In the aftermath of a massive ransomware attack on the Costa Rican government in April, the US government published a notice last week announcing a reward, possibly worth millions of dollars, for information on people involved with the Conti ransomware used in the hack. Rodrigo Chaves Robles, the recently appointed President of Costa Rica, declared a national crisis because of the attack, according to CyberScoop.
According to BleepingComputer, the ransomware attack affected Costa Rica’s ministries of Finance and of Labor and Social Security, as well as the country’s Social Development and Family Allowance Fund, among other units. The report also says the attack has affected several services of the country’s treasury since April 18. The hackers have not only taken down some of the government’s systems but are also leaking data, according to CyberScoop, which notes that almost 700GB of data has appeared on Conti’s website.
The U.S. State Department says the attack “severely affected the country’s foreign trade by disrupting its customs and tax platforms” and offers “up to $10 million for information leading to the identification and/or location” of the organizers behind Conti. The U.S. government is also offering $5 million for information “leading to the arrest and/or conviction of any individual in any country conspiring to engage in or attempting to participate” in a Conti-based ransomware attack.
Last year, the United States offered similar rewards related to REvil and DarkSide (the group behind the Colonial Pipeline attack). REvil is largely believed to be defunct after the United States reportedly hacked the group’s servers and the Russian government claimed to have arrested several members.
The Costa Rican government is not the only victim of Conti’s ransomware. As Krebs on Security notes, the group is particularly notorious for targeting health facilities such as hospitals and research centers.
The gang is also known for having its chat logs leaked after it stated that it fully supported the Russian government shortly after the invasion of Ukraine began. According to CNBC, these logs showed that the group behind the ransomware itself had organizational problems: people were not paid, and arrests were taking place. However, as with many ransomware operations, the actual software was also used by “affiliates,” other entities that used it to carry out their own attacks.
In the case of Costa Rica, the attacker claims to be one of these affiliates and says they are not part of a larger team or government, according to a message posted by CyberScoop. However, they threatened to carry out “more serious” attacks, calling Costa Rica a “demo version”.