Costa Rica chaos a warning that the ransomware threat remains
WASHINGTON (AP) — Teachers unable to get paychecks. Tax and customs systems paralyzed. Health officials cannot access medical records or track the spread of COVID-19. The president of a country declares war on foreign hackers saying they want to overthrow the government.
For two months now, Costa Rica has been reeling from unprecedented ransomware attacks that are disrupting the daily life of this Central American country. It’s a situation that raises questions about the role of the United States in protecting friendly nations from cyberattacks when Russia-based criminal gangs target less-developed countries in ways that could have major global repercussions.
“Today it’s Costa Rica. Tomorrow it could be the Panama Canal,” said Belisario Contreras, a former cybersecurity program manager at the Organization of American States, referring to the major sea lane in Central America that carries a large amount of U.S. import and export traffic.
Last year, cybercriminals launched ransomware attacks in the United States that forced the closure of an oil pipeline that supplies the East Coast, halted production at the world’s largest meat processing company and compromised a major software company with thousands of customers worldwide.
The Biden administration responded with comprehensive government action including diplomatic, law enforcement, and intelligence efforts aimed at pressuring ransomware operators.
Since then, ransomware gangs have moved away from “big game” targets in the United States in pursuit of victims unlikely to elicit a strong US response.
“They’re still prolific, they make huge amounts of money, but they just don’t make the headlines every day,” said Eleanor Fairford, deputy director of the UK’s National Cyber Security Centre, at a recent US ransomware conference.
It’s hard to keep up with trends in ransomware attacks, in which criminals encrypt victims’ data and demand payment to restore it. NCC Group, a British cybersecurity company that tracks ransomware attacks, said the number of ransomware incidents per month so far this year was higher than it was in 2021. The company noted that the CL0P ransomware group, which has aggressively targeted schools and healthcare organizations, has resumed operations after effectively shutting down for several months.
But Rob Joyce, the director of cybersecurity at the National Security Agency, has said publicly that there has been a decrease in the number of ransomware attacks since Russia invaded Ukraine, owing to concerns about cyberattacks and to new sanctions that make it more difficult for Russia-based criminals to move money.
The ransomware gang known as Conti launched the first attack on the Costa Rican government in April and demanded a payment of $20 million, prompting newly installed President Chaves Robles to declare a state of emergency as the tax and customs offices, utilities and other services were taken offline.
“We are at war and that is no exaggeration,” he said.
Later, a second attack, attributed to a group known as Hive, knocked out the public health department and other systems. Individual prescription information is offline and some workers have gone weeks without their paycheque. This has caused significant difficulties for people like Alvaro Fallas, a 33-year-old teacher.
“I live with my parents and my brother and they depend on me,” he said.
In Peru, Conti also attacked the country’s intelligence agency. The gang’s dark web extortion site publishes allegedly stolen documents along with the agency’s information, such as a “secret” market document that details coca eradication efforts.
Experts believe that developing countries like Costa Rica and Peru will remain particularly ripe targets. These countries have invested in digitizing their economies and systems, but do not have defenses as sophisticated as wealthier nations.
Costa Rica has long been a stable force in a region often known for upheaval. It has a long democratic tradition and well-run government services.
Paul Rosenzweig, a former senior DHS official and cyber consultant who is now a legal resident of Costa Rica, said the country presents a test case for exactly what the US government owes to friendly and allied governments that fall victim to disruptive ransomware attacks. While an attack on a foreign country may not directly impact U.S. interests, the federal government still has a strong interest in limiting how ransomware criminals can disrupt the global digital economy, he said.
“Costa Rica is a perfect example because it’s the first,” Rosenzweig said. “No one has ever seen a government attacked before.”
So far, the Biden administration has said little publicly about the situation in Costa Rica. The United States provided technical assistance through its Cyber and Infrastructure Security Agency, through an information-sharing program with countries around the world. And the State Department offered a reward for the arrest of the Conti members.
Eric Goldstein, executive assistant director of cybersecurity at CISA, said Costa Rica had a computer emergency response team that had an established relationship with counterparts in the United States before the incidents. His agency is also expanding its international presence by creating its first overseas attaché post in the UK, and it is planning others in places that have not yet been specified.
“If we think about our role, CISA and the US government, it is inherently of course to protect US organizations. But we intuitively know that the same threat actors are using the same vulnerabilities to target victims around the world,” he said.
Conti is one of the most prolific ransomware gangs currently in operation and has hit over 1,000 targets and received over $150 million in payouts in the past two years, according to FBI estimates.
Early in the invasion of Ukraine, some Conti members pledged on the group’s dark website to “use all our resources possible to retaliate against an enemy’s critical infrastructure” if Russia were attacked. Shortly after, sensitive chat logs that appear to belong to the gang were leaked online, some of which appeared to show links between the gang and the Russian government.
Some cyber threat researchers say Conti may be rebranding and that its attack on Costa Rica may be a publicity stunt to provide a plausible story for the group’s demise. Ransomware groups that receive a lot of media attention often disappear, only to have their members reappear later under a new name.
On its dark web site, Conti has denied this is the case and continues to publish victims’ files. The gang’s most recent targets include a municipal parks department in Illinois, a manufacturing company in Oklahoma, and a food distributor in Chile.