November 16, 2022 By Jonathan Reed 2 min read

In late April, after weeks of major ransomware attacks, Costa Rica declared a state of emergency. Newly-elected President Rodrigo Chaves took this measure, usually reserved to deal with natural disasters, to free up the government to react more decisively to the incident. The Russian-based Conti gang has claimed they launched the attack.

Meanwhile, the U.S. Department of State offered a $10 million reward for information that leads to finding anyone holding a key leadership role in the Conti gang. The U.S. also offered $5 million for “information leading to the arrest and/or conviction of any individual in any country conspiring to participate in or attempting to participate in a Conti variant ransomware incident.”

At war with the Conti gang

Chaves declared that his country was “at war” with the attackers. This may not be too far off. Reportedly, in a message posted to its darknet blog, Conti urged Costa Ricans to pressure their government to pay a $20 million ransom. In another post, Conti warned: “We are determined to overthrow the government by means of a cyberattack, we have already shown you all the strength and power.”

Beyond the digital attack, old-fashioned spying may also be at play. Chaves stated that actors within the country had also worked with Conti in the attack.

No ransom paid

The Costa Rica government refused to pay the ransom and has scrambled to get systems and services back online. The Costa Rican Treasury told civil servants that the attack had halted automatic payment services. Workers were warned the government was unable to pay them on time. Instead, they would need to apply for their salaries by email, or by hand on paper. The attack also affected the country’s foreign trade. It disrupted its tax and customs systems, which led to import and export logistics collapse.

Download the Definitive Guide to Ransomware

Why Costa Rica?

Many people have speculated about why the attackers targeted Costa Rica. Some believe it was due to the country siding with Ukraine in its war with Russia, said Security Week. Others think the motives are purely financial or related to Costa Rica’s recent presidential election. Meanwhile, other smaller countries worry that this could be the start of a trend.

Rather than target large nations, threat actors may begin to attack smaller countries. This may occur since small countries may not have as many resources to thwart an attack. Also, their capacity to retaliate may be limited compared to larger countries such as the United States or European nations.

Ransomware damage done

Ransomware analyst Brett Callow said he looked at some of the leaked files from the Costa Rican finance ministry and “there doesn’t seem to be much doubt that the data is legit.”

Conti’s extortion site indicated it had published 50% of the stolen Costa Rican government data,  including 850 gigabytes of material from the Finance Ministry and other institutions’ databases.

Learn about malware prevention

If you have questions and want a deeper discussion about the malware and prevention techniques, you can schedule a briefing here. Get the latest updates as more information develops on the IBM Security X-Force Exchange and the IBM PSIRT blog. If you are experiencing cybersecurity issues or an incident, contact X-Force to help: U.S. hotline 1-888-241-9812 | Global hotline (+001) 312-212-8034. More cybersecurity threat resources are available here.

More from News

New memo reveals Biden’s cybersecurity priorities through fiscal year 2026

2 min read - On July 10, 2024, the White House released a new memo regarding the Biden administration’s cybersecurity investment priorities, initially proposed in July 2022. This new memorandum now marks the third time the Office of the National Cyber Director (ONCD), headed by Harry Coker, has released updated priorities and outlined procedures regarding the five core pillars of the National Cybersecurity Strategy Implementation Plan (NCSIP), now relevant through fiscal year 2026. Key highlights from the FY26 memorandum In the latest annual version…

Hackers are increasingly targeting auto dealers

3 min read - Update as of July 11, 2024 In late June, more than 15,000 car dealerships across North America were affected by a cyberattack on CDK Global, which provides software to car dealers. After two cyberattacks over two days, CDK shut down all systems, which caused delays for car buyers and disruptions for the dealerships. Many dealerships went back to manual processes, including handwriting up orders, so that sales could continue at a slower pace. Car buyers who recently bought a car from…

CISA director says banning ransomware payments is off the table

3 min read - The FBI, CISA and NSA all strongly advise against organizations making ransomware payments if they fall victim to ransomware attacks. If so, why not place a ban on paying ransomware demands? The topic came up at a recent Oxford Cyber Forum. Jen Easterly, Director of CISA, commented on the issue, saying, “I think within our system in the U.S. — just from a practical perspective — I don’t see it happening.” It’s unlikely this was a purely spontaneous remark as the…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today