BlackBerry ThreatVector Blog

Russia-Linked Conti Group Creates National Emergency for Costa Rica

The threat group behind Conti ransomware is causing a national crisis in Costa Rica, where government agencies are being hammered by relentless cyberattacks. These attacks, which have been ongoing since April, have severely affected the Ministry of Finance, the Costa Rican Social Security Fund, the Ministry of Science, Innovation, Technology, and Telecommunications, and other government institutions. The Costa Rican Treasury reports their digital services are shut down, massively disrupting work related to electronic signatures and certain government procedures. The Ministry of Finance, hit particularly hard by the threat group, is still determining the extent of the damage incurred by their cyberattacks.

Conti’s threat actors demanded US$10 million in ransom from the Ministry of Finance, but the agency refused to pay. The threat group quickly retaliated by publishing several hundred gigabytes of stolen government data to their leak site. This data dump was followed by the group promising to wage attacks of “a more serious form.” The situation has become so dire that Costa Rican President, Rodrigo Chaves, declared a national state of emergency in response to the attacks.

The Conti threat actors are claiming sole responsibility for these attacks, with the apparent desire to separate them from any nation-state backed activity. However, these claims must be taken with a healthy dash of skepticism. Definitively attributing cyberattacks to specific actors is notoriously difficult, and cybercriminals have little incentive to speak honestly about their operations. Threat groups go through extreme efforts to obfuscate, misdirect, and mislead those seeking attributions for attacks, and claims published online simply provide another avenue for potential public misdirection.

In fact, Conti may have ulterior motives for claiming sole credit for the attacks in Costa Rica. The threat group is widely reported to be based in Russia. When Russia began its invasion of Ukraine, Conti publicly announced full support for the Russian government. They further threatened to attack the critical infrastructure of anyone launching cyberattacks against Russia. These statements led to the group’s internal chat logs being leaked by a Ukrainian security researcher on Feb. 27, 2022. Since then, Conti has publicly condemned “the ongoing war,” but this change of heart seems suspect, given the events that preceded it.  

Looking at the bigger picture, the attacks against Costa Rica fit into a wider trend showing that Conti threat group activity is on the rise. The group’s website shows it is attacking more targets every month, on average, than during the previous year. This operational growth comes a few weeks after the group suffered the data leak and shut down its command-and-control (C2) infrastructure. Some analysts believed the leak would prove a fatal blow to the group, but Conti has proven to be a resilient foe.

In addition to attacking more targets, the group’s possible connections to Emotet and Black Basta suggest Conti’s influence may be growing. These developments have not escaped the notice of the United States government. The U.S. Department of State is offering $10 million for information leading to the identification of the group’s key leaders. There is an additional $5 million reward for information leading to the capture or arrest of Conti members.

FBI poster offering big rewards for information tips on Conti Ransomware as a Service

Understanding the Conti Threat

Conti first came to public attention as a threat group in mid-2020. They quickly made a name for themselves by launching a series of unusually successful attacks targeting multiple industries across the globe. The group uses a double extortion tactic as a standard feature of their ransomware attacks. This method entails exfiltrating a victim’s data before encrypting it on their local hard drives and backups, then threatening to publicly release the data on their leak site if the ransom is not paid. The BlackBerry Research & Intelligence Team published a deep dive into the group’s history, activities, and processes in their recent blog, Conti Ransoms Over 400 Organizations Worldwide. Conti ransomware was also mentioned in a recent BlackBerry Threat Research post titled Ruthlessness, Scale, and Sophistication: How Cyber Crime Evolved in 2021.
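The double extortion sequence described above has a detectable shape on the defender's side: a large outbound transfer from a host (the exfiltration stage), followed shortly afterwards by a burst of file writes that append a new extension to existing documents and backups (the encryption stage). The following is an added example, not code from the BlackBerry post or from any BlackBerry product, that flags hosts showing that two-stage pattern in a small set of constructed log lines. The log format, the `XYZ` appended extension, the thresholds and the time window are all assumptions chosen for illustration; real telemetry and real ransomware extensions differ.

```python
"""
Toy two-stage (exfiltration, then encryption) sequence detector.
All thresholds, the log format and the sample lines are illustrative
assumptions, not values taken from the BlackBerry post.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

EXFIL_BYTES = 500 * 1024 * 1024   # one outbound flow >= 500 MiB counts as bulk exfil (assumed)
RENAME_BURST = 5                  # this many appended-extension writes = encryption burst (assumed)
WINDOW = timedelta(hours=2)       # encryption must follow exfil within this window (assumed)

# Log line shape (assumed): "<ISO8601 UTC> <host> <netflow|filewrite> <key=value ...>"
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<kind>netflow|filewrite) (?P<rest>.*)$")

# Heuristic for the encryption stage: a known document/backup extension with a
# further extension appended, e.g. "ledger.xlsx.XYZ". "XYZ" is a placeholder.
APPENDED_EXT_RE = re.compile(r"\.(?:xlsx|docx|pdf|bak|csv|sql|jpg)\.[A-Za-z0-9]{2,8}$")

# Constructed sample log (not real telemetry). host-fin-01 shows the full pattern,
# host-fin-02 shows only small traffic, host-fin-03 exfiltrates but encrypts too late.
SAMPLE_LOG = """\
2022-04-18T02:10:05Z host-fin-01 netflow out_bytes=734003200 dst=203.0.113.45
2022-04-18T02:12:40Z host-fin-02 netflow out_bytes=1048576 dst=203.0.113.45
2022-04-18T02:41:12Z host-fin-01 filewrite path=C:\\Shares\\ledger.xlsx.XYZ
2022-04-18T02:41:13Z host-fin-01 filewrite path=C:\\Shares\\payroll.docx.XYZ
2022-04-18T02:41:13Z host-fin-01 filewrite path=C:\\Shares\\q1.pdf.XYZ
2022-04-18T02:41:14Z host-fin-01 filewrite path=C:\\Shares\\q2.pdf.XYZ
2022-04-18T02:41:14Z host-fin-01 filewrite path=C:\\Shares\\readme.txt
2022-04-18T02:41:15Z host-fin-01 filewrite path=C:\\Shares\\q3.pdf.XYZ
2022-04-18T02:41:15Z host-fin-01 filewrite path=D:\\Backups\\full.bak.XYZ
2022-04-18T03:00:00Z host-fin-02 filewrite path=C:\\Users\\a\\notes.txt
2022-04-18T09:00:00Z host-fin-03 netflow out_bytes=900000000 dst=198.51.100.7
2022-04-18T15:30:00Z host-fin-03 filewrite path=C:\\data\\a.csv.XYZ
"""


def parse_events(text):
    """Parse log text into (timestamp, host, kind, rest) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts, m["host"], m["kind"], m["rest"]))
    return events


def detect_double_extortion(text):
    """Return {host: details} for hosts where a bulk outbound flow is followed,
    within WINDOW, by at least RENAME_BURST appended-extension file writes."""
    exfil = defaultdict(list)    # host -> timestamps of large outbound flows
    renames = defaultdict(list)  # host -> timestamps of appended-extension writes
    for ts, host, kind, rest in parse_events(text):
        if kind == "netflow":
            m = re.search(r"out_bytes=(\d+)", rest)
            if m and int(m.group(1)) >= EXFIL_BYTES:
                exfil[host].append(ts)
        elif kind == "filewrite" and APPENDED_EXT_RE.search(rest):
            renames[host].append(ts)

    alerts = {}
    for host, exfil_times in exfil.items():
        for t0 in exfil_times:
            burst = [t for t in renames[host] if t0 <= t <= t0 + WINDOW]
            if len(burst) >= RENAME_BURST:
                alerts[host] = {
                    "exfil_at": t0,
                    "first_write": min(burst),
                    "encrypt_writes": len(burst),
                }
                break  # one alert per host is enough
    return alerts


if __name__ == "__main__":
    for host, info in detect_double_extortion(SAMPLE_LOG).items():
        print(f"{host}: bulk exfil at {info['exfil_at']:%H:%M:%S}, "
              f"{info['encrypt_writes']} encrypting writes from {info['first_write']:%H:%M:%S}")
```

The ordering is the point: a large outbound flow on its own is common (backups, cloud sync), and a handful of renamed files on its own is noise, but exfiltration followed within a short window by a burst of appended-extension writes on the same host is the sequence the double extortion model produces, and it is worth alerting on even before any ransom note appears. In production the thresholds would be tuned per environment and the file heuristic replaced with the endpoint sensor's own file-entropy or canary-file signals.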

Recovering from a ransomware attack is, at best, an expensive and time-consuming process. In the worst-case scenario, data is permanently lost (or leaked to a place where a competitor may view proprietary information), an organization’s reputation is irreparably damaged, and people lose their jobs. If there is no backup in place, an organization may permanently go under.

Fortunately, there are solutions available that can identify and prevent ransomware attacks before they occur. Artificial intelligence (AI) has proven over the years to be particularly effective against file-based threats like ransomware, especially products that are based on more mature AI, whose math models and algorithms have evolved over the years with exposure to substantially more data than earlier generations of AI. Mature AI detects threats with extraordinary accuracy, and prevents them from causing harm. (If that sounds like a fantastic claim, take a moment to view this video of Cylance AI stopping Conti in its tracks.)

Artificial Intelligence is just one of many advanced technologies an organization can use to protect itself from threat groups. To learn more about effective ways to prevent ransomware attacks, visit the BlackBerry Ransomware Prevention and Remediation site. For more information on combating all forms of cyberattacks, visit BlackBerry.com.

Daniel Ballmer

About Daniel Ballmer

Daniel Ballmer is a Cybersecurity Specialist at BlackBerry.