Government-Targeted Attacks Trigger State of Emergency in Costa Rica Due to Sustained Cyberattacks

Risk:
high
Damage:
high
Platform(s):
Microsoft® Windows OS
Advisory ID:
ngCERT-2022-0073
Version:
N/A
CVE:
N/A
Published:
May 3, 2022

Summary


The Conti ransomware gang has threatened further attacks on governments after crippling Costa Rica's treasury, prompting the incoming administration of President Rodrigo Chaves to declare a state of national cybersecurity emergency. In April 2022 the group deployed ransomware against Costa Rican government systems, taking down the customs and tax platforms and severely disrupting the country's foreign trade. Conti has described the attack on Costa Rica's