Costa Rican President Rodrigo Chaves declared a State of National Cyber-Security Emergency last weekend following a financially motivated Conti ransomware attack against his administration that has disrupted the govt. & economy of the Latin American country.
The threat actor has leaked data that it says was stolen in the breach & is threatening more govt.-targeted attacks.
Ministry of Finance
This attack, attributed to the prolific Conti ransomware group, occurred 3 weeks ago, shortly after Chaves assumed office; the State of Emergency was one of his 1st decrees as President. The 1st govt. agency attacked was the Ministry of Finance, which has been without digital services since April 18, according to a published report.
Other affected Costa Rican agencies include the Ministry of Labour & Social Security; the Ministry of Science, Innovation, Technology & Telecommunications; and the National Meteorological Institute. The full scope of the damage is not yet known.
Ransom of $10m
Conti demanded a ransom of $10m from Costa Rica’s govt. in exchange for not releasing information stolen from the Ministry of Finance, according to a published report.
Costa Rica has so far declined to pay, and on Mon. Conti updated its data-leak site with 97% of the 672GB of data that the group claims was stolen from Costa Rican govt. agencies, Bleeping Computer reported.
Russian-Speaking
Conti, a top-tier Russian-speaking ransomware group, is known as one of the most ruthless cyber gangs, taking a ‘take-no-prisoners’ approach and specialising in double extortion, in which attackers not only lock a victim’s files but also threaten to expose the stolen data, or use it for future attacks, if the victim doesn’t pay by a deadline.
Conti operates on a ransomware-as-a-service (RaaS) model, with a large network of affiliates & access brokers at its disposal to do its bidding. The group is also known to target organisations where attacks could have life-threatening consequences, e.g. hospitals, emergency number dispatch carriers, emergency medical services & law-enforcement agencies.
‘Demo Version’
The attack on Costa Rica could be a sign of more Conti activity to come: the group posted a message on its news site, addressed to the Costa Rican govt., saying that the attack is merely a “demo version.”
The group also claimed the attack was motivated solely by financial gain, while also expressing general political disgust, another sign that more govt.-directed attacks may follow.
Next-Level Incident
The incident demonstrates how a cyber-attack can potentially be as serious as a military action or a natural disaster, especially when it affects a developing nation like Costa Rica, a security professional observed.
“Costa Rica’s State of Emergency following an attack from Conti is an important rallying call to the rest of the world,” Silas Cutler, Principal Reverse Engineer for security firm Stairwell, wrote. “While the emergency status may have a limited direct impact … it puts the severity of this breach into the same category as a natural disaster or military incident.”
Double-Extortion
Double extortion, used not only by Conti but also by a number of other ransomware groups, can also embolden further ransomware attacks, because most targeted organisations will pay rather than risk the leak of sensitive data, which provides more incentive to threat actors, noted another security professional.
“It is a large reason why most victims are paying today,” observed Roger Grimes, Data-Driven Defence Evangelist for security firm KnowBe4.
Conti likely has the personal login credentials of every employee for any Costa Rican govt. site they visited while the ransomware was active on the system before it locked files, which poses a big problem for citizens using govt. services online if Conti has indeed leaked the information, he explained.
Compromised Domains
“If Costa Rica was hosting customer-facing websites in the compromised domains, like they likely were, their customers’ credentials, which are often reused on other sites & services the customers visit, are likely compromised, too,” Grimes stated.
“Not paying the ransom puts not only Costa Rica’s own services at risk, but those of their employees & customers.”
Last year the US city of Tulsa, OK, was on alert for potential cyber fraud after Conti leaked some 18,000 city files, mostly police citations, on the dark web following a ransomware attack on the city’s govt.
US Offering Aid
To help stop future attacks like this one, the US govt. revealed last week that it is offering a reward of up to $10m for information leading to the identification and/or location of any of the Conti group’s leaders.
The US will also offer up to $5m for information that leads to the arrest or conviction of anyone conspiring in a Conti ransomware attack.
So far, Conti has been responsible for 100s of ransomware incidents over the past 2 years, with over 1,000 victims paying more than $150m to the group, according to the FBI. This gives Conti the dubious honour of being the costliest ransomware strain ever documented, according to US federal authorities.
Cultural Change
While authorities hunt Conti, govts. can take a number of steps to prevent ransomware attacks, security professionals noted. One is to adopt a cultural change when it comes to cyber-security, observed Chris Clements, VP of Solutions Architecture at security firm Cerberus Sentinel.
Govts. should shift their focus from the historical mentality of cyber-security as an “IT cost centre” toward one that views it as “a culturally ingrained approach that identifies cyber-security investment, both in tools & people, as a critical strategic defensive shield,” he outlined.
“Until this changes, the problem of cyber-attack is going to get worse before it gets any better,” Clements observed.
Perimeter Reviews
Govts. can also take steps such as conducting ‘perimeter reviews’ to mitigate some of the methods Conti-affiliated access brokers use to infiltrate systems, Cutler suggested; this can better secure their perimeters & allow them to react faster to attacks.
Even this “will not fully prevent these types of attacks”, given the network of affiliates & access brokers that RaaS groups like Conti have available to breach systems, he concluded.