Ransomware gang Conti has upped the ante as its attack on Costa Rica continues, threatening to overthrow the country’s government if its demands are not met. Conti has also doubled the ransom required to release Costa Rican data to $20m. Rodrigo Chaves, President of Costa Rica, announced overnight that the attacks have ramped up and that he is forming a ‘SWAT’ team to try and bring an end to the problems.
Chaves told a press conference that Costa Rica is “at war, and that is not an exaggeration”, as Conti’s attacks enter a fourth week. He explained that there are currently 27 affected government institutions, nine of which have been significantly infected. These include the Ministerio de Hacienda (Ministry of Finance), which is thought to have been the initial point of attack.
The president laid bare the extent of the attacks and the impact they have had on Costa Rica’s public sector. “We have not been able to collect taxes for the traditional tax system,” he said, while international trade is still being badly affected as the nation’s customs system remains compromised. Payment of salaries to public sector staff is also being affected.
Calling Conti an “international terrorist group,” Chaves also stated that “there are very clear indications that people within the country are collaborating with Conti”. His administration is forming a “SWAT team”, bringing together technical experts from Costa Rica’s Ministry of Innovation, Science, Technology and Telecommunications, the Treasury, the National Emergency Commission and the Costa Rican Institute of Electricity to try and bring the attack under control.
Does Conti have help from inside Costa Rica?
Conti released several messages to its dark web blog over the weekend, announcing that it has doubled the ransom to $20m and that it is “determined to overthrow the government by means of a cyberattack”. It says it will delete the decryption keys for data it has stolen if Chaves continues to work with data recovery specialists.
One of the messages also states that the gang has “insiders in [the Costa Rican] government”, specifically a threat actor named UNC1756. The UNC numbers refer to a categorisation system for cyber criminals used by leading cybersecurity firm Mandiant. However, it is doubtful that this claim is true, says Louise Ferrett, threat intelligence analyst at Searchlight Security. “I would be sceptical of this claim,” she says. “Despite their name imitating a classification by Mandiant, there are no records of previous threat activity being identified under the title UNC1756.”
The actor named in the message has only been active for one month, she explains, and it is therefore unlikely that they would have been able to amass so much influence so quickly. Ransomware gangs often make grandiose claims to pressure their victims into paying and ought not to be taken too seriously, she continues. “Costa Rica’s government should continue with its recovery plan as laid out by experts, while remaining vigilant for any signs of truth in the threat actor’s statement regarding malicious insiders,” Ferrett adds.