The threat group behind Conti ransomware is causing a national crisis in Costa Rica, where government agencies are being hammered by relentless cyberattacks. The attacks, which have been ongoing since April, have severely affected the Ministry of Finance, the Costa Rican Social Security Fund, the Ministry of Science, Innovation, Technology, and Telecommunications, and other government institutions. The Finance Ministry reports that its digital services are shut down, massively disrupting work that depends on electronic signatures and certain government procedures. The Ministry of Finance, hit particularly hard, is still determining the full extent of the damage caused by the attacks.
Conti's operators demanded US$10 million in ransom from the Ministry of Finance, but the agency refused to pay. The threat group quickly retaliated by publishing several hundred gigabytes of stolen government data on its leak site, and followed the data dump with a promise to wage attacks of "a more serious form." The situation has become so dire that Costa Rican President Rodrigo Chaves declared a national state of emergency in response to the attacks.
The Conti threat actors are claiming sole responsibility for these attacks, apparently to distance them from any nation-state backed activity. These claims must be taken with a healthy dash of skepticism. Definitively attributing cyberattacks to specific actors is notoriously difficult, and cybercriminals have little incentive to speak honestly about their operations. Threat groups go to extreme lengths to obfuscate, misdirect, and mislead anyone seeking to attribute attacks, and claims published online are simply another avenue for public misdirection.
In fact, Conti may have ulterior motives for claiming sole credit for the attacks in Costa Rica. The group is widely reported to be based in Russia. When Russia began its invasion of Ukraine, Conti publicly announced full support for the Russian government and threatened to attack the critical infrastructure of anyone launching cyberattacks against Russia. Those statements led to the group's internal chat logs being leaked by a Ukrainian security researcher beginning on Feb. 27, 2022. Conti also revised its statement to condemn "the ongoing war," but this change of heart seems suspect given the events surrounding it.
Looking at the larger picture, the attacks against Costa Rica fit a broader trend: Conti threat group activity is on the rise. Victim listings on the group's leak site show it is posting more targets per month, on average, than it did during the previous year. This operational growth comes only a few weeks after the group suffered the chat-log leak and shut down its command-and-control (C2) infrastructure. Some analysts believed the leak would prove a fatal blow, but Conti has proven to be a resilient foe.
In addition to attacking more targets, the group's possible connections to Emotet and Black Basta suggest Conti's influence may be growing. These developments have not escaped the notice of the United States government. The U.S. Department of State is offering a reward of up to $10 million for information leading to the identification or location of the group's key leaders, and an additional reward of up to $5 million for information leading to the arrest or conviction of individuals participating in Conti attacks.