Conti Ransomware Targets Costa Rican Government Entities

Fraud Management & Cybercrime
,
Ransomware

After Demand of $10 Million Ransom Is Not Met, Conti Begins Leaking Data

Mihir Bagwe •
April 21, 2022    

The Conti ransomware group, which declared support for Russia’s invasion of Ukraine, has subsequently been extremely energetic in concentrating on the U.S. and its NATO allies. But within the newest assault spree recorded on a single nation, Conti has reportedly focused no less than 5 Costa Rican authorities businesses.

See Also: Live Webinar | The Great Crypto Migration: Best Agency Practices for Mitigating Risk

The focused businesses embody the Ministry of Finance – or Ministerio de Hacienda; the Ministry of Science, Innovation, Technology and Telecommunications – or MICITT; the Instituto Meteorológico Nacional – or IMN; the Radiográfica Costarricense – or RACSA; and a Caja Costarricense de Seguro Social – or CCSS – portal. Paola Vega Castillo, the pinnacle of MICITT, confirmed this listing in a press convention held in Costa Rica on Wednesday.

According to Castillo, within the case of MICITT, solely “modification of the contents of the online web page” was carried out and no proof of data being extracted was discovered. But in case of the IMN and RACSA a “strategy of extracting e-mail archives” was detected, and the CCSS confirmed that its human assets portal had been focused, she says.

QCostaRica, an area media company, cited Minister of the Presidency Geannina Dinarte Romero, who additionally confirmed this report however dominated out any possibilities of a ransom fee to the Conti group.

Conti had demanded a $10 million ransom from the Costa Rican authorities, however since no negotiations have been initiated, the group has now begun to leak knowledge it exfiltrated through the assault, in accordance with its darkish website online.

The Biggest Victim

The first and possibly the biggest company affected is Costa Rica’s Ministry of Finance, primarily based on the quantity of knowledge exfiltrated, in accordance with Conti’s submit.

#Conti‘s newest replace on the cyberattack in opposition to Costa Rica’s Ministerio de Hacienda

“If the ministry can not clarify to its tax payers what’s going on, we’ll do it 1) we now have penetrated their important infrastructure, gained entry to about 800 servers, …”pic.twitter.com/wp2Y8UeGGN

— BetterCyber (@_bettercyber_) April 20, 2022

In the submit revealed by the ransomware group on its title and disgrace web site “Conti News,” the group says that it has gained entry to about 800 servers from which practically 1TB price of knowledge has been exfiltrated, together with 900GB of Tax Administration Portal – or ATV – databases, within the MSSQL mdf format, and 100GB of inner paperwork containing full names and e-mail addresses of these within the Ministry of Finance.

On Wednesday, the Conti group added an replace to the identical submit, stating it had entry to 2 different e-mail server information of two extra Costa Rican entities. The group additionally claimed to have applied numerous backdoors in numerous public ministries and personal firms and pledged to proceed to assault the ministries of Costa Rica till its authorities paid them, in accordance with the replace.

In the late hours of Wednesday, Conti News added 4 compressed information with info supposedly extracted from the sufferer’s techniques that features greater than 10GB of data out there for obtain.

The Ministry’s Response

The Ministry of Finance stated in an extensive Twitter thread that within the early hours of Monday, April 18, it started to have issues in a few of its servers and that since then, it has been investigating and analyzing in depth what had occurred. Meanwhile, it briefly suspended the ATV and TICA – Tax and Customs – platforms and stated they are going to be out there once more after the evaluation is accomplished.

The knowledge uncovered/leaked by the attackers corresponds to the General Directorate of Customs and is used as enter and assist, however it isn’t of any historic nature, the ministry says within the Twitter thread.

After the preliminary announcement by Conti and the following affirmation by the ministry in regards to the incident, the group focused the positioning of the Ministry of Science and Technology to publish a message that claims: “We say howdy from Conti, search for us inside your community.”

At the time of this writing, Information Security Media Group discovered all of the focused web sites nonetheless down and primarily based on the Twitter posts of the Ministry of Finance, it seems that even the ATV and TICA portals are offline as their IT groups try to resolve the difficulty together with the assistance of exterior stakeholders.

“So far, Spain, the United States, Israel, Microsoft and GBM, the main IT providers firm in Central America and the Caribbean, have supplied their assist to the nation to regain management of Treasury platforms,” Dinarte Romero stated in her press convention.

Latest Victims

The Conti group has already claimed entry to an intensive authorities community by backdoors it says it positioned in them. It additionally says that it’ll not cease its operations till the ransom is paid, and right this moment the group added one other two authorities entities – the Social Development Fund and Family Allowances, or Fondo de Desarrollo Social y Asignaciones Familiares or FODESAF, and the Ministry of Labor and Social Security, or Ministerio de Trabajo y Seguridad Social or MTSS – to the already-long listing of focused Costa Rican authorities entities.

#Conti continues the cyberattack in opposition to Costa Rica, allegedly compromising the Fondo de Desarrollo Social y Asignaciones Familiares (FODESAF) and Ministerio de Trabajo y Seguridad Social (MTSS)…#Ransomware #RansomwareGroup pic.twitter.com/pmbQIog12I

— BetterCyber (@_bettercyber_) April 21, 2022

At the time of writing, the 2 web sites, fodesaf.go.cr and mtss.go.cr, which look like subdomains of the principle authorities web site, have been nonetheless on-line and didn’t show any messages from Conti group, as was seen within the case of the MICITT web site.

The group has additionally revealed extra knowledge – roughly 24GB – allegedly belonging to the Costa Rican Ministry of Finance, in accordance with an up to date submit on Conti’s darkish website online Conti News. This takes the whole revealed knowledge depend to 6 information containing 39.77GB of knowledge.

Jorge Mora, director of digital governance at MICITT, stated in a press convention Wednesday that aside from the evaluation of the present scenario, prevention processes and mitigation measures are being developed., and alerts are being issued to different establishments in order that they’re additional ready for such occasions,.

“We are within the strategy of figuring out dangers in different establishments in order that the groups can attend to them in a preventive method,” Mora stated.

Conti Turns to Linux-Based VMs

As Costa Rica reels from Conti’s repeated breaches, the group additionally appears to be sharpening its abilities, in accordance with analysis from Trellix that claims the Russian ransomware group has now turned its consideration to ESXi Hypervisors with its Linux-based variant.

“On April 4, 2022, we detected a pattern uploaded, which triggered our threat-hunting guidelines. Upon additional investigation, we decided the file is a Conti variant compiled for the Linux working system concentrating on ESXi servers. Although the ESXi model of Conti is just not new and has already been mentioned, that is the primary public pattern we now have seen within the wild,” the researchers say.

Following the leak of a number of years’ price of inner messages and Conti’s playbook in 2021, the researchers at Trellix have offered a technical evaluation of the not too long ago detected Linux variant of Conti ransomware, in a technical blog.