It's not been plain sailing recently for Conti ransomware, the Ransomware as a Service (RaaS) group with several major attacks under its belt. In August last year, a pen tester leaked valuable manuals and documentsrelated to the operation. These leaks continuedas the Conti gang expressed support for the Russian Government in the midst of their invasion.
Elsewhere, researchers gained access to a ransomware server and the owners eventually pulled Conti's infrastructureoffline for two days. To top it off, an offshoot based on leaked source code is targeting Russian organisationswith this rather unambiguous message:
By now it's probably painfully apparent that your environment has been infected with ransomware. You can think Conti for that...your President should not have committed war crimes. If you're searching for someone to blame for your current situation look no further than Vladimir Putin.
In short, it's quite the volatile situation. As offshoots butt heads against the public support for Russia coming from the Conti gang, the ransomware organisation is increasingly becoming the digital public enemy number one in Costa Rica.
Going toe to toe with Conti
Conti ransomware has been causing major problems in Costa Rica since at least April, with several important agencies impacted by outbreaks, which according to Bleeping Computerincludes:
- Costa Rican Social Security Fund
- Administrative Board of the Electrical Service of the province of Cartago
- Radiographic Costarricense
- The Ministry of Science, Innovation, Technology, and Telecommunications
- National Meteorological Institute
On top of this, there also exists a 672GB dump of data which may include data from multiple compromised Government agencies. The message accompanying the leak reads as follows:
It is impossible to look at the decisions of the administration of the President of Costa Rica without irony, all this could have been avoided by paying you would have made your country really safe, but you will turn to Biden and his henchmen...no government of other countries has finalised this attack, everything was carried out by me with a successful affiliate. The purpose of this attack was to earn money, in the future I will definitely carry out attacks of a more serious format with a larger team.
Little wonder, with all of this happening, that Costa Rica is on high alert.
Embattled services struggle with outbreaks
As this articlepoints out, the Treasury alone has been without any form of digital service for three weeks. It's also unclear at this time if tax payer information has been stolen. This has meant a return to physical procedures as opposed digital. As we've seen previously where Conti is concerned, any move away from digital to physical can result in all manner of problems.
Counting the cost
Make no mistake, the attacks have been varied and relentless. Last month, the administrative systems of a government agency managing electricity in Cartago were encrypted and rendered useless. That's roughly 160,000 people potentially impacted in one go. A cool $10m was demanded as a ransom during the attack on the finance ministry. This attack is claimed to have caused losses of $200m.
Little wonder, then, that the US State Department has offered up to $10m for information on the Conti group. If you're able to identify key individuals in the group, you may well be in for a significant payday. On top of that, there's an additional $5m in relation to arrests/convictions for affiliates.
As the release notes:
The FBI estimates that as of January 2022, there had been over 1,000 victims of attacks associated with Conti ransomware with victim payouts exceeding $150,000,000, making the Conti Ransomware variant the costliest strain of ransomware ever documented. In April 2022, the group perpetrated a ransomware incident against the Government of Costa Rica that severely impacted the country’s foreign trade by disrupting its customs and taxes platforms. In offering this reward, the United States demonstrates its commitment to protecting potential ransomware victims around the world from exploitation by cyber criminals.
It appears the game is most definitely afoot. Will anyone actually be able to bring the group and affiliates to justice before another major attack? Based on what we've seen so far, the answer for the time being is almost certainly not.