Jorge Mora, Costa Rica’s digital governance chief, received a message in April from one of his officials: “We couldn’t contain it and they’ve encrypted the servers. We’ve disconnected the entire ministry.”
He was being updated on a harrowing cyber-assault by a notorious Russian ransomware group called Conti, which started at the Central American country’s ministry of finance and eventually ensnared 27 different ministries in a series of interlinked attacks that unfurled over weeks.
The attack was “impressive in its scope”, according to one western official. Usually, hackers manage to gain access to single systems but Costa Rica’s case highlights the risk posed by weak cyber security to a nation’s entire IT infrastructure. In Costa Rica, Conti had spent weeks, if not months, of tunnelling around in its government systems, leaping from one ministry to the other.
Conti offered to return the data: at a price of up to $20mn. But Costa Rica’s government refused to pay the ransom. Instead, newly installed President Rodrigo Chaves declared a national emergency, launched a hunt for alleged “traitors” and leaned on tech savvier allies such as the US and Spain to come to its aid.
“We are at war, and that is not an exaggeration,” Chaves said in the days after his inauguration in mid-May, blaming the prior administration for hiding the true extent of the disruption, which he compared to terrorism.
The stand-off left parts of Costa Rica’s digital infrastructure crippled for months, paralysing online tax collection, disrupting public healthcare and the pay of some public sector workers.
In the meantime, Costa Rica’s shadowy tormentors were themselves a spent force, victims of geopolitical rivalries in the hacking world that had been inflamed by the war in Ukraine. After declaring its support for the Russian invasion on Feb 24, the group was betrayed by one of its insiders, purportedly a Ukrainian hacker-for-hire, who leaked their toolkits, internal chats and other secrets online in retaliation.
While Costa Rica continues to deal with the consequences of the cyber attack, much of Conti had melted away after the leak, according to Toby Lewis, head of threat analysis at Darktrace, a cyber security firm.
“In the beginning of 2022, we were set for another year for a group like Conti in their hey day, making quite significant sums of money,” Lewis said. “When Russia invaded Ukraine, that all ended. Backing Russia, was in business terms, the worst decision they could have ever made.”
Conti’s most impactful attack turned out to be its last. By the end of June, Conti’s public-facing website, where it had taunted Costa Rica and other victims, was shut down, and so was its dark-web negotiations site, security researchers said.
As the attacks unfolded, Mora said his team slept barely four hours a night for nearly a month to slow the hackers’ progress through other ministries. Spain sent over its own ransomware protection software MicroClaudia, which was developed by its National Cryptologic Centre.
The US sent over teams to assist, with donated software and expertise from Microsoft, IBM and Cisco, and the US state department offered a bounty up to $15mn to bring Conti or its supporters to justice.
Rejecting Chaves’ criticism, Mora said that without their pace of work and co-operation after the attack, “we would have had 50 cases like the finance ministry”.
But Costa Rica’s efforts to regain control of their IT systems came alongside Conti’s demise, further complicating their efforts. One western official who has been briefed on the investigations, said that even if Chaves had agreed to pay the ransom, which varied from $20mn to as low as $1mn, it’s “not clear who was on the other end of the line. By June, nobody was answering the phone, figuratively speaking.”
“Conti in Costa Rica was somewhat of a desperate last try to gain any sort of title, some buzz around their actions,” said Shmuel Gihon, a security researcher at Israel-based Cyberint.
Once estimated at some 400 hackers plus an unknown number of affiliates who were renting their toolkit — who in 2021 had yielded the Russian hacking affiliate hundreds of millions of dollars in cryptocurrency from at least 600 targets — Conti was soon down to a few dozen just weeks after the Costa Rica attack.
But there are signs it is regrouping in different guises. This includes a group called BlackBasta, which within months of emerging has hit 50 organisations. Security researchers say the speed of its attacks suggest deserters from Conti had taken their knowledge of their victim’s IT infrastructure with them to BlackBasta.
Meanwhile, Costa Rica continues to grapple with the consequences of the April hack. As in all successful ransomware attacks, there is no way to decrypt its own data without a key from its attackers — most systems have to be rebuilt from scratch, with backups scoured to make sure they do not include the original malware. That process can take months, if not a year or two.
Until recently, the country’s customs systems had to resort to using paper and email, slowing down the entire process, said Monica Segnini, president of Grupo Desacarga, a company that provides import and export services.
“It means you pay more for containers that have to sit for days on patios that hadn’t been used in years,” she said, adding that the company was paying its corporate taxes voluntarily but there were no controls. “We’re operating in a grey area.”
A senior government official said many of the finance ministry’s systems have now been restored, including customs and salaries.
For Costa Ricans such as Alejandra, 65, who suffers from impaired mental ability, medical treatment is being delayed, her husband said in an interview. Doctors cannot access her prior MRI, and now must wait until they have access it, he said.
Zulma Monge, a science teacher and academic co-ordinator at a technical college in a low-income district in the north-east of the city, is being paid 400,000 colons less than she is owed because the system cannot handle overtime.
She is using her savings to pay for her two children’s schooling and her own second degree costs. “This had never happened before,” she said, “In the [ministry] they aren’t giving us answers about when the money owed will be paid.”
The process of preventing further attacks has not been entirely smooth either, admitted Carlos Alvarado Briceño, the minister in charge of Science, Innovation, Technology and Telecommunications.
Another hacking group called Hive attacked the country’s social security services — the Spanish government’s defensive software had barely been deployed, with only 13 units of 20,000 installed.
“Obviously the president was worried, and he was very annoyed too . . . we already had at least some tools to be able to contain it and it didn’t happen,” Alvarado Briceño said. “Our country hadn’t in the past taken this topic as seriously as required. What is the lesson learned? Don’t skimp on having the necessary cyber security in all institutions.”