In the wake of a massive ransomware attack on the Costa Rican government in April, the US government last week announced a bounty potentially worth millions of dollars on people involved with the Conti ransomware used in the hack. Rodrigo Chaves Robles, the recently sworn-in president of Costa Rica, has declared a national emergency over the attack, according to CyberScoop.
According to BleepingComputer, the ransomware attack affected the ministries of Finance and Labor and Social Security of Costa Rica, as well as the Social Development and Family Benefits Fund. The report also says the attack hit some departments of the country’s treasury from April 18. Not only have hackers taken down some of the government’s systems, but they are also leaking data, according to CyberScoop, which notes that nearly 700GB of data has landed on Conti’s site.
The US State Department says the attack “seriously affected the country’s foreign trade by disrupting customs and tax platforms” and is offering “up to $10 million for information leading to the identification and/or location” of the organizers behind Conti. The US government is also offering $5 million for information “leading to the arrest and/or conviction of a person in a country who conspires to participate in or attempts to participate” in a Conti-based ransomware attack.
Last year, the US offered similar bounties on REvil and DarkSide (the group behind the Colonial Pipeline attack). REvil is largely considered shut down after the US reportedly hacked into the group’s servers and the Russian government claimed to have arrested several members.
The Costa Rican government is not the only entity to fall victim to Conti’s ransomware. As Krebs on Security notes, the group is especially notorious for targeting healthcare facilities such as hospitals and research centers.
The gang is also known for having its chat logs leaked after declaring full support for the Russian government shortly after the invasion of Ukraine began. According to CNBC, those logs showed that the group behind the ransomware itself had organizational problems: people were not paid and arrests were made. However, as with many ransomware operations, the actual software was also used by “affiliates” or other entities who used it to carry out their own attacks.
In the case of Costa Rica, the attacker claims to be one of these affiliates and says they are not part of a bigger team or government, according to a report from CyberScoop. However, they have threatened “serious” attacks, calling Costa Rica a “demo version”.