Already suffering from significant damage caused by a recent Conti ransomware attack that spread through multiple government agencies, Costa Rica has taken another blow as Hive ransomware has infected a portion of its public health system and compromised the Covid-19 testing process.
Some security researchers believe that former Conti members may be involved with Hive, and are picking up where they left off after the ransomware syndicate retreated and split into smaller “cells” to better evade law enforcement.
Hive ransomware hits 30 public health system servers, Covid-19 reporting taken offline
The Costa Rican Social Security Fund (CCSS) was taken offline temporarily as officials reported that at least 30 of the organization’s 1,500 servers had been infected with Hive ransomware. Hive ransomware attacks were first observed in June 2021, and the group has mirrored Conti to a great degree in ruthlessly targeting health care organizations (and being active enough to merit an FBI alert).
The ransomware attack comes on the heels of the Conti group causing a national state of emergency to be declared with its rampage through Costa Rican government agencies, a campaign that caused issues with foreign trade and temporarily shut down some payment and accounting services. Some security researchers now believe that the attack was orchestrated by Conti as a means of publicly disbanding the group in an attempt to cool down increasing law enforcement attention, with some of its members migrating to smaller groups like Hive.
The attack on the public health system appears to have hit the servers that process Covid-19 testing results, and those results will remain unavailable to the public while the issue is remediated. The government said that the CCSS’s payroll processing systems, the Unified Digital Health system and the Centralized Tax-Collection System were not impacted by the ransomware attack.
The connection between Conti and Hive remains a theory (as does the idea that the Costa Rica ransomware attack was an excuse for Conti to break up, though that is supported by leaked messages discussing the possibility), but a plausible one given the sudden and seemingly voluntary shutdown of Conti servers and online infrastructure. Hive also operates on a “ransomware-as-a-service” model, and it is possible that a Conti affiliate involved in the attack moved to Hive. Life has become tougher for ransomware groups based in Russia if they are at all associated with the sanctions levied over the country’s invasion of Ukraine. Conti essentially put its foot in its mouth by declaring support for the Russian government’s actions at the beginning of the war, making it harder to collect payments as banking services are cut off and victims hesitate to pay a potentially sanctioned entity.
Pattern of Costa Rica ransomware attacks continues as country struggles to recover
President of the CCSS Álvaro Ramos told the media that no payment had been demanded in the ransomware attack, but the Hive negotiation portal features a public message that says it has asked for $5 million USD in Bitcoin to restore Costa Rica’s public health system servers.
Some residents of San José, the country’s capital city, contradicted reports that the ransomware attack had only impacted limited aspects of the public health system. One told the Washington Post that a health center he visited for an appointment was doing everything on paper out of fear of turning on computers, and that prescriptions could not be filled and certain appointments would have to be delayed for at least several days. Some employees of the CCSS confirmed on Twitter that they were ordered to shut down computers until further notice. The country remains in a state of national emergency over the damage done by the prior Conti ransomware attack, which began in April.
The theory that Conti used the Costa Rica ransomware attacks as a ruse to disband and shake off law enforcement attention is supported by leaked messages indicating that the group would be willing to settle for a ransom payment of less than $1 million (after demanding $20 million just prior to disbanding). At the moment, the country appears to still be undergoing remediation and suffering periodic outages of services. The US State Department offered some indirect help with $15 million in total bounties for anyone identifying core members of the Conti group or providing information leading to an arrest; the group remains a focus of international law enforcement hunts in spite of its apparent retreat into the shadows. If Conti members are working with Hive, it would appear the group still has an interest in milking money from the beleaguered Central American country.
If a national government’s public health system can be compromised to this degree, what chance do smaller organizations stand? Keith Neilson, Technical Evangelist at CloudSphere, advises: “This attack on Costa Rica’s public health agency serves as a reminder that a comprehensive cybersecurity strategy begins with cyber asset management. To properly secure sensitive data, organizations must take the first step of cyber asset management by discovering all cyber assets hosted within the IT environment. Without a comprehensive inventory of these cyber assets, organizations have no way of detecting potential risk points for a ransomware attack (let alone remediating them) until it is too late. Once all cyber assets are accounted for, IT leaders can establish clear, real-time visibility of the attack surface and effectively implement security guardrails across the entire IT landscape.”