SAN JOSE, Costa Rica (AP) – Nearly a week after a ransomware attack crippled Costa Rican government computer systems, the country refused to pay a ransom as it struggled to implement workarounds and prepared as hackers began leaking stolen information.
The Russian-speaking Conti group claimed responsibility for the attack, but the Costa Rican government has not confirmed its origin.
The finance ministry first reported problems Monday. Many of its systems have been affected, from tax collection to import and export processes through the customs service. Attacks followed on the Human Resources Agency’s human resources system and the Ministry of Labor, as well as others.
The initial attack forced the Ministry of Finance to shut down the system responsible for the payment of a good part of civil servants, which also deals with the payment of state pensions, for a few hours. He also had to approve tax extensions.
Conti did not announce a specific ransom, but Costa Rican President Carlos Alvarado said: “The Costa Rican state will not pay anything to these cybercriminals.” The $ 10 million figure circulated on social media platforms, but did not appear on Conti’s page.
Costa Rican companies are concerned about confidential information given to the government that could be published and used against them, while average citizens are worried that personal financial data could be used to clean their bank accounts.
Allan Liska, an intelligence analyst at security firm Recorded Future, said Conti follows a double extortion: encrypting government files to freeze the agencies’ ability to function and posting stolen files to the blackmail group’s website if the ransom was not paid.
The first part can often be overcome if the systems have good backups, but the second is more complex depending on the sensitivity of the stolen data, he said.
Conti usually leases its ransomware infrastructure to “collaborators” who pay for the service. The branch attacking Costa Rica could be anywhere in the world, Liska said.
A year ago, a ransomware attack by Conti forced Ireland’s healthcare system to shut down its information technology system, canceling appointments, treatments and surgeries.
Last month, Conti pledged his services in support of Russia’s invasion of Ukraine. The move infuriated cyber criminals who favored Ukraine. It has also led a security researcher who has long monitored Conti to leak a huge amount of internal communications among some Conti operators.
Asked why the most stable democracy in Central America, known for its tropical wilderness and beaches, would be the target of hackers, Liska said that motivation usually has more to do with weaknesses. “They are looking for specific vulnerabilities,” he said. “So the most likely explanation is that Costa Rica had a number of vulnerabilities and that one of the ransomware actors discovered those vulnerabilities and was able to exploit them.”
Brett Callow, a ransomware analyst at Emsisoft, said he looked at one of the files leaked from the Costa Rican Treasury Department and “there doesn’t seem to be much doubt that the data is legitimate.”
On Friday, Conti’s extortion page said it had released 50% of the stolen data. It is said to include more than 850 gigabytes of material from the databases of the Ministry of Finance and other institutions. “This is all ideal for phishing, we wish our colleagues from Costa Rica good luck in monetizing this data,” it is stated.
This seemed to contradict Alvarad’s claim that the attack was not for money.
“My opinion is that this attack is not a question of money, but of threatening the country’s stability at the transition point,” he said, referring to his outgoing administration and the swearing-in of the new president of Costa Rica on May 8. “They will not achieve.”
Alvarado alluded to the possibility that the attack was motivated by the public rejection of Costa Rica’s Russian invasion of Ukraine. “You also can’t separate that from the complex global geopolitical situation in the digital world,” he said.
__
AP writer Frank Bajak of Boston contributed to this report. Sherman reported from Mexico City.
Copyright 2022. The Associated Press. All rights reserved. This material may not be published, broadcast, transcribed or distributed without permission.
Comments are closed.