A ransomware attack that has crippled Costa Rica’s government IT systems is entering its second week with no resolution in sight. Ransomware group Conti has stolen at least a terabyte of data, and having seen its demands for $10m ransom rebuffed, today stated it has released 80% of the information onto the dark web. The Costa Rican government has so far stood firm in the face of the ransom demand, despite damages from the incident now reportedly running into the hundreds of millions of dollars. The incident could be the first indicator that Russian-backed gangs like Conti are embarking on a new wave of attacks.

Costa Rica cyberattack
Outgoing Costa Rica president Carlos Alvarado says a recent cyberattack is aimed at destabilising the country. (Photo by HANNAH MCKAY/POOL/AFP via Getty Images)

Costa Rica cyberattack hits multiple government departments

A breach of Costa Rica’s tax and customs administration systems took place last weekend. The country’s finance ministry was the first department hit by hackers, who have subsequently attacked its social security agency’s human resources system and the Ministry of Labor. So far a total of six public institutions have been hit.

Finance minister Elian Villegas said one terabyte of information from the Central American nation’s customs directorate, which handles checks on imports and exports, had been stolen, including information on taxpayers. “Apart from that I am not aware of any other information that may have been extracted,” Villegas told Reuters.

The Costa Rican government has not yet confirmed the attack’s origin, but Conti has taken credit. A blog post from the group reads: “We will continue to attack the ministries of Costa Rica until its government pays us. Attacks continue today. We downloaded one [terabyte] of your portal databases as well as internal documents, we will start publishing this data on April 23.”

Costa Rica’s government is adamant that it will not pay the ransom. “We are not in a position to pay,” Villegas said. “We are a public entity, we cannot access this type of request, from the principle of legality I am not authorised for any payment of this type.”

The incident has already caused serious damage due to disruption of the country’s tax and customs platforms. The country’s exporters union said there had been losses of $200m last Wednesday alone, Reuters reports. The government website and other internal systems remain offline at the time of writing.

Should Costa Rica pay the Conti ransom?

Costa Rica is in the process of changing president, with outgoing Premier Carlos Alvarado saying the attacks are aimed at destabilising the Central American country as it transitions to the new government of president-elect, Rodrigo Chaves.

“This attack is not an issue of money, but seeks to threaten the stability of the country in a situation of transition. They will not achieve this,” Alvarado says. Chaves assumes power on May 8.

Regardless of mounting costs, Costa Rica should still resist caving in and paying the ransom, says Max Heinemeyer, VP of cyber innovation at security company Darktrace. “Once the damage is done, paying will not guarantee that the problem goes away – for example, the decryption key might not work and a lot of systems might still have to be rebuilt from scratch,” he says.

Heinemeyer continues: “The recovery work itself, regardless of decryption keys being delivered, can take weeks or months and can be a very costly process. Even if the ransom is paid, there is no guarantee that the stolen data will actually be erased – you’d have to trust the word of the criminals who just breached you.”

Is a new Russia-backed wave of cyberattacks imminent?

The attack coincided with a warning from the Five Eyes security alliance, which includes the UK and US, about the potential for escalating Russian cybercrime activity. Jason Steer, CISO at security company Recorded Future, says the two could be linked. “The timing of that release last week is very interesting,” Steer says. “There’s no compelling reason for it to happen, last week there wasn’t a big vulnerability or anything else. To me that timing stands out.”

He adds: “We could be turning a corner where we’ve got Russian ransomware groups potentially in a new wave of targeting Western countries and organisations. It could get really bad.”

Read more: Vanuatu is showing small nations how to resist big cyberattacks