
Costa Rica in Crisis: Russian Ransomware Raises Its Head

(This Cyber Tactics column, “Costa Rica in Crisis: Russian Ransomware Raises Its Head,” written by John McClurg of BlackBerry, was originally published July 8, 2022, in Security Magazine. Excerpted with permission; the full article is available in Security Magazine.)

Let’s take a look at the evolution and path of Conti ransomware.

Conti, the ruthless threat group behind hundreds of global ransomware attacks, has cast its dark shadow over sunny Costa Rica. The Central American republic is struggling to withstand a series of cyberattacks that have paralyzed state institutions. On May 11, 2022, Costa Rican President Rodrigo Chaves declared a national state of emergency over the attacks. These cyberattacks not only damaged Costa Rica but also pose a threat to global stability, as we’ll explore in the rest of this column.

Conti Catches Fire

Before describing the larger significance of these cyberattacks on Costa Rica, it is important to share some key facts about the Conti group. Conti ransomware first appeared in 2020, catching researchers’ attention with its lightning-fast encryption capabilities. The ransomware masterfully uses multi-threading to achieve blazing-fast execution speeds. At first, Conti ransomware looked like a clever variation of other multi-threaded malware samples including REvil, LockBit, and Ryuk.

Within a year of its discovery, Conti compromised more than 400 organizations around the world.

Conti quickly proved they were not small-time players. They were organized like a business, performed target reconnaissance, and pressured victims to pay through double extortion. This tactic involves attackers stealing information from target systems before encryption occurs. They then demand ransom for a decryption key, while threatening to publicly release the stolen data if the victim does not comply. Compromised organizations find themselves facing catastrophic data loss, public humiliation, and the risk of violating privacy regulations like the General Data Protection Regulation (GDPR) if they resist.

The effectiveness of Conti’s methods is indisputable. Leaked chat logs suggest the group took in more than $30 million USD in 2021. These gains came as ransomware attacks went up 105% and the posting of company information to data leak sites increased by 935%. Conti’s tactics, techniques, and procedures (TTPs) certainly seem to be highly effective. However, the group’s stellar rise and enormous successes have caused some researchers to question who exactly is behind Conti.

Dark Connections, Divided Loyalties

As I’ve discussed in other columns, attributing cyberattacks to specific actors is incredibly difficult. Attacks can be routed through several nations, including those that do not cooperate with investigations, making their initial source nearly indeterminable. If one threat actor wishes to look like another, they simply mimic the TTPs of whomever they seek to impersonate. Modern cyberattacks are often encrypted and obfuscated, and they seek to use legitimate system resources to hide their activity. Simply put, attackers go to a great deal of trouble to hide from analysts and to lead them down the wrong path when discovered.

That being said, it has been widely reported that Conti is a Russia-based group. This assessment received further credibility during the Russian invasion of Ukraine, when Conti threatened retaliation against anyone targeting Russia with conventional or cyberattacks. This statement caused internal dissent within the cybercrime community and ultimately led to Conti being compromised. Shortly after Conti declared its fealty to Russia, a Ukrainian security researcher released a year’s worth of internal chats from the group. This was quickly followed by the release of the Conti ransomware source code.

Costa Rica Reflects a World in Crisis

This brings us to the present, where Conti is waging unrelenting cyberattacks against Costa Rican government agencies. In one interaction, the Conti group demanded $10 million USD from the Costa Rican government, only to be rebuffed. This refusal prompted the group to publish hundreds of gigabytes of stolen data to their leak site and to threaten “more serious” attacks.

The U.S. State Department has offered a $10 million reward for information that identifies Conti’s key leaders and an additional $5 million for information leading to their arrest or capture. Yet the real danger of these attacks far exceeds anything addressable by a simple bounty. Cyberattacks have long been treated by nations as a form of espionage — something that provokes retaliation without requiring greater escalation. However, as cyberattacks on infrastructure, agencies and economies wreak greater havoc on nations, this sentiment is changing.

Last July, U.S. President Joe Biden warned that a serious cyberattack could lead to a “real shooting war.” This may be why Conti made an explicit declaration claiming sole responsibility for the attacks in Costa Rica. Likewise, it might explain why they rapidly amended their initial declaration of support for the Russian invasion with a disclaimer that they “do not ally with any government and we condemn the ongoing war.”

As the effects of cyberattacks become more consequential, it seems inevitable that the responses to them will escalate in turn. Unfortunately, merely claiming that the attacks are independent actions and disavowing national ties will mean little if those claims are deemed disingenuous and the attacks are deemed acts of war.

Read the full article in Security Magazine.


About John McClurg

Sr. Vice President and CISO at BlackBerry.

John McClurg serves as Sr. Vice President and CISO at BlackBerry. McClurg engages the industry around the globe on today’s risk challenges and how BlackBerry uniquely mitigates them with the application of machine learning and other AI-supported solutions. He champions a move from a historically reactive security posture to one focused on proactively predicting and mitigating future risks.

Before BlackBerry, McClurg served as the Ambassador-At-Large of Cylance and as Dell's CSO, where his responsibilities included the strategic focus and tactical operations of Dell’s internal global security service. He was also charged with the advocacy of business resilience and security prowess, the seamless integration of Dell’s security offerings, and with improving the effectiveness and efficiency of security initiatives.

Before Dell, McClurg served as the VP of Global Security at Honeywell International; Lucent/Bell Laboratories; and in the U.S. Intel Community, as a twice-decorated member of the FBI, where he held an assignment with the U.S. Dept of Energy (DOE) as a Branch Chief charged with establishing a Cyber-Counterintelligence program within the DOE’s newly created Office of Counterintelligence.

Prior to that, McClurg served as an FBI Supervisory Special Agent, assisting in the establishment of the FBI’s new Computer Investigations and Infrastructure Threat Assessment Center, or what is today known as the National Infrastructure Protection Center within the Dept of Homeland Security.

McClurg also served on assignment as a Deputy Branch Chief with the CIA, helping to establish the new Counterespionage Group, and was responsible for the management of complex counterespionage investigations. He additionally served as a Special Agent for the FBI in the Los Angeles Field Office, where he implemented plans to protect critical U.S. technologies targeted for unlawful acquisition by foreign powers and served on one of the nation’s first Joint Terrorism Task Forces.