2022 Costa Rican ransomware attack

On the night (UTC-6:00) of April 17, 2022, a ransomware attack began against nearly 30 institutions of the government of Costa Rica, including its Ministry of Finance, the Ministry of Science, Innovation, Technology and Telecommunications (MICITT), the National Meteorological Institute, state internet service provider RACSA, the Costa Rican Social Security Fund (Caja Costarricense de Seguro Social, CCSS), the Ministry of Labor and Social Security, the Fund for Social Development and Family Allowances, and the Administrative Board of the Municipal Electricity Service of Cartago.

The pro-Russian Conti Group claimed the first group of attacks and demanded a US$10 million ransom in exchange for not releasing the information stolen from the Ministry of Finance, which could include sensitive information such as the tax returns of citizens and of companies operating in Costa Rica.

As a consequence, the government had to shut down the computer systems used to declare taxes and to control and manage imports and exports, causing losses to the productive sector on the order of US$30 million per day. Likewise, the web pages of the Ministry of Science, Innovation, Technology and Telecommunications were taken offline.

Costa Rica required technical assistance from the United States, Israel, Spain, and Microsoft, among others, to deal with the cyber attack. The attack consisted of infections of computer systems with ransomware, defacement of web pages, theft of email files and attacks on the Social Security human resources portal, as well as on its official Twitter account.

On May 6, 2022, the United States government through the FBI offered a US$10 million reward for information leading to the identification of a person or persons in a leadership position within the Conti Group, and an additional US$5 million for information leading to the capture or conviction, in any country, of individuals who aided or conspired to carry out Conti ransomware attacks.

On May 8, 2022, the new president of Costa Rica, Rodrigo Chaves Robles, decreed a state of national emergency due to cyber attacks, considering them an act of terrorism. Days later, at a press conference, he stated that the country was in a state of war and that there was evidence that people inside Costa Rica were helping Conti, calling them "traitors" and "filibusters".

On May 31, 2022, at dawn, the Hive Ransomware Group carried out an attack against the Costa Rican Social Security Fund, forcing the institution to turn off all of its critical systems, including the Single Digital Health File and the Centralized Collection System. The former stores sensitive medical information of patients using Social Security, while the latter is used to collect the population's insurance fees.

Conti Group
Conti Group is a criminal organization dedicated to carrying out ransomware attacks, stealing files and documents from servers and then demanding a ransom. Its modus operandi is to infect computers with the Conti malware, which encrypts files using up to 32 individual logical threads, making it much faster than most malware of its kind.

The oldest member is known by the aliases Stern or Demon and acts as CEO. Another member known as Mango acts as the general manager and communicates frequently with Stern. Mango told Stern in a message that there were 62 people on the core team. The numbers of people involved fluctuate, reaching up to 100. Due to the constant turnover of members, the group recruits new members through legitimate job recruitment sites and hacker sites.

Ordinary programmers earn $1,500 to $2,000 per month, and members who negotiate ransom payments can take a cut of the profits. In April 2021, a member of the Conti Group claimed that an anonymous journalist took a 5% cut of ransomware payments in exchange for pressuring victims to pay.

During the Russian invasion of Ukraine of 2022, the Conti Group announced its support for Russia and threatened to implement "retaliatory measures" if cyber-attacks were launched against the country. As a result, an anonymous person leaked approximately 60,000 internal chat log messages along with source code and other files used by the group.

Opinions expressed in the leaks include support for Vladimir Putin and Vladimir Zhirinovsky, and antisemitism (including towards Volodymyr Zelensky). A member known as Patrick repeated several false claims made by Putin about Ukraine. Patrick lives in Australia and may be a Russian citizen. Messages containing homophobia, misogyny and references to child abuse were also found.

Conti has been responsible for hundreds of ransomware incidents since 2020. The FBI estimates that, as of January 2022, there were more than 1,000 victims of attacks associated with Conti ransomware, with victim payouts exceeding $150 million, making Conti the most damaging ransomware strain ever documented.

Days after the FBI's announcement, Conti announced that it would begin a shutdown process. Some of the Conti members migrated to smaller organizations like Hive, HelloKitty, AvosLocker, BlackCat, and BlackByte; others founded groups of their own.

