But the attack on the Treasury was only the beginning. A timeline that Mora shares claims that Conti tried to breach various government organizations almost every day between April 18 and May 2. Local authorities, such as the municipality of Buenos Aires, were affected, as well as central government organizations, including the Ministry of Occupational and Social Security. In some cases, Conti was successful; in others it failed. Mora says the United States, Spain and private companies helped defend against Conti attacks and provided software and indicators of compromise related to the group. “It blocked Conti a lot,” he says. (In early May, the United States issued a $10 million reward for information about Conti’s leadership.)
On May 8, Chaves began his four-year term as president and immediately declared a “national emergency” due to the ransomware attacks, calling the attackers “cyber-terrorists.” Nine of the 27 targeted bodies were “very affected,” Chaves said on May 16. MICIT, which monitors the response to the attacks, did not respond to questions about progress in the recovery, despite initially offering to arrange an interview.
“All the national institutions, they do not have enough resources,” Robles says. During the recovery, he says, he has seen organizations run on older software, making it much harder to activate the services they provide. Some bodies, Robles says, “do not even have a person who works in cybersecurity.” Mora adds that the attacks show that Latin American countries need to improve their cybersecurity resilience, introduce laws to make reporting cyberattacks mandatory and devote more resources to protecting public institutions.
But just as Costa Rica began to get a grip on the Conti attacks, another hammer blow struck. On May 31, a second attack started. The systems of the Costa Rica Social Security Fund (CCSS), which organizes health care, were taken offline, throwing the country into a new kind of disorder. This time HIVE ransomware, which has some links to Conti, got the blame.
The attack had an immediate effect on people’s lives. Health systems went offline, and printers spewed out waste, as first reported by security journalist Brian Krebs. Since then, patients have complained about delays in receiving treatment, and CCSS has warned parents whose children were undergoing surgery that they may have trouble finding their children. The health care system has also started printing expired paper forms.
By June 3, CCSS had declared an “institutional emergency,” with local reports claiming that 759 of the 1,500 servers and 10,400 computers had been affected. A spokesman for CCSS says hospitals and emergency services are now operating normally and that the efforts of its staff have maintained care. But those seeking medical attention have been subjected to significant disruption: 34,677 appointments have been rescheduled for June 6. (The figure is 7 percent of total appointments; CCSS says 484,215 appointments have gone ahead.) Medical imaging, pharmacies, test labs, and operating rooms all face some disruption.
There are questions about whether the two separate ransomware attacks against Costa Rica are connected. But they come as the face of ransomware may be changing. In recent weeks, Russian-affiliated ransomware gangs have changed their tactics to avoid US sanctions and are fighting over their territory more than usual.
Conti first announced its attack on the Treasury Department on its blog, where it publishes the names of its victims and, if they fail to pay its ransom, the files it has stolen from them. A person or group calling themselves unc1756 (the “UNC” abbreviation is used by some security companies to identify “uncategorized” attackers) used the blog to take responsibility for the attack. The attacker demanded $10 million in ransom and later raised the figure to $20 million. When no payment was made, they started uploading 672 GB of files to Conti’s website.