But the attack on the finance ministry was just the beginning. A chronology shared by Mora states that Conti attempted to breach various government organizations almost every day between April 18 and May 2. Local authorities, such as the municipality of Buenos Aires, were attacked, as well as central government organizations, including the Ministry of Labor and Social Security. In some cases, Conti was successful; in others, it failed. Mora says the U.S., Spain, and private companies helped defend against Conti’s attacks by providing software and indicators of compromise related to the group. “That blocked Conti a lot,” he says. (In early May, the U.S. posted a $10 million reward for information about Conti’s leadership.)
On May 8, Chaves began his four-year term as president and immediately declared a “national emergency” over ransomware attacks, calling the attackers “cyberterrorists.” Nine of the 27 bodies targeted were “severely affected,” Chaves said on May 16. MICIT, which oversees the response to the attacks, did not answer questions about the progress of the recovery, although it initially offered to arrange an interview.
“Not all national institutions have enough resources,” says Robles. During the recovery, he says, he has seen organizations running legacy software, making it much more difficult to enable the services they offer. Some bodies, Robles says, “don’t even have a person working in cybersecurity.” Mora adds that the attacks show that Latin American countries need to improve their resilience in cybersecurity, introduce laws to make reports of cyber attacks mandatory, and allocate more resources to protect public institutions.
But just as Costa Rica began to get Conti’s attacks under control, it was struck again. The second attack began on May 31. The systems of the Social Security Fund of Costa Rica (CCSS), which organizes health care, were taken offline, plunging the country into a new kind of disorder. This time it was blamed on HIVE ransomware, which has some links to Conti.
The attack had an immediate effect on people’s lives. Health care systems went offline and printers spewed out garbage, as first reported by security journalist Brian Krebs. Since then, patients have complained of delays in receiving treatment, and the CCSS has warned parents whose children were undergoing surgery that they may have trouble locating their children. The health service has also begun printing discontinued paper forms.
By June 3, the CCSS had declared an “institutional emergency,” with local reports claiming that 759 of the 1,500 servers and 10,400 computers had been affected. A CCSS spokesman says hospital and emergency services are functioning normally and the efforts of its staff have maintained care. However, those seeking medical attention have faced major disruptions: 34,677 appointments have been rescheduled as of June 6. (The figure is 7 percent of all appointments; the CCSS says 484,215 appointments have gone ahead.) Medical imaging, pharmacies, testing labs, and operating rooms face some disruption.
The death of Conti
There are questions about whether the two separate ransomware attacks against Costa Rica are linked. However, they come as the face of ransomware may be changing. In recent weeks, ransomware gangs linked to Russia have changed their tactics to avoid US sanctions and are fighting for their territory more than usual.
Conti first announced its attack on the finance ministry on its blog, where it publishes the names of its victims and, if they do not pay its ransom, the files it has stolen from them. A person or group dubbed unc1756 (some security companies use the abbreviation “UNC” to indicate “uncategorized” attackers) used the blog to claim responsibility for the attack. The attacker demanded $10 million in ransom payments, and then raised the figure to $20 million. When no payment was made, they began uploading 672 GB of files to the Conti website.