For the last two months, Costa Rica has been under siege. Two major ransomware attacks have crippled many of the country’s essential services, plunging the government into chaos as it struggles to respond. Officials say international trade ground to a halt as the ransomware took hold, more than 30,000 medical appointments have been rescheduled, and tax payments have also been disrupted. Millions were lost due to the attacks, and employees at affected organizations turned to pen and paper to get things done.
Costa Rica’s government, which changed hands amid the attacks following an election earlier this year, declared a “national state of emergency” in response to the ransomware — marking the first time a country has done so in response to a cyber attack. Twenty-seven government agencies were targeted in the first attacks, which lasted from mid-April to early May, according to new President Rodrigo Chaves. The second attack, in late May, sent Costa Rica’s health care system into a tailspin. Chaves has declared “war” on those responsible.
At the heart of the hack is Conti, the notorious Russian-linked ransomware gang. Conti claimed responsibility for the first attack on the Costa Rican government and is believed to have some ties to the Hive ransomware operation that was responsible for the second attack, the one affecting the healthcare system. Last year, Conti extorted more than $180 million from its victims, and it has a history of targeting healthcare organizations. In February, however, thousands of the group’s internal messages and files were released online after it backed Russia’s war on Ukraine.
Even among Conti’s long list of more than 1,000 ransomware attacks, the ones against Costa Rica stand out. They mark one of the first times a ransomware group has explicitly targeted a national government, and in the process Conti unusually called for the Costa Rican government to be overthrown. “This is probably the most significant ransomware incident to date,” says Emsisoft threat analyst Brett Callow. “I can’t recall another instance where an entire federal government has been held to ransom like this—this is a first; it’s pretty unprecedented.”
What’s more, researchers suggest that Conti’s brazen actions may simply be a callous display undertaken to draw attention to the group as it sheds its toxic brand and its members move on to other ransomware operations.
“State of National Emergency”
The first ransomware attack against the Costa Rican government began the week of April 10. Throughout the week, Conti probed the systems of the Ministry of Finance, known as the Ministerio de Hacienda, explained Jorge Mora, former director of the Ministry of Science, Innovation, Technology and Telecommunications (MICIT), which helped respond to the attacks. By the early hours of April 18, files at the finance ministry were encrypted and two key systems were crippled: the digital tax office and the customs control IT system.
“They affect all of the country’s export/import services for products,” said Mora, who left the government on May 7, before the change of administration. Mario Robles, CEO and founder of Costa Rican cybersecurity company White Jaguars, estimated that “several terabytes” of data and more than 800 servers at the Ministry of Finance were affected. Robles says his company was involved in the response to the attacks, but he could not say which organizations it worked with. (The Ministry of Finance did not respond to WIRED’s request for comment.)
“The private sector was very affected,” says Mora. Local reports say import and export firms have faced a shortage of shipping containers, with estimated losses ranging from $38 million a day to $125 million in 48 hours. “The outage paralyzed the country’s imports and exports, greatly impacting trade,” said Joey Milgram, Costa Rica manager at cybersecurity company Soluciones Seguras. “After 10 days, they implemented a manual import form, but it takes a lot of paperwork and a lot of days to process,” Milgram adds.