Agencies of the Costa Rican government have been hit so badly by the Conti ransomware that the incoming president immediately declared a state of emergency, giving the country expanded law enforcement powers to go after the criminals. The US has also stepped in to support its ally, offering millions of dollars in bounties to anyone who can point the way to a Conti organizer.
National emergency for Costa Rican government, reward pool offered for assistance
The bounties offered for information about the Conti ransomware gang come from the US State Department, which is making a total of $15 million available. $10 million is set aside for identification of group leaders, and $5 million is up for information leading to the arrest of anyone involved with a Conti ransomware attack.
Ransomware has been out of control for years now, and there are no signs that criminal gangs are slowing down in spite of enhanced law enforcement efforts to track down the groups that create the biggest problems for national governments. Core members of one group often escape these campaigns, emerging months later as part of some new group. Large bounties are quickly becoming a regular part of the toolbox used to identify these individuals and incarcerate them.
The Conti ransomware group is a prime example of what happens when group leaders are not apprehended. The gang has been increasingly brazen in intentionally causing real world harm with its target selection, going after the likes of critical infrastructure companies and the health care field. The internal structure is highly organized, to the point of reflecting the structure of a legitimate corporation, and the group often disperses its work among remote contractors who handle pieces of an attack so small that they cannot be sure they are involved in one. It is thus unsurprising that a Conti affiliate is willing to go far enough to cause a national emergency to be declared.
Devastating Conti ransomware attack on Costa Rican government agencies causes serious financial issues
The chain of attacks on Costa Rican government agencies began on April 17, quickly turning into a true national emergency. Conti ransomware made its way onto the servers of the finance and labor ministries as well as the organization that handles the country’s Social Security program and family welfare programs. Some online functions of the Treasury, such as tax payments, were also impacted by Conti ransomware.
Conti operates on an affiliate model, and this particular affiliate (“unc1756”) is also suspected in other attacks on government servers including a theft of intelligence materials from Peru. The attacker has already leaked information stolen from Costa Rica to the Conti ransomware dark web portal after the former president of the country refused to pay its $10 million ransom demand. The leaked data reportedly contains stolen databases and source code.
The focus on national government agencies might immediately raise suspicions of espionage, but Conti ransomware affiliates have become famous for quickly exploiting new vulnerabilities as they are published and being indiscriminate in who they attack. The perpetrator behind Costa Rica’s national emergency is at least as likely to be a basic criminal outfit as it is a state-backed threat actor.