Costa Rica Ransomware Attack
During the course of May 2022, numerous cyber attacks were carried out against roughly 30 government agencies throughout Costa Rica.
President Alvarado's outgoing government reported that the cyber attacks first targeted the Ministry of Finance; after the government refused to pay a ransom of 10 million US dollars, additional attacks were carried out against other government offices including, but not limited to, the Ministry of Science, Technology and Telecommunications (MICITT), the Costa Rican Social Security Fund (CCSS), the Ministry of Labor and Social Security, the Fund for Social Development and Family Allowances, and the Administrative Board of the Municipal Electricity Service of Cartago.
One key attack targeting the Ministry of Finance impacted the digital public platforms TIC@ and ATV (Virtual Tax Administration), which play a key role in collecting taxes and paying salaries. As a result, processes were shifted to manual operations, i.e., pen and paper, which resulted in bottlenecks throughout the public sector. Trade was paralyzed, citizens were unable to access online public services, private companies were unable to report earnings or charge the state for professional services, and thousands of employees went partially or entirely unpaid.
These attacks lasted for roughly one month and caused significant damage to the Costa Rican economy. In the first two days alone, the Costa Rican Chamber of Foreign Commerce estimated losses of over $125 million, and it subsequently reported an additional $30 million in losses for each further day that the attacks continued.
The impact of these attacks led the incoming President Chaves to declare a state of national emergency and to seek assistance from the governments of Israel and the United States, which have since aided in recovery and repair efforts.
It took almost two months after the attack for the ATV tax system to restart, at which point employers were once again able to make payments. The Customs Control Information Technology system (TICA) and EXONET, a platform used to manage and process tax exemption requests, were restarted at the same time.
The subsequent investigation revealed two perpetrators:
- Conti Group. A pro-Russian criminal group dedicated to ransomware attacks: it steals files and documents from servers and then demands a ransom in exchange for not releasing the stolen sensitive information. Its primary modus operandi is to infect computers with malware, giving it easy access to targeted systems. Once the group has access to a compromised computer, it encrypts data and employs a double extortion ransomware strategy, also known as a two-step extortion scheme. Under this scheme, large quantities of information are exfiltrated from the system and the targeted files are then encrypted, which lets the attackers threaten to publicly release the data unless they are paid. After the initial ransom demand in exchange for the decryption key, the group turns to extortion: a small amount of data is released, with the threat of releasing additional material if the ransom is not paid.
- Hive Ransomware Group. A criminal organization known for targeting public institutions across the globe, particularly healthcare providers, energy providers, charities, and retailers. Hive uses several mechanisms to compromise business networks, including phishing messages with malicious attachments, to gain access to a target network; it then extracts copies of data and threatens to publish that data on a Tor website called HiveLeaks unless a ransom is paid.
The attacks in Costa Rica clearly demonstrate that government institutions are not immune from cyber attacks, and that information and data systems are critical assets to any organization.
Acknowledging that critical government agencies and services are attractive targets for attackers also means accepting that there is no substitute for proper cyber protection measures, including procedures for securing critical assets and the incorporation of cyber defense into the national defense strategy.
To offer just a few recommendations: ensure that robust backup systems are in place to protect sensitive and classified data and information. Routinely verify that the data held in the backup system(s) is actually available and intact, and that it can be restored quickly to an agency's systems in the event of an attack or any other scenario in which data, and therefore the services that depend on it, becomes unavailable.
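The backup recommendation above is only useful if it is exercised: a backup that has never been restored is an assumption, not a control. The following script is an added illustration of such a restore drill and is not part of the original case study or of any Costa Rican agency's tooling. It packs a directory into an archive together with a manifest of SHA-256 digests, then restores the archive into scratch space, checks every file against the manifest, and times the restore against an assumed recovery-time objective. The file names, contents and the 30-second RTO are constructed sample values; the drifted-backup scenario simulates an archive whose contents no longer match what was recorded, which is exactly the condition a drill should catch before an incident does.

```python
"""Backup restore drill: prove a backup restores intact and within an RTO.

Added example, not the case study's own code. Paths, sample records, the
manifest format and the RTO value are assumptions chosen for illustration."""
import hashlib
import json
import tarfile
import tempfile
import time
from pathlib import Path


def sha256_file(path: Path) -> str:
    """SHA-256 of a file, streamed so large backups never load fully into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def manifest_path(archive: Path) -> Path:
    """Manifest sits beside the archive here; in production keep a copy offline."""
    return archive.parent / (archive.name + ".manifest.json")


def create_backup(source: Path, archive: Path) -> dict:
    """Archive every file under `source` and record each file's digest."""
    manifest = {}
    with tarfile.open(archive, "w:gz") as tar:
        for path in sorted(p for p in source.rglob("*") if p.is_file()):
            rel = path.relative_to(source).as_posix()
            manifest[rel] = sha256_file(path)
            tar.add(path, arcname=rel)
    manifest_path(archive).write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_tree(restored: Path, manifest: dict) -> dict:
    """Compare a restored directory against the recorded digests."""
    missing, corrupted = [], []
    for rel, expected in manifest.items():
        target = restored / rel
        if not target.is_file():
            missing.append(rel)
        elif sha256_file(target) != expected:
            corrupted.append(rel)
    return {"missing": missing, "corrupted": corrupted}


def restore_drill(archive: Path, manifest: dict, rto_seconds: float) -> dict:
    """Restore into scratch space, verify integrity, and time it against the RTO."""
    start = time.monotonic()
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive, "r:gz") as tar:
            # Newer Python versions can refuse unsafe member paths via the "data" filter.
            if hasattr(tarfile, "data_filter"):
                tar.extractall(scratch, filter="data")
            else:
                tar.extractall(scratch)
        result = verify_tree(Path(scratch), manifest)
    result["elapsed_s"] = round(time.monotonic() - start, 3)
    result["within_rto"] = result["elapsed_s"] <= rto_seconds
    result["ok"] = not result["missing"] and not result["corrupted"] and result["within_rto"]
    return result


# Constructed sample records standing in for an agency's data; not real data.
SAMPLE_FILES = {
    "payroll/2022-05.csv": "employee_id,amount\n1001,1500.00\n1002,1725.50\n",
    "tax/returns.json": '{"period": "2022-04", "filings": 3}\n',
    "readme.txt": "constructed test data\n",
}


def run_demo(rto_seconds: float = 30.0) -> dict:
    """Run a clean drill and a drill against a backup whose content drifted."""
    with tempfile.TemporaryDirectory() as work_dir:
        work = Path(work_dir)
        source = work / "source"
        for rel, content in SAMPLE_FILES.items():
            (source / rel).parent.mkdir(parents=True, exist_ok=True)
            (source / rel).write_text(content)
        archive = work / "backup.tar.gz"
        manifest = create_backup(source, archive)
        clean = restore_drill(archive, manifest, rto_seconds)

        # Simulate drift: one file changed after the manifest was recorded, then
        # re-archived. Verifying against the ORIGINAL manifest must flag it.
        (source / "payroll/2022-05.csv").write_text("employee_id,amount\n1001,0.01\n")
        drifted = work / "backup-drifted.tar.gz"
        create_backup(source, drifted)  # writes its own manifest, deliberately ignored
        tampered = restore_drill(drifted, manifest, rto_seconds)
    return {"clean": clean, "tampered": tampered}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

In a real deployment the manifest is generated at backup time and stored with the offline copy, the drill restores onto a host separate from production, and the elapsed time is compared with the RTO the agency has actually committed to rather than the 30 seconds assumed here.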