Historical cyberattack. What happened in Costa Rica?

April 21, 2022

Conti cyber threat actors remain active. The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) first documented more than 400 Conti ransomware attacks against US and international organizations; by their March 2022 update, the count of reported attacks had grown to more than 1,000. Notable tooling includes TrickBot malware for initial access and Cobalt Strike for post-exploitation.

This time the group's attack was not directed at the USA but at a Central American country, and it has put the Costa Rican government with its back against the wall. The attack was ransomware: malware that restricts access to files on an infected system by encrypting them and then demands payment in exchange for restoring access. In this case the attackers also exfiltrated data, which they threaten to publish if the ransom is not paid.

The world found out about this attack when the extortion message went viral on Twitter.

"We ask only 10 million dollars to keep your taxpayers' data," reads the message, relayed on Twitter by the BetterCyber account. The message is concise, the threat is enormous: the group claims to hold 1 terabyte of data.

Our experts profiled this cybercriminal group and concluded that ransomware is its preferred weapon. The platforms that were breached and affected were TICA (Tecnología de Información para el Control Aduanero), the customs system used by national importers and exporters, and ATV (Administración Tributaria Virtual), the site where taxpayers file their income tax and sales tax returns, among other tax obligations.

Treasury reaction

Seeking to counteract what happened, the Treasury moved the tax payment deadline and asked Customs to apply a contingency plan while the incident is resolved.

So far there is no official answer as to whether the government will give in and pay that sum, or whether there is another plan. What the authorities did do was confirm the attack through a statement from the Ministry of Finance.

When questioned by the media, the authorities did not go beyond the information in the statement, which explained that:

"Indeed, since early today (Monday, April 18, 2022) we have been facing a situation on some of our servers, which has been attended to by our staff and by external experts, who during the last few hours have been trying to detect and repair the situations that are occurring."

It was also explained that platforms such as ATV and TICA have been "temporarily suspended, and that the services will be restarted once the teams conclude their analysis."

The Ministry reiterated that the data identified so far are historical records used by the National Customs Service, and that, according to the Ministry, the stolen information does not affect the operational or control actions carried out by the National Customs Service.

As the Ministry explained, the National Customs Service is in the process of applying new risk methodologies with international assistance; the instruments were recently updated and modified, and the stolen information is not part of the new methodology.

What do the experts say?

Mario Robles, a Costa Rican cybersecurity expert, explained publicly about groups like Conti that:

"It is known that in times of 'calm' they prepare attacks directed at people and very well elaborated (spearphishing), but in the moment of hype they use any means to cause a sense of urgency, and that is where what is happening comes in: perimeter exploitation, because it is the easiest to reach and the most difficult to track."

He also said that "it is no coincidence that, for this reason, at WhiteJaguars we are promoting the proactive review of the perimeter in search of the critical vulnerabilities that criminal groups like Conti use to penetrate the infrastructure of organizations."

And finally, he detailed that, in response, his companies search manually and expeditiously for the same vectors that those groups use; the groups themselves carry out automated reviews with commercial tools and also apply tools and scripts that they develop in-house.

Government of Costa Rica is still under cyberattack and will not give in to extortion

The Government of Costa Rica reported this Wednesday that, for the third day, it remains under a cyberattack that has mainly affected the Ministry of Finance, and assured that it will not give in to extortion from the group that has claimed responsibility for the attack.

"We are dealing with the issue with all technical rigor and at the highest level. We are facing a situation orchestrated by transnational organized crime. We are not prepared for any extortion or reward payment," said the Minister of the Presidency, Geannina Dinarte, at a press conference.

The minister explained that the Government is reinforcing protocols and preventive measures in its institutions, has launched a continuity plan so as not to suspend services, and has the support of the private sector, friendly countries and international organizations.

The Conti group has stated online that on April 23 it will publish the information extracted from the Ministry of Finance if the Government does not pay it $10 million.

The attack has forced the Ministry of Finance to disable the ATV platform, which is used for filing and paying taxes, and the TICA system, which handles the country's exports and imports.

The system for paying State salaries is also disabled. Finance Minister Elián Villegas stated that the situation "is under control" and that the systems will remain offline for as long as necessary to ensure that the threat no longer exists and the systems are "clean."

Villegas assured that salaries, debt service and pensions will be paid without problems on the established dates, while customs will operate under a contingency plan, without access to the TICA system, to keep imports and exports moving.
