The spate of ransomware attacks on critical infrastructure companies in 2021 was seen as a major escalation by cyber criminal groups. The Conti ransomware gang appears to be attempting to skip several steps by threatening to overthrow the government of Costa Rica, having established a presence throughout its national agencies.
The threat is almost certainly hollow, but it showcases the boldness with which major ransomware groups are operating even after international law enforcement operations took out previous line-crossers REvil and DarkSide among others.
Conti ransomware group leverages unique situation in Costa Rica to make unprecedented threats
The incident began when the Conti ransomware infected servers throughout the Costa Rican government in mid-April, hitting the departments of finance and labor along with a variety of social services. The US State Department said that the attack had a “severe” impact on the country’s international trade, and has also crippled some domestic services.
Part of the severity of the disruption is due to it hitting in the midst of a change in presidential administrations. The attack first happened under the watch of former president Carlos Alvarado Quesada, who refused to pay the Conti ransomware group’s demand of $10 million. Incoming president Rodrigo Chaves and his administration stepped into the situation with stolen data from government agencies already being leaked to the Conti ransomware dark web portal in retaliation for the refusal.
The Conti ransomware gang has since increased its demand to $20 million, and added a threat to overthrow the government if it is not paid. It did not get into specifics about how this would actually play out, but did claim that it had “insiders” in the country and that it was working on gaining access to the remainder of the government’s systems.
For its part, the Chaves administration appears to be taking the threat seriously, saying that the country was “at war” with both internal and external forces in the incident. The administration suggested that the Conti ransomware gang might be collaborating with terrorist elements inside the country, though Costa Rica does not have a history of terrorist attacks and it is unclear who these parties might be.
The Chaves administration also indicated that the Conti ransomware problem has spread, impacting more government agencies and offices than previously revealed (27 total) including some local municipality governments and state-run utility companies. It also blamed the prior administration for failing to invest in cybersecurity and for not taking the incident more seriously during its final weeks in power.
While the Conti ransomware group’s threat to overthrow the government is extremely unlikely to materialize, the criminals did claim that they would delete the decryption keys if the $20 million ransom was not paid by May 21.
Raj Dodhiawala, president of Remediant, points out that this attack is a vital demonstration of the need to assume that a breach will happen at some point and secure internally against lateral movement: “Conti ransomware attacks that have afflicted Costa Rica are just the latest examples of why it’s critical to stop cyber attack techniques such as lateral movement. While Conti ransomware relies on stolen credentials, privilege escalation and lateral movement, these attacks cannot succeed without moving laterally across various systems. Once the attacker compromises a system, they move laterally to find and grab the ‘crown jewels’ and hold the organization at ransom. What’s frightening about this attack is that the attacker can simply keep expanding their credential abuse by virtue of remaining undetected on the network or by coming back in with stolen credentials … I cannot stress this enough: all organizations, vendors and government agencies that oversee critical infrastructure need to be on high alert and remove any unnecessary privileges across the systems by implementing the Zero Standing Privilege strategies, which is effective even in the midst of responding to the ransomware incident.”
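The quote above turns on one observable: an attacker who has a working credential has to use it against many systems in quick succession to find the "crown jewels". The following Python script is an added example, not code from the article or from Remediant, showing what a simple detection for that pattern looks like when run over constructed logon records (the log lines, host names, the 10-minute window and the five-host threshold are all assumptions made for the illustration, loosely modelled on Windows Security event 4624 with network and remote-interactive logon types).

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (not from the Costa Rica incident), loosely modelled on
# Windows Security event 4624 (successful logon). LogonType 3 = network, 10 = remote
# interactive, 2 = local console. 4625 is a failed logon and is ignored here.
SAMPLE_EVENTS = [
    "2022-04-18T09:00:01 EventID=4624 LogonType=3 Account=svc-backup Source=10.0.5.12 Target=FIN-SRV01",
    "2022-04-18T09:00:40 EventID=4624 LogonType=3 Account=svc-backup Source=10.0.5.12 Target=FIN-SRV02",
    "2022-04-18T09:01:15 EventID=4624 LogonType=10 Account=svc-backup Source=10.0.5.12 Target=HR-SRV01",
    "2022-04-18T09:02:03 EventID=4624 LogonType=3 Account=svc-backup Source=10.0.5.12 Target=LAB-SRV03",
    "2022-04-18T09:02:50 EventID=4624 LogonType=3 Account=svc-backup Source=10.0.5.12 Target=SOC-SRV01",
    "2022-04-18T09:03:30 EventID=4624 LogonType=3 Account=svc-backup Source=10.0.5.12 Target=DC01",
    "2022-04-18T09:04:00 EventID=4625 LogonType=3 Account=svc-backup Source=10.0.5.12 Target=DC02",
    "2022-04-18T09:05:00 EventID=4624 LogonType=2 Account=alice Source=10.0.7.3 Target=WS-ALICE",
    "2022-04-18T09:06:00 EventID=4624 LogonType=3 Account=alice Source=10.0.7.3 Target=FILE-SRV01",
    "2022-04-18T09:07:00 EventID=4624 LogonType=3 Account=alice Source=10.0.7.3 Target=PRINT-SRV01",
    "2022-04-18T08:00:00 EventID=4624 LogonType=3 Account=bob Source=10.0.7.9 Target=FIN-SRV01",
    "2022-04-18T08:30:00 EventID=4624 LogonType=3 Account=bob Source=10.0.7.9 Target=FIN-SRV02",
    "2022-04-18T09:00:00 EventID=4624 LogonType=3 Account=bob Source=10.0.7.9 Target=HR-SRV01",
    "2022-04-18T09:30:00 EventID=4624 LogonType=3 Account=bob Source=10.0.7.9 Target=LAB-SRV03",
    "2022-04-18T10:00:00 EventID=4624 LogonType=3 Account=bob Source=10.0.7.9 Target=SOC-SRV01",
    "2022-04-18T10:30:00 EventID=4624 LogonType=3 Account=bob Source=10.0.7.9 Target=DC01",
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) LogonType=(?P<lt>\d+) "
    r"Account=(?P<acct>\S+) Source=(?P<src>\S+) Target=(?P<dst>\S+)$"
)

# Assumption: only network / remote-interactive logons count as host-to-host movement.
REMOTE_LOGON_TYPES = {3, 10}


def parse_event(line):
    """Parse one constructed log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "event_id": int(m["eid"]),
        "logon_type": int(m["lt"]),
        "account": m["acct"],
        "source": m["src"],
        "target": m["dst"],
    }


def detect_lateral_movement(lines, max_hosts=5, window_minutes=10):
    """Return {account: sorted distinct targets} for every account that successfully
    logged on to at least `max_hosts` distinct hosts within any span of
    `window_minutes`. Thresholds are illustrative assumptions, not a vendor rule."""
    per_account = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev["event_id"] != 4624 or ev["logon_type"] not in REMOTE_LOGON_TYPES:
            continue
        per_account[ev["account"]].append((ev["ts"], ev["target"]))

    window_seconds = window_minutes * 60
    flagged = {}
    for account, events in per_account.items():
        events.sort()
        best = set()
        start = 0
        # Sliding window over time-ordered events: keep the largest qualifying host set.
        for end, (ts, _) in enumerate(events):
            while (ts - events[start][0]).total_seconds() > window_seconds:
                start += 1
            targets = {t for _, t in events[start:end + 1]}
            if len(targets) >= max_hosts and len(targets) > len(best):
                best = targets
        if best:
            flagged[account] = sorted(best)
    return flagged


if __name__ == "__main__":
    for account, hosts in detect_lateral_movement(SAMPLE_EVENTS).items():
        print(f"{account}: {len(hosts)} hosts in window -> {', '.join(hosts)}")
```

With the defaults only svc-backup is flagged: six hosts in under four minutes, the failed logon to DC02 excluded. alice touches two servers and stays below the threshold, and bob reaches the same six hosts but over two and a half hours, so a ten-minute window never sees more than one of his logons; widening the window to three hours flags him too, which is the usual tuning trade-off between catching slow movement and drowning in service-account noise. A service account that legitimately needs to reach many hosts is exactly the standing privilege the quote argues should be removed or time-boxed, since it is indistinguishable from an attacker reusing its credential.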
Could cyber criminals overthrow a government?
Costa Rica seems a uniquely unlikely place for a ransomware attack to trigger a government overthrow; the country has been regarded as a very stable democracy for many years, last had a coup in 1917, and has no military with which a coup might be carried out.
The Conti ransomware gang is likely trying to drum up as much fear and pressure as possible by being grandiose in their statements, and is only concerned with getting the $20 million payout it has asked for. However, if the group is penetrating further into government systems and critical infrastructure controls, it could cause even more destruction than it has (with current damage largely limited to inability to issue or receive certain types of payments).
The US State Department has come to the aid of Costa Rica by offering a total of $15 million in bounties for the identification and arrest of leading members of the Conti ransomware group.
Conti has become one of the world’s largest cyber criminal enterprises as rivals like REvil and DarkSide have been scattered by major law enforcement campaigns against them. The Conti ransomware was first seen in use in 2020 and is believed to have sprung from the same group that created the Ryuk ransomware, which rampaged through Windows systems around the world from 2018 to 2020 (and is still sometimes seen in the wild). Like Ryuk, Conti attacks all versions of Windows, and the group behind it is highly structured and businesslike in its operations. In the past two years the Conti ransomware is thought to have racked up $150 million in payments for its operators, who run it on an affiliate model; the group is now the most damaging ransomware operation in history in terms of financial loss caused.