“We will overthrow the government” – Does Conti have help inside Costa Rica?

As cyber attacks on the Central American country move into a fourth week, the gang behind the incident says it has insider help.

By Claudia Glover

Ransomware gang Conti has upped the ante as its attack on Costa Rica continues, threatening to overthrow the country’s government if its demands are not met. Conti has also doubled the ransom required to release Costa Rican data to $20m. Rodrigo Chaves, President of Costa Rica, announced overnight that the attacks have ramped up and that he is forming a ‘SWAT’ team to try and bring an end to the problems.

President of Costa Rica, Rodrigo Chaves. (Photo: LUIS ACOSTA/AFP via Getty Images)

Chaves told a press conference that Costa Rica is “at war, and that is not an exaggeration”, as Conti’s attacks enter a fourth week. He explained that there are currently 27 affected government institutions, nine of which have been significantly infected. These include the Ministerio de Hacienda (Ministry of Finance), which is thought to have been the initial point of attack.

The president laid bare the extent of the attacks and the impact they have had on Costa Rica’s public sector. “We have not been able to collect taxes for the traditional tax system,” he said, while international trade is still being badly affected as the nation’s customs system remains compromised. Payment of salaries to public sector staff is also being affected.

Calling Conti an “international terrorist group,” Chaves also stated that “there are very clear indications that people within the country are collaborating with Conti”. His administration is forming a “SWAT team”, bringing together technical experts from Costa Rica’s Ministry of Innovation, Science, Technology and Telecommunications, the Treasury, the National Emergency Commission and the Costa Rican Institute of Electricity to try and bring the attack under control.

Does Conti have help from inside Costa Rica?

Conti released several messages to its dark web blog over the weekend, announcing that it has doubled the ransom to $20m and that it is “determined to overthrow the government by means of a cyberattack”. It says it will delete the decryption keys for data it has stolen if Chaves continues to work with data recovery specialists.

One of the messages from RaaS gang Conti’s dark web blog. (Picture: Searchlight Security)

One of the messages also states that the gang has “insiders in [the Costa Rican] government”, specifically a threat actor named UNC1756. The UNC numbers refer to a categorisation system for cyber criminals used by leading cybersecurity firm Mandiant. However, it is doubtful that this claim is true, says Louise Ferrett, threat intelligence analyst at Searchlight Security. “I would be sceptical of this claim,” she says. “Despite their name imitating a classification by Mandiant, there are no records of previous threat activity being identified under the title UNC1756.”

The actor named in the message has only been active for one month, she explains, and it is therefore unlikely that they would have been able to amass so much influence so quickly. Ransomware gangs often make grandiose claims to pressure their victims into paying and ought not to be taken too seriously, she continues. “Costa Rica’s government should continue with its recovery plan as laid out by experts, while remaining vigilant for any signs of truth in the threat actor’s statement regarding malicious insiders,” Ferrett adds.
