The Conti ransomware that plagues Windows systems around the world has been tearing through the Costa Rican government since April and has become such a persistent and damaging problem that the country has declared it a national emergency. This prompted the US State Department to increase pressure on the group by offering a total of $15 million in rewards for information that leads to the identification or arrest of the group’s organizers.
Leaked inside information from 2021 shows that Conti operates as a legitimate technology company that employs remote working contractors, some of whom are apparently unaware that they are working for a ransomware gang. Despite its billions of dollars in business and hundreds of lower-level employees, Conti’s key members have yet to be identified or brought to justice.
Conti ransomware group in US sights after ransacking Costa Rican systems
Costa Rica’s newly sworn in president, Rodrigo Chaves Robles, began his administration by declaring a national emergency due to extensive damage caused by a series of Conti ransomware attacks that began on April 17.
A threat actor calling himself ‘unc1756’ stole at least 672GB of data from the national government and posted almost all of it on the Conti ransomware dark web portal after former President Carlos Alvarado refused to pay a ransom demand of $10 million just before the end of his term. The same actor may have been responsible for a recent breach of Peru’s national intelligence agency, which released 9.5 GB of data on the Conti ransomware portal shortly after the attacks in Costa Rica.
There is fierce debate over whether or not ransom demands should be paid, but as Roger Grimes (Data-Driven Defense Evangelist for KnowBe4) notes, victims often don’t really have a choice: “This is what is happening in today’s ubiquitous world. Ransomware. If you become a victim and do not pay, your data will be leaked. This is one of the main reasons why most victims pay today. In addition to the data leak, the attackers likely have the personal login credentials of every employee on any site they visited during the time the ransomware existed before it was unleashed. If Costa Rica hosted customer-facing websites in the compromised domains, as they likely were, their customer credentials (which are often reused on other sites and services customers visit) are also probably compromised. Failure to pay the ransom not only endangers Costa Rica’s own services, but also those of its employees and customers. It’s a huge mess! … The only way to combat this is to drastically improve the security of the Internet as a whole and to teach people how to avoid the social engineering scams that most often lead to ransomware exploitation. No one-off solution (e.g. firewall, VPN, antivirus, etc.) will work… Unfortunately, Costa Rica’s new law, and really no law, does anything to address the overall problem (i.e. cybercriminals are very, very unlikely to be caught and punished). So what we are left with are reactive recoveries, ineffective defenses, and rewards for identification and arrests that will probably never happen.”
The Conti ransomware attack campaign has impacted a number of different government agencies in Costa Rica. These include the Ministries of Finance and Labour, the Costa Rican Social Security Fund and the Social Development and Family Allowances Fund. Some services run by the Treasury, such as customs and tax payment interfaces, have been disrupted since April 18. The US State Department said the country’s foreign trade had been “severely impacted” by the incident.
It’s still unclear exactly what was leaked via the dark web portal, but independent security researchers have analyzed a small sample of the data and found it contains SQL databases and source code that appears to be from government websites.
Costa Rican Government Decree No. 42542 establishes a national state of emergency, primarily granting the power to treat the Conti ransomware campaign as an enhanced form of criminal attack. But as Silas Cutler, principal reverse engineer for Stairwell, points out: “While government entities such as the Costa Rican Social Security Fund (CCSS) can take proactive measures (such as conducting a perimeter review as a way of mitigating some of the Conti-affiliate methods that access brokers use) to better secure their perimeter and respond to problems more quickly, this will not completely prevent these types of attacks. … to quickly exploit newly discovered vulnerabilities, to access networks at speeds faster than patches can be deployed… If a group like Conti or any other group of sophisticated players is going to invest dedicated time in breaking into your network, there are a limited number of things you can do to fully protect yourself. Best practices, user training, and regular security testing are still the best measures organizations can use to defend themselves.”
National emergency deserves US State Department bounty
The US government is trying to help Costa Rica deal with the national emergency by enticing insiders to inform on top members of the Conti ransomware group, offering a total of $15 million in bounties. Up to $10 million is offered for information leading to the identification or location of the group’s organizers, and an additional $5 million can be obtained for information that leads to the arrest or conviction of “any individual in any country” conspiring to participate in a Conti ransomware attack.
The US government is increasingly turning to multi-million dollar bounties as for-profit cybercriminals show an increased willingness to create national emergencies by targeting critical infrastructure. The government responded to major attacks of this nature in 2021 by issuing similar bounties to members of the REvil and DarkSide gangs. It’s unclear if bounties played a role, but both of these gangs were busted and servers seized after they became targets of major international law enforcement efforts.
As John Bambenek, Principal Threat Hunter at Netenrich, notes, “The US government making these rewards a bigger part of its cybercrime and ransomware enforcement strategy is a natural evolution of the amount of destruction these groups are causing. In 2013, ransomware was largely an individual consumer problem. Today, these groups hijack entire organizations and/or release large caches of stolen information. They have entered the big leagues of organized crime, so now there are big league style responses. These types of rewards help people like me who like to seek out and identify these people. College is expensive and I have six children. That being said, nothing is really going to help until we start making significant arrests. The first piece is who to arrest, of course, but the bigger problem is that they often operate in jurisdictions where extradition is not an option. Evgeniy Bogachev (the operator of the first modern ransomware family, Cryptolocker) has been indicted since 2012.”
The Conti ransomware group has become one of the biggest operators in the world by showing a willingness to cross these kinds of lines, without fear of causing a national emergency in the process. The group has repeatedly targeted healthcare organizations and facilities (after saying it would not at the height of the Covid-19 pandemic), believing these entities will be insured and pay out quickly because they cannot afford to have life-saving care systems be offline indefinitely. Krebs on Security notes around 200 Conti ransomware attacks on healthcare targets in recent years, the largest of which was a breach of Ireland’s public healthcare system.
Although the core members of the group remain unidentified at this time, a leak from a dissatisfied Conti ransomware affiliate last August revealed quite a bit about the group’s internal structure and operations. It has a quasi-corporate structure: it includes a hiring department (which sometimes recruits from legitimate job boards), conducts performance reviews and gives “employee of the month” awards, and uses a variety of remote contractors who work on small, modular parts of the business, so that some of them are unaware they are involved in ransomware.