IMN)
  • Radiográfica Costarricense (Racsa)
  • The Interuniversity Headquarters of Alajuela
  • The Social Development and Family Allowances Fund (FODESAF)
  • The Costa Rican Social Security Fund (CCSS)

All of these agencies have had their operations impacted in some way.

Impact Of The Breach

BleepingComputer reports that as of May 9th, Conti has leaked over 97% of a 672GB data dump which allegedly contains information stolen from the government agencies. Conti has the capability to make and exfiltrate copies of any data that is encrypted, which can turn a ransom campaign into an extortion attempt even after the encrypted files are restored.

How To Protect Yourself Against Ransomware Attacks

To protect yourself from ransomware, PurpleSec recommends:

Wrapping Up

Conti is just one example of ransomware. There are many other well-known variants and new ones are being created all the time.

It is important to take ransomware seriously at your business.

The full extent of the continuing attack, the leak, and its impact on the citizens of Costa Rica has yet to be determined.

The declaration of national emergency has given the government of Costa Rica some national powers to help defend itself from the attack and recover from any damages.

In a separate but related announcement last week, the U.S. Department of State is offering $10 million for information that identifies and locates anyone related to Conti, with an additional $5 million bounty for information leading to the arrest of those directly responsible for creating and delivering Conti attacks.

Article by

Jason Firch, MBA
Jason is a proven marketing leader, veteran IT operations manager, and cybersecurity expert with over a decade of experience. He is the founder and CEO of PurpleSec.
