SAN JOSE, Costa Rica — Nearly a week into a ransomware attack that has crippled Costa Rican government computer systems, the country refused to pay a ransom as it struggled to implement workarounds and braced itself as hackers began publishing stolen information.
Although the Russian-speaking Conti gang took responsibility for the attack in Costa Rica, the Costa Rican government has not yet confirmed the origin of the incident.
Monday’s problems were first reported by the Finance Ministry. Numerous of the Finance Ministry’s systems were affected, from tax collection through importation and exportation processing through the customs agent. Attacks on the social security agency’s human resources system and on the Labor Ministry, as well as others followed.
The initial attack forced the Finance Ministry to shut down for several hours the system responsible for the payment of a good part of the country’s public employees, which also handles government pension payments. They also have to give extensions for tax payments.
Conti had not published a specific ransom amount, but Costa Rica President Carlos Alvarado said, “The Costa Rican state will not pay anything to these cybercriminals.” A figure of $10 million circulated on social media platforms, but did not appear on Conti’s site.
Costa Rican business owners worried about confidential information that was provided to the government and could be used against them. However, average Costa Rican citizens are concerned that their financial data could be used for fraudulent purposes.
Continue reading: Our Government’s Approach to Cybersecurity Is a Costly Mess. Here’s What Would Fix the Problem
Christian Rucavado, executive director of Costa Rica’s Exporters Chamber, said the attack on the customs agency had collapsed the country’s import and export logistics. He described a race against the clock for perishable items waiting in cold storage and said they still didn’t have an estimate for the economic losses. The trade was still going, but it was much slower.
“Some borders have delays because they’re doing the process manually,” Rucavado said. “We have asked the government for various actions like expanding hours so they can attend to exports and imports.”
His explanation was that Costa Rica usually exports products worth $38 million per day.
Allan Liska, an intelligence analyst with security firm Recorded Future, said that Conti was pursuing a double extortion: encrypting government files to freeze agencies’ ability to function and posting stolen files to the group’s extortion sites on the dark web if a ransom wasn’t paid.
This first problem can usually be solved if backups are available. The second, however, is harder depending on the sensitive nature of the stolen data.
Conti typically rents out its ransomware infrastructure to “affiliates” who pay for the service. Liska stated that the affiliate that attacked Costa Rica could come from anywhere, Liska added.
A year ago, a Conti ransomware attack forced Ireland’s health system to shut down its information technology system, cancelling appointments, treatments and surgeries.
Last month, Conti pledged its services in support of Russia’s invasion of Ukraine. This move upset cybercriminals that sympathize to Ukraine. A security researcher, who has been monitoring Conti for a long time, was compelled to release a huge cache of communications between some Conti workers.
Asked why Central America’s most stable democracy, known for its tropical wildlife and beaches, would be a target of hackers, Liska said the motivation usually has more to do with weaknesses. “They’re looking for specific vulnerabilities,” he said. “So the most likely explanation is that Costa Rica had a number of vulnerabilities and one of the ransomware actors discovered these vulnerabilities and was able to exploit it.”
Brett Callow, a ransomware analyst at Emsisoft, said he looked at one of the leaked files from the Costa Rican finance ministry and “there doesn’t seem to be much doubt that the data is legit.”
On Friday, Conti’s extortion site indicated it had published 50% of the stolen data. It said it included more than 850 gigabytes of material from Finance Ministry and other institutions’ databases. “This is all ideal for phishing, we wish our colleagues from Costa Rica good luck in monetizing this data,” it said.
That seemed to contradict Alvarado’s assertion that the attack was not about money.
“My opinion is that this attack is not a money issue, but rather looks to threaten the country’s stability in a transition point,” he said, referring to his outgoing administration and the swearing in of Costa Rica’s new president May 8. “They will not achieve it.”
Alvarado did allude to the possibility that the attack was motivated by Costa Rica’s public rejection of Russia’s invasion of Ukraine. “You also can’t separate it from the complex global geopolitical situation in a digitalized world,” he said.
This report was contributed by Frank Bajak, an AP journalist from Boston. Sherman was based in Mexico City.
Read More From Time