The Conti ransomware that has been plaguing Windows systems around the world has ripped through the Costa Rican government since April, and has become such a persistent and damaging issue that the country has declared it a national emergency. This has prompted the US State Department to turn up the pressure on the group by offering a total of $15 million in reward money for information that leads to identification or arrest of the group’s organizers.
Leaked internal information from 2021 shows that Conti operates like a legitimate tech company that employs remote working contractors, some of whom apparently are not aware that they are working for a ransomware gang. In spite of its billions of dollars in activity and churning through hundreds of these lower-level employees, core members of Conti have yet to be identified or brought to justice.
Conti ransomware group in US crosshairs after rampage through Costa Rican systems
The newly sworn-in President of Costa Rica, Rodrigo Chaves Robles, began his administration by declaring a national emergency due to the extensive damage done by a spate of Conti ransomware attacks that began on April 17.
A threat actor referring to themselves as “unc1756” has stolen at least 672 GB of data from the national government, and posted nearly all of it to the Conti ransomware dark web portal after former president Carlos Alvarado refused to pay a $10 million ransom demand just prior to the end of his term. The same actor may have been responsible for a recent breach of Peru’s national intelligence agency, which had 9.5 GB of data posted to the Conti ransomware portal shortly after the Costa Rica attacks.
There is a fierce debate over whether or not ransom demands should be paid, but as Roger Grimes (Data-Driven Defense Evangelist for KnowBe4) notes, victims are often not given much of a choice: “This is what happens in today’s ubiquitous world of ransomware. If you become a victim and do not pay, they will leak your data. It is a large reason why most victims are paying today. On top of the data leak, the attackers likely have every employee’s personal login credentials to any site they visited during the time the ransomware was dwelling before it went off. If Costa Rica was hosting customer-facing websites in the compromised domains, like they likely were, their customer’s credentials (which are often reused on other sites and services the customers visit) are likely compromised, too. Not paying the ransom puts not only Costa Rica’s own services at risk, but those of their employees and customers. It is a huge mess! … The only way to fight this is by vastly improving the security of the internet overall and educating people how to avoid the social engineering scams that most often lead to ransomware exploitation. No single point solution (e.g., firewalls, VPNs, antivirus, etc.) is going to work … Unfortunately, Costa Rica’s new law, and really no one’s law is doing anything to fix the overall problem (i.e., that it is very, very unlikely for cybercriminals to be caught and punished). So, what we are left with is reactive recoveries, ineffectual defenses and rewards for identification and arrests that will likely never happen.”
The Conti ransomware attack campaign has impacted a number of different government agencies in Costa Rica. These include the ministries of Finance and Labor, the Costa Rican Social Security Fund and the Social Development and Family Allowances Fund. Some services run by the government treasury, such as customs and tax payment interfaces, have been disrupted since April 18. The US State Department said that the country’s foreign trade has been “severely impacted” by the incident.
It is still not entirely clear exactly what was leaked through the dark web portal, but independent security researchers have analyzed a small sample of the data and found that it contains SQL databases and source code that appears to be from government websites.
The Costa Rican government’s Decree No. 42542 establishes the state of national emergency, primarily granting the power to treat the Conti ransomware campaign as an enhanced form of criminal attack. But as Silas Cutler, Principal Reverse Engineer for Stairwell, points out: “While government entities like the Costa Rican Social Security Fund (CCSS) can take proactive steps (like conducting a perimeter review as a means of mitigating some of the methods Conti-affiliated access brokers use) to better secure their perimeter and react faster to issues, it will not fully prevent these types of attacks. Conti-affiliated access brokers are adept at rapidly exploiting newly-discovered vulnerabilities, gaining access to networks at speeds faster than patches can be deployed … If a group like Conti or any other sophisticated actor group is going to invest dedicated time in breaking into your network, there are a limited number of things you can do to thoroughly protect yourself. Best practices, user training and regular security testing always remain the best steps organizations can employ to defend themselves.”
National emergency merits bounty from US state department
The US government is attempting to assist Costa Rica with the national emergency by incentivizing insiders to spill the beans on the core members of the Conti ransomware group, offering a total of $15 million in bounties. Up to $10 million is offered for information leading to the identification or location of the group’s organizers, and an additional $5 million can be had for information that leads to the arrest or conviction of “any individual in any country” conspiring to participate in a Conti ransomware attack.
Multimillion-dollar bounties are something that the US government has increasingly turned to as for-profit cyber criminals show an increased willingness to create national emergency situations by targeting critical infrastructure. The government responded to major attacks of this nature in 2021 by issuing similar bounties on members of the REvil and DarkSide gangs. It is unclear if the bounties played any role, but both of those gangs were broken up and had servers seized after becoming the target of major international law enforcement efforts.
As John Bambenek, Principal Threat Hunter at Netenrich, notes: “The U.S. government making these rewards a bigger part of its strategy in cracking down on cybercrime and ransomware is a natural evolution of the amount of destruction these groups are causing. Ransomware in 2013 was largely an individual consumer problem. Now, these groups are hijacking entire organizations and/or leaking large caches of stolen information. They’ve entered the big leagues of organized crimes so now there are big league style responses. These kinds of rewards help people like me who love to research and identify these individuals. College is expensive and I have six kids. That being said, nothing is going to really help until we start making significant arrests. The initial piece of that is who to arrest, of course, however the bigger problem is that they often operate in jurisdictions where extradition isn’t an option. Evgeniy Bogachev (the operator of the first modern ransomware family, Cryptolocker) has been under indictment since 2012.”
The Conti ransomware group has grown to be one of the largest operators in the world by showing a willingness to cross those sorts of lines, unafraid of causing a national emergency in the process. The group has repeatedly targeted health care organizations and facilities (after declaring that it would not do so during the height of the Covid-19 pandemic), in the belief that these entities will be insured and quick to pay as they cannot afford to have life-saving systems of care be offline for any amount of time. Krebs on Security notes about 200 Conti ransomware attacks on healthcare targets in recent years, the largest of these being a breach of Ireland’s national Health Service Executive public health system.
Though the key members of the group remain unidentified at this time, a leak from a dissatisfied Conti ransomware affiliate last August revealed quite a bit about the group’s structure and internal operations. It has a quasi-corporate structure that includes a hiring department (that sometimes recruits on legitimate job sites), conducts performance reviews and issues “employee of the month” awards, and has a variety of online contractors working on small modular pieces of the business such that some are not aware they are involved with ransomware.