Hive Ransomware Group
Hive ransomware group is a criminal organization known for attacking public health organizations and institutions, particularly hospitals and clinics. It first appeared in June 2021.

Bleeping Computer LLC reported that some of the Conti hackers migrated to other ransomware gangs, including Hive. The rival group has denied having any connection with Conti; nonetheless, once Conti began closing its operations and its hackers reached Hive, Hive began to employ the tactic of publishing leaked data on the deep web, just as Conti had. AdvIntel expert Yelisey Boguslavskiy identified, with a high level of certainty, that Conti had been working with Hive since at least November 2021. According to this analysis, Hive was actively using the initial attack access provided by Conti. Unlike the Conti Group, Hive is not associated with direct support for the Russian invasion of Ukraine, even though ransom payments to Hive are likely to be received by the same people within Conti who claimed the group's collective alignment with the Russian government.

In July 2022, the FBI infiltrated Hive. Undercover agents from the FBI's Tampa, Florida field office acquired full access and acted as a subsidiary in the Hive network undetected for seven months, gathering evidence and secretly generating decryption keys for victims to recover their data. In January 2023, the United States Department of Justice announced that it had dismantled Hive by seizing the group's servers, in coordination with Germany and the Netherlands.

Conti Group attack
The servers of the Ministry of Finance were the first to be compromised, during the night of Sunday, April 17. The Conti Group had obtained compromised credentials, which allowed it to install malware on one device in the Ministry of Finance network. The next day, the BetterCyber Twitter account was the first to repost the Conti Group forum post reporting the hacking of the government institution, which indicated that 1 terabyte of information had been stolen from the Virtual Tax Administration (ATV) platform, used by citizens and companies to file their tax returns with the government. The post also indicated that the data would begin to be published on April 23.

Before 10 a.m. on April 18, the Ministry of Finance informed through a press release and through its social networks that, "due to technical problems", the ATV platform and the Customs Information System (TICA) had been disabled and that the deadline for filing and paying taxes that were due that day would be extended until the next business day after the systems were restored. The institution did not immediately acknowledge being hacked and initially refused to answer questions from the press about the Conti Group claim.

The next day, Conti Group published a new post on its forum announcing that it was asking for US$10 million in ransom for the stolen information. The Ministry of Finance confirmed that the information published so far corresponded to information from the National Customs Service, used as inputs and support. "In relation to the communications that have been detected on social networks, and classified as hacking, the Ministry of Finance communicates the following:

Indeed, since early today we have been facing a situation in some of our servers, which has been attended by our staff and by external experts, who during the last few hours have tried to detect and repair the situations that are occurring.

This Ministry has made the decision to allow the investigation teams to carry out an in-depth analysis of the information systems, for which it has made the decision to temporarily suspend some platforms such as ATV and TICA, and services will be restarted once the teams complete their analyses.

In the last few hours, the exposure of some of the data belonging to the General Directorate of Customs has been detected, which is carrying out the information investigation processes, as established in the response plan.

The data identified so far are of a historical nature and are used by the National Customs Service as inputs and support." Hours after the Treasury statement, the microsite of the Ministry of Science, Innovation, Technology and Telecommunications suffered a defacement with a message reading, "We greet you from Conti, look for us on your network."

Jorge Mora Flores, director of Digital Governance of Costa Rica, indicated that as a result of the attack, and because the affected server hosts other pages, the decision was made to turn it off while checks were carried out to determine to what extent security was breached. Subsequently, an update on the Conti Group forum indicated that the attacks against Costa Rican ministries would continue "until the government pays us".

Hours later, Conti attacked an email server of the National Meteorological Institute, stealing the information contained therein. Conti stated that the scenario that Costa Rica was experiencing was a "beta version of a global cyber attack on an entire country". Later, in another update on its forum, the group indicated that if the Ministry of Finance did not inform its taxpayers of what was happening, it would carry out additional actions: "If the minister cannot explain to his taxpayers what is going on, we will: 1) have penetrated his critical infrastructure, gained access to over 800 servers, downloaded over 900 GB of databases and over 100 GB of internal documents, databases in the MSSQL mdf format, there is more than just the email, first name, last name... If the minister considers that this information is not confidential, we will publish it. The leak problem is not the Ministry's main problem, their backups were also encrypted, 70% of their infrastructure will probably not be able to be restored and we have backdoors in a large number of their ministries and private companies. We ask for a significantly small amount of what you will spend in the future. Their export business is already in trouble and they've already lost the $10 million they could have paid us."

Later that day, the Costa Rican government denied having received a ransom request, despite Conti Group's forum post regarding the US$10 million. On April 20, Conti published an additional 5 GB of information stolen from the Ministry of Finance. In the afternoon, the Government called a press conference at the Presidential House where it argued that the situation was under control, and that in addition to the Treasury, MICITT and the IMN, Radiografía Costarricense S.A. (RACSA), a state internet service provider, had been attacked through a breach of an internal email server.

In the meantime, the Costa Rican Social Security Fund reported having suffered a cyber attack on its human resources site, which was being contained. Conti Group did not claim responsibility for the attack, since the Fund reported hours later that no sensitive information about the insured, such as their medical history or contributions to pension or health insurance, had been stolen, and that the databases had been left intact.

The Minister of the Presidency, Geannina Dinarte Romero, indicated that this was a case of international organized crime and that the Government of Costa Rica would not pay any ransom. She also announced that they were receiving technical assistance from the governments of the United States, Israel and Spain, as well as from Microsoft, which operated the servers of the Ministry of Finance.

Early on April 21, Conti Group attacked the servers of the Ministry of Labor and Social Security, as well as the Social Development and Family Allowances Fund. The government's preliminary report indicated that information such as emails and data on pension payments and social aid from both institutions had been stolen. Likewise, the group offered a 35% discount on the ransom demanded if the Government of Costa Rica made a prompt payment. Before noon, the Ministry of Science, Innovation, Technology and Telecommunications held a press conference where the Government reiterated its position of not paying the ransom demanded by the Conti Group; in response, hours later, the criminal group announced that it would immediately begin publishing the stolen information, urging Costa Rican cybercriminals to take advantage of it to commit phishing. President Carlos Alvarado Quesada gave his first public statement on the hack that day. "I reiterate that the Costa Rican State WILL NOT PAY ANYTHING to these cybercriminals. But my opinion is that this attack is not a matter of money, but rather seeks to threaten the stability of the country, in a situation of transition. This they will not do. As we have always done, each person on this earth will do their part to defend Costa Rica."

In the afternoon, the Government issued a directive addressed to the public sector in order to protect the proper functioning, confidentiality and cybersecurity of public institutions. The document provides that, in the event of any situation that affects the confidentiality, availability or integrity of services available to the public, the continuity of institutional functions, or the identity theft of the institution on social networks (even those that the institution considers to be under control), the Computer Security Incident Response Center (CSIRT-CR) must be informed of the event. In addition, agencies are required to back up information regarding the incident for use in investigations. Likewise, institutions must carry out maintenance of their telecommunications infrastructure, whether through public employees or private contractors, including regular updates of institutional systems, changing the passwords of all institutional systems and networks, disabling unnecessary services and ports, and monitoring network infrastructure, as well as heeding alerts from the CSIRT-CR. The guideline also orders a vulnerability scan to be carried out at least twice a year on the official websites of the government of Costa Rica.

On the morning of April 22, the government reported that no new Conti Group attacks against the country had been recorded since the previous day. However, the director of Digital Governance, Jorge Mora, explained that since Monday, when preventive measures began to be applied in state institutions, they had detected 35,000 malware communication requests, 9,900 phishing incidents, 60,000 attempts to take remote control of IT systems, and 60,000 attempts to mine cryptocurrencies using the computer infrastructure of the first 100 state institutions where those measures had been applied.

On April 23, the Conti Group attacked the Administrative Board of the Municipal Electrical Service of Cartago, the public company in charge of electricity supply in the province of Cartago. Jorge Mora Flores reported that day that subscriber information could have been compromised; the next day, he reported that the institution's accounting and human resources information was encrypted as part of the attack.

On April 25, Conti announced that it would shift its strategy from attacking state institutions to focus on large companies in the private sector; in addition, it would stop announcing its hacks on its deep web page to focus on requesting ransoms for stolen and encrypted information.

On April 26, the MICITT reported that the website of the Sede Interuniversitaria de Alajuela, a multi-university campus, was attacked; in addition, there was an attempt to breach the servers of the Instituto de Desarrollo Rural (Rural Development Institute), which was successfully repelled. On April 29, the government reported a hacking attempt against the Ministry of Economy, Industry and Commerce, and a day later against the National Liquor Factory and the municipalities of Turrialba and Golfito.

On May 2, another hacking attempt was reported at the Ministry of Justice and Peace (MJP), although it was repelled. The next day, unsuccessful cyberattacks were reported on the municipalities of Garabito and Alajuelita, as well as on the San José Social Protection Board, a national charitable organization that administers the country's national lottery.

On May 4, MICITT reported hacking attempts against the National Education Loan Commission and one more against the Cartago University College (CUC), although the latter was not Conti's responsibility.

Nearly two months after the original attack, on June 11, the Ministry of Finance announced that the ATV tax system would be restarted on June 13 so that Costa Ricans could make their payments. On June 24, two other systems disabled by Conti attacks were restored: TICA (Tecnología de Información para el Control Aduanero, Customs Control Information Technology) and Exonet, a platform used to manage and process tax exemption requests.

Hive Ransomware Group attack
On May 31 at two in the morning (UTC-6:00), the Costa Rican Social Security Fund (CCSS) detected anomalous information flows in its systems and began to receive reports from different hospitals of unusual behavior in various computers; it immediately proceeded to turn off all its critical systems, including the Single Digital Health File (Expediente Digital Único en Salud, EDUS) and the Centralized Collection System. Some printers in the institution printed messages with random codes or characters, while others printed default instructions from the Hive Ransomware Group on how to regain access to systems.

In a press conference before noon, CCSS officials described the attack as "exceptionally violent" and detailed that the first incidents were recorded at the San Vicente de Paul Hospital, in the province of Heredia and then in the Hospital of Liberia, province of Guanacaste; from there, attacks were carried out on the hospitals of the Greater Metropolitan Area. The president of the CCSS, Álvaro Ramos Chaves, affirmed that databases with sensitive information were not compromised but noted that at least thirty servers (of the more than 1,500 that the institution has) were contaminated with ransomware. He added that they had a plan to restore the systems, but that it would take time because each piece of equipment had to be reviewed to ensure hackers no longer had access.

As a consequence, a number of insured persons saw their medical appointments cancelled. The CCSS medical centers had to resort to running on paper, as the digital backup system, the Digital File in a Contingency Environment (Expediente Digital en Ambiente de Contingencia, EDAC), was also taken down as a security measure, a situation that could last for an indefinite period. Medical facilities were left without access to the EDUS, the EDAC, and other systems including the hospital occupancy control system (ARCA) and billing. Financial areas of the CCSS were unable to use systems including the Centralized Collection System (SICERE), the Disability Control and Payment Registry (RCPI), and the Integrated Voucher System (SICO). Offices and administrative areas were unable to use computers; teleworkers could only access Office 365 (Word, Excel, PowerPoint, Outlook, and Teams).

In total, on the first day of effects from the cyberattack, 4,871 users missed their medical appointments, with another 12,000 missing appointments the next day. The CCSS reported that the laboratory service was the most affected, with only 45 percent operating normally and 48 percent partially affected. A review of 108 health establishments showed that 96% of hospital services operated with a contingency plan, 18% of outpatient consultations were partially affected, 19% of radiology and medical imaging services were partially affected, and 37% of pharmacy services were affected.

On June 1, during a press conference at the Presidential Palace, the executive president of the CCSS, Álvaro Ramos Chaves, announced the opening of an administrative investigation against the agency's Information Technology Department for the hack, to determine if there was negligence. President Chaves Robles noted that fewer than 15 CCSS computers had the microCLAUDIA system donated by Spain installed after the Conti attacks. Ramos Chaves also revealed that the effects of the attack were 27 times greater than what was reported on the first day: more than 800 servers and 9,000 end-user computers were affected, making it impossible to restore all systems within a week as initially planned.

On June 2, the Hive Ransomware Group requested $5 million in bitcoin so that the CCSS could get its services back.

On June 4, the Superintendency of Pensions (SUPEN) announced the suspension until further notice of the possibility of freely transferring complementary pension funds between the different operators, since this required one of the CCSS systems that was affected by the hack.

With its systems for reporting payroll and paying social contributions down, the CCSS had to extend until June 10 the deadline for employers to submit the payroll corresponding to the month of May. Likewise, it announced that self-employed and voluntary insured workers would not be able to pay their monthly installments because the corresponding invoices could not be generated. The pension scheme for Disability, Old Age and Death (IVM) had to enable bank accounts and specific email accounts so that people with mortgage loans could pay their monthly installments and report the payments. Likewise, 163 health establishments of the CCSS set up telephone lines for the population to answer questions regarding the continuity of services and the status of their medical appointments.

Declaration of emergency
On April 22, the then president-elect of Costa Rica, Rodrigo Chaves Robles, announced his intention to declare a national state of emergency once he assumed power due to the cyberattacks against the country's public sector.

On May 3, the Costa Rican Chamber of Industries (CICR), the National Chamber of Freight Carriers (CANATRAC), the Costa Rican Chamber of Foreign Trade (CRECEX), the Chamber of Fiscal and General Deposit Warehouses (CAMALFI), the Costa Rican Chamber of Shippers (NAVE), the Chamber of Exporters of Costa Rica (CADEXCO) and the Association of Customs Agents (AAACR) requested to declare a state of emergency due to the situation of the country's customs as a result of the Conti hack; they warned that within a few days, if the situation did not improve, Costa Rica could face a paralysis of international trade due to the accumulation of cargo containers, since Customs had to carry out procedures on paper, raising the wait to three or even four days to receive approval to move the containers.

On May 8, upon assuming power, Chaves Robles signed Executive Decree No. 43542-MP-MICITT, declaring a state of national emergency due to cyberattacks against the public sector in Costa Rica and ordering the Presidency of the Republic to take control of the coordination of the national response, in lieu of the National Emergency Commission, which by law manages situations of declared national emergency.

On May 16, President Chaves affirmed that the country was in a state of war due to Conti's hacks and denounced that there were nationals helping the "terrorist group" that the previous weekend had threatened to overthrow the newly elected government. "We don't know, we don't have information about who is paying us taxes correctly and incorrectly. There is a huge impact on the international trade process since the Customs TICA system is not working. We don't know how the country's budget execution is progressing: Costa Rica doesn't know how much of the budget each person is spending, whether we are going to pay ourselves or not. We are paying salaries almost blindly based on previous payrolls, which represents a huge challenge for the future. What happens if someone surpasses you due to an extraordinary staff and we are repeating the same payroll? There are people who are being paid less by the State than they should be for using old forms. This represents a huge risk because the systems are not flexible to recover excess payments. We have 27 institutions attacked and 9 institutions very affected, including the Ministry of Finance, which is the one that receives the income and makes the expenses of the State. They want to drown us through the financial system of the State's public finances."

The next day, dozens of workers from the Ministry of Public Education (MEP) took to the streets to protest the non-payment of their salaries and payments of less than what was due, among other problems related to the impossibility of updating the state payroll due to the hack. The MEP estimated that 16,000 workers were affected, of whom 3,000 did not receive any payments at all. The Ministry of Finance, as a contingency measure, provided a form that had to be filled out by hand to update employee payments.

On May 21, due to new protests, the unions negotiated with the government, which promised to pay the amounts owed and subsequently recover any sums overpaid to the workers. On May 27, the Constitutional Chamber of the Supreme Court of Justice upheld more than 200 recursos de amparo filed against the state by MEP workers affected in the payment of their salaries and ordered contingency measures to reconcile payments within a month. On May 30, the government announced that the MEP and the Finance Ministry had paid more than ₡6 billion as an extraordinary payroll corresponding to 25,618 payroll movements left pending settlement due to the hack.

Impact
This set of attacks drew attention to Latin America's lagging cybersecurity infrastructure. In 2020, 12 countries in Latin America had a national cybersecurity strategy; by July 2023, 20 countries had one.