Conti Costa Rica Ransomware Attack Explained

Author: Josh Allen / Last Updated: 7/10/2022

Reviewed By: Dalibor Gašić, & Michael Swanagan, CISSP, CISA, CISM


Summary Of The Attack

  • Costa Rica was attacked by Conti in April 2022.
  • After the initial ransom demand was rejected, several further ministries
    and agencies were attacked.
  • Over 600GB of data stolen in the attack has been leaked online.
  • Costa Rica declared a state of emergency as a result of the incident.
  • The US Department of State is offering rewards of up to $15 million for
    information that identifies Conti's members and leads to the arrest of
    those responsible for its attacks.

 

What Happened?

On May 8th, 2022, the President of Costa Rica, Rodrigo Chaves, declared a national emergency in response to an ongoing Conti ransomware campaign against several Costa Rican government entities that began in April 2022.

Conti is a prolific ransomware-as-a-service operation that has been infecting and damaging systems since it was first observed in 2020.

The operation is attributed to the threat group that CrowdStrike named Wizard Spider in 2019.

The same group is behind the TrickBot banking trojan and the Ryuk ransomware, which was also distributed through the ZLoader botnet that Microsoft took down, as we previously reported.

Conti Contains New And Novel Techniques

Conti includes several techniques that few other ransomware families had exhibited at the time.

Its design makes it one of the fastest-encrypting ransomware families: it runs up to 32 encryption threads in parallel, and the operator controls its behaviour through command-line options.

Those options let the operator choose which files are encrypted and in what order, so the malware can encrypt important shared data first without immediately rendering the local system unusable. That matters to defenders because an unusable workstation is an obvious warning sign; by leaving it intact, the attackers deny the enterprise the early notice it would otherwise have to act.
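One practical consequence for defenders, shown here with an added example that is not PurpleSec's code and not Conti code: if the operator hits network shares first while the workstation stays usable, the earliest reliable signal is on the file server, not the endpoint. The script below runs a sliding-window detector over constructed file-server audit records and raises on three conditions: a write to a canary path, a burst of renames to an extension outside the learned baseline, and an unusual number of distinct files touched by one account/host pair. The record format, thresholds, account names, UNC paths, timestamps and the `.locked` suffix are all assumptions made for the example.

```python
"""Sliding-window mass-modification detector over file-server audit records.

Added example for illustration only; not PurpleSec's code and not Conti code.
Record format, thresholds, names, paths, timestamps and the ".locked" suffix
are assumptions or constructed sample data.
"""
import os
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class FileEvent:
    ts: datetime
    account: str
    host: str   # workstation the write came from
    path: str   # UNC path on the share; for a rename, the new name
    op: str     # "write" or "rename"


@dataclass(frozen=True)
class Alert:
    ts: datetime
    account: str
    host: str
    reason: str  # "canary", "new_extension" or "volume"
    detail: str


class MassWriteDetector:
    """Tracks each (account, host) pair over a sliding window and raises at most
    once per reason: canary touched, renames to a non-baseline extension, or
    too many distinct files modified inside the window."""

    def __init__(self, window_s=30, max_files=50, max_new_ext=10, canary_prefix=""):
        self.window = timedelta(seconds=window_s)
        self.max_files = max_files
        self.max_new_ext = max_new_ext
        self.canary_prefix = canary_prefix.lower()
        self._recent = defaultdict(deque)  # key -> deque of (ts, path, op)
        self._baseline_ext = set()         # extensions normal for this share
        self._raised = set()               # (key, reason) already alerted on

    def learn_extension(self, ext):
        self._baseline_ext.add(ext.lower())

    @staticmethod
    def _ext(path):
        return os.path.splitext(path)[1].lower()

    def _alert(self, ev, key, reason, detail):
        if (key, reason) in self._raised:
            return None
        self._raised.add((key, reason))
        return Alert(ev.ts, ev.account, ev.host, reason, detail)

    def feed(self, ev):
        """Ingest one event (events must arrive in time order); return alerts."""
        key = (ev.account.lower(), ev.host.lower())
        q = self._recent[key]
        q.append((ev.ts, ev.path.lower(), ev.op))
        while q and ev.ts - q[0][0] > self.window:  # expire entries outside the window
            q.popleft()

        found = []
        if self.canary_prefix and ev.path.lower().startswith(self.canary_prefix):
            found.append(self._alert(ev, key, "canary", ev.path))
        new_ext = {p for _, p, op in q
                   if op == "rename" and self._ext(p) not in self._baseline_ext}
        if len(new_ext) >= self.max_new_ext:
            found.append(self._alert(ev, key, "new_extension",
                                     f"{len(new_ext)} files renamed to {self._ext(ev.path)}"))
        distinct = {p for _, p, _ in q}
        if len(distinct) >= self.max_files:
            found.append(self._alert(ev, key, "volume",
                                     f"{len(distinct)} distinct files in {self.window.seconds}s"))
        return [a for a in found if a is not None]


def constructed_events():
    """Constructed sample: one user saving a few files, and a compromised service
    account rewriting a share as fast as it can while its workstation stays usable."""
    t0 = datetime(2022, 4, 18, 2, 0, 0)
    events = [FileEvent(t0 + timedelta(minutes=i), "jdoe", "WS-007",
                        rf"\\fileserver\finance\budget_{i}.xlsx", "write") for i in range(5)]
    events.append(FileEvent(t0 + timedelta(seconds=1), "svc_backup", "WS-042",
                            r"\\fileserver\finance\~canary\DO_NOT_TOUCH.docx", "write"))
    events += [FileEvent(t0 + timedelta(seconds=2 + i / 4), "svc_backup", "WS-042",
                         rf"\\fileserver\finance\ledger_{i}.xlsx.locked", "rename") for i in range(80)]
    return sorted(events, key=lambda e: e.ts)


def run_detection(events=None):
    det = MassWriteDetector(window_s=30, max_files=50, max_new_ext=10,
                            canary_prefix=r"\\fileserver\finance\~canary")
    for ext in (".xlsx", ".docx", ".pdf"):  # in practice learned from a quiet period
        det.learn_extension(ext)
    alerts = []
    for ev in (events if events is not None else constructed_events()):
        alerts.extend(det.feed(ev))
    return alerts
```

`run_detection()` returns three alerts for the service account, in order: the canary write, the tenth rename to an unknown extension, and the fiftieth distinct file inside the 30 second window; the ordinary user never trips a threshold. The detector is keyed on account plus host because an operator-driven encryptor runs under one compromised identity from one machine, and each reason fires once per key so a burst of 80 renames does not produce 80 tickets. Thresholds here are illustrative; on a real share they should be set from observed normal write rates, and the canary directory should contain nothing users have a reason to open.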

 

The attack on Costa Rica began with a Conti intrusion at the Ministry of Finance on April 18th, 2022.

The Ministry is still evaluating the scope of the incident and has not yet determined what impact, if any, there may be on taxpayers' information or payments.

The Ransom Demand

The ransom demanded was $10 million; otherwise the group would continue to attack the nation's ministries.

Costa Rica's government declined to pay.

Making good on that threat, Wizard Spider continued its campaign and has so far hit:

  • The Administrative Board of the Electrical Service of the province of Cartago (Jasec)
  • The Ministry of Science, Innovation, Technology and Telecommunications
  • The Ministry of Labor and Social Security (MTSS)
  • The National Meteorological Institute (IMN)
  • Radiográfica Costarricense (Racsa)
  • The Interuniversity Headquarters of Alajuela
  • The Social Development and Family Allowances Fund (FODESAF)
  • The Costa Rican Social Security Fund (CCSS)

All of these agencies have had their operations disrupted in some way.

Impact Of The Breach

BleepingComputer reported that, as of May 9th, Conti had leaked over 97% of a 672GB data dump that allegedly contains information stolen from the government agencies.

Conti operators copy and exfiltrate data before encrypting it, which turns a ransom campaign into an extortion attempt: even after the encrypted files are restored from backup, the stolen copies can still be leaked.


How To Protect Yourself Against Ransomware Attacks

To protect yourself from ransomware, PurpleSec recommends:

Wrapping Up

Conti is just one ransomware family among many; other well-known variants exist and new ones appear all the time.

Ransomware is a risk every business needs to take seriously.

The full extent of the continuing attack, the leak, and its impact on the citizens of Costa Rica has yet to be determined.

The declaration of a national emergency gives the government of Costa Rica additional powers to defend itself against the attack and recover from the damage.

In a separate but related announcement in the same week, the U.S. Department of State offered up to $10 million for information that identifies or locates key members of Conti, with an additional $5 million for information leading to the arrest or conviction of anyone who participates in Conti attacks.


Joshua Allen

Josh Allen is a diversely skilled cyber security professional with 12 years of Department of Defense experience who specializes in internal network security.
