Costa Rica’s government has declared a state of emergency as ransomware attacks on its public sector enter their third week. Russia-affiliated cybercrime gang Conti has publicly claimed responsibility for the campaign, leading the US State Department to offer up to $15m for information that brings down the group.

The devastation caused in Costa Rica demonstrates the need for a levelling up of cybersecurity capabilities, as the global nature of the economy means these kinds of devastating attacks leave other countries exposed too, experts told Tech Monitor. Analysts also believe Conti may be acting so aggressively in Costa Rica because it is in the process of rebranding under a new name, BlackBasta.

Costa Rica’s government has declared a state of emergency as ransomware attacks on its public sector enter their third week. (Photo by Efenzi at Getty Images)

Costa Rica’s new president, Rodrigo Chavez, signed a declaration formally declaring the state of emergency on Sunday, his first official day in office. It allows additional resources to be directed to the departments under attack.

Chaos has raged through Costa Rica’s public sector during the past three weeks as ransomware attacks have disrupted several departments. The government has so far refused to pay the ransom, leading many of the affected agencies to express their concern over mounting costs. Supplies in and out of Costa Rica are also being hit, with customs officers reportedly having to manually process shipments due to the attacks.

With Costa Rica refusing to pay up, the US government is taking action against Conti, offering $10m for the identification or the location of leaders of the group, and $5m for information that results in the arrest of anyone conspiring with Conti. “I think it’s probably better for Costa Rica to send a message that they are not going to bow to this kind of extortion,” says Louis Ferrett, threat researcher for Searchlight Security. “It makes them appear favourable in the US government’s eyes and will have helped with securing this call for information being put out by the state department.”

Costa ransomware attack: the geopolitical consequences

The Costa Rica ransomware attack demonstrates the need to level up cybersecurity competencies across governments around the world, argues Emily Taylor, CEO of Oxford Information Labs and fellow at the International Security Programme. “These crimes are cross-border in nature, and in global south countries, the issue of cybersecurity capacity is even bigger than everywhere else,” she says. “So this is not just a Costa Rica problem.”

There are multi-lateral initiatives that have been organised to try and build cyber capabilities around the world, such as UN Open Ended Working Group on security. Taylor says this demonstrates an interest from governments in cybersecurity capacity building. She adds: “There’s sometimes scepticism about how effective this is, but there is definitely an appetite for it.”

Countries in Central and South America have become prime targets for hackers in recent years due to low levels of protection. A report from security company AdvIntel says one in every three ransomware attacks worldwide in 2020 targeted a Latin American country. Last month, local authorities in Ecuador were targeted by the BlackCat ransomware gang, while another group, Lapsu$, made its name hacking public sector organisations in Brazil, including its health ministry

“South America has had a pretty terrible time of it in terms of cyberattacks in the past few years,” Ferrett says. “It’s all happening at once, and it does seem like these countries are seen as low hanging fruit, an easier option.”

She adds: “I think internationally there is an urgent need to bring every country up to a similar standard where possible, because so much is interlinked these days with the global economy there is a risk to everyone. If one country gets so severely impacted like this, it can have a wider knock-on effect.”

Is Conti burning its brand as it transitions into another identity?

Conti’s actions in taking on an entire government have attracted a lot of attention for the group, and Ferrett believes it may be happy to take bold action because it is in the process of rebranding under another name, BlackBasta. “Conti is likely to have multiple other ‘side hustles’ in the cybercrime scene, including the Karakurt data extortion group and the new BlackBasta gang,” she says.  “The group may be less concerned about ‘burning’ the Conti identity if they already have these alternative revenue streams lined up.” Obviously the bounty will still be a risk, she adds.

BlackBasta has listed around a dozen victims to its blog in the past few weeks, including German wind turbine giant Deutsche Windtechnik and the American Dental Association. The hackers have since published more than 100Gb of data allegedly stolen from Deutsche Windtechnik.

Read more: Vanuatu is showing small nations how to resist big cyberattacks