Conti Ransomware Gang Threatens to Overthrow Costa Rican Government
Rodrigo Chaves, Costa Rica’s new President, took office on May 8th and declared a national emergency only hours after being sworn in. The emergency was prompted by a ransomware attack that began weeks earlier, on April 12th, and has kept expanding since. “We are at war”, said Chaves, “and that’s not an exaggeration.” With 27 governmental organizations impacted, the severity of the cyberattack is comparable to that of a natural disaster or military incident. The culprit is the Russia-based Conti ransomware gang, which operates one of the most well-known and ruthless ransomware-as-a-service (RaaS) organizations in the world. A recent HALOCK Breach Bulletin reviewed their attacks on Shutterfly and Snap-on. Conti recently doubled its initial ransom demand from $10 million to $20 million and has now declared that its end goal is to overthrow the Costa Rican government. While cybersecurity experts don’t believe that is Conti’s real intention, an air of desperation is setting in on both sides as the attack has now been running for more than a month. The timing of the attack is believed to have been chosen to take advantage of the country’s transition of government, but it has also coincided with the country’s tax collection period, denying citizens the ability to complete their tax returns online. The attack has also disrupted foreign trade and customs operations.
|IDENTIFY INDICATORS OF COMPROMISE (IOC)|
The hackers initially infiltrated the network of the Finance Ministry on April 12th. Servers used for email, web hosting and application systems were all encrypted. Since April 18th the Treasury has been without digital services and has been completely reliant on performing all processes by hand. The hackers then expanded their attack to other departments, including the Labor and Social Security Ministry and the Ministry of Science, Technology and Telecommunications. The attack has also spread to other parts of the country: the electric company of a city of 160,000 people had its administrative systems encrypted and has suspended bill payment operations until the situation is resolved. The Conti group also stole an estimated 670 GB of files during the attack and has leaked 97% of it in stages since the attack began. They claim to have two accomplices who are government insiders, referring to one of them as UNC1756. Chaves confirmed his administration’s belief that some portions of the attack came from within.
|CONTAINMENT (If IoCs are identified)|
It is not known what steps the Costa Rican government has taken to thwart the attack. While it has hired data remediation specialists, there has been no word on what progress, if any, has been achieved. The U.S. State Department is offering a reward of up to $10 million for information leading to the identification or location of Conti’s leadership.
By now the internal network team should have been able to restore at least some of the encrypted data repositories to a productive state. Unfortunately, restoration is not safe until the network has been cleansed of the malware and the attackers’ unauthorized external access has been cut off. If the malware or the attackers’ foothold remains, restoration efforts are wasted, because the attackers can simply re-encrypt the restored data. In practice this often means shutting down all infected systems and rebuilding or cleaning one server at a time, then validating each one before it is allowed back onto the network. This is where bringing in an experienced incident response team can pay big dividends. Of course, data restoration is only possible if the backup system itself was protected: ransomware operators routinely hunt for and encrypt or delete backups before triggering the main payload. Best practices for securing backups include segmenting the backup system from the production network with a next-generation firewall appliance so that production hosts cannot initiate connections to it, keeping an offline (air-gapped) or otherwise immutable copy of every backup, and running the backup server with local administrator accounts rather than Active Directory accounts so that a compromised domain credential does not also grant access to the backups.
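The segmentation rule above can be made concrete on the backup server itself. The following nftables ruleset is an added example, not part of the original bulletin and not a configuration from the Costa Rican government or any vendor; it assumes a Linux backup host at 10.20.0.10, a production segment of 10.10.0.0/24, an admin jump host at 10.30.0.5, internal DNS and NTP at 10.30.0.53 and 10.30.0.123, and a backup agent listening on 10000/tcp on production hosts (all constructed addresses and ports). Backups are pulled by the backup server, so no production host is ever allowed to open a connection to it, and because the host is intentionally not domain-joined there is no rule for domain controller traffic.

```nftables
#!/usr/sbin/nft -f
# Added example: host firewall for a pull-based backup server.
# Constructed addresses; replace with your own before use.
#   10.20.0.10    backup server (this host)
#   10.10.0.0/24  production segment (never allowed to initiate to us)
#   10.30.0.5     admin jump host (SSH only)
#   10.30.0.53    internal DNS, 10.30.0.123 internal NTP
flush ruleset

table inet backup_isolation {
    chain input {
        type filter hook input priority 0; policy drop;

        # Replies to connections this host started (the backup pulls).
        ct state established,related accept
        ct state invalid drop
        iif "lo" accept

        # Administration only from the dedicated jump host.
        ip saddr 10.30.0.5 tcp dport 22 accept

        # Any connection attempt from production is logged and dropped:
        # a ransomware-infected production host must not reach the repository.
        ip saddr 10.10.0.0/24 log prefix "prod->backup denied: " drop
    }

    chain output {
        type filter hook output priority 0; policy drop;

        ct state established,related accept
        oif "lo" accept

        # The only traffic the backup server may initiate toward production
        # is to the backup agent port; no SMB, RDP, WinRM or LDAP.
        ip daddr 10.10.0.0/24 tcp dport 10000 accept

        # Name resolution and time sync via internal servers only.
        ip daddr 10.30.0.53 udp dport 53 accept
        ip daddr 10.30.0.123 udp dport 123 accept
    }
}
```

Load it with `nft -f backup-isolation.nft` and watch the kernel log for the `prod->backup denied:` prefix: any hit from a production address is itself an indicator worth investigating, since legitimate backup traffic is always initiated from the backup side. This ruleset only covers the network boundary; the offline copy and the local-account rule from the paragraph above still have to be applied separately.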
Organizations should have an incident response plan (IRP) in place that covers their data in the event of an attack. This is an essential part of an organization’s security controls, especially in the eyes of cyber insurance companies. Part of that strategy should be a current inventory of sensitive data, so that activity against it can be monitored and so that this valuable information is known to be backed up before ransomware strikes. Assess your risk profile and cyberattack readiness.