On Sunday, May 8th, newly-elected Costa Rican President Rodrigo Chaves declared a national emergency following cyber-attacks from the Conti Ransomware group on multiple government bodies.
"The attack that Costa Rica is suffering from cybercriminals, cyberterrorists is declared a national emergency and we are signing this decree, precisely, to declare a state of national emergency in the entire public sector of the Costa Rican State and allow our society to respond to these attacks as criminal acts," said the President, accompanied by Minister of the Presidency, Natalia Díaz, and the Minister of Science, Innovation, Technology and Telecommunications (Micitt), Carlos Alvarado.
"We signed the decree so that the country can defend itself from the criminal attack that cybercriminals are making us. That is an attack on the Homeland and we signed the decree to have a better way of defending ourselves," added President Chaves.
The Conti group had originally claimed the ransomware attack against Costa Rican government entities last month, demanding a $10 million ransom from the Costa Rican Finance Ministry (the first public body to have suffered damage from Conti’s cyber attack). The ministry refused to pay the ransom, though it still has not fully evaluated the scope of the security incident or to what extent taxpayers' information, payments, and customs systems have been impacted.
According to Bleeping Computer, Conti’s data leak site was updated yesterday to state that the group had leaked 97% of the 672 GB data dump allegedly containing information stolen from the government agencies. Based on Bleeping Computer’s preliminary analysis of a small subset of the leaked samples on Conti’s site, the data contains source code and SQL databases that appear to be from government websites. Conti’s leak site currently includes a list of the following government bodies affected by the attack:
- The Costa Rican Finance Ministry, Ministerio de Hacienda
- The Ministry of Labor and Social Security, MTSS
- The Social Development and Family Allowances Fund, FODESAF
- The Interuniversity Headquarters of Alajuela, SIUA
Although Conti’s source code and internal conversations were leaked by an insider back in March, the gang is still active and continues to target victims in double extortion attacks.
“According to analysts from multiple cybersecurity firms, Conti is now managing various side businesses meant to sustain its ransomware operations or pay for initial network access when needed” (Bleeping Computer, 2022).
For mitigation purposes, you should back up your data, system images, and configurations, test the backups regularly, and keep copies offline so that ransomware cannot reach them. Training employees is another vital mitigation measure, because email remains the attack vector organizations are most exposed through; train users to recognize and report phishing attempts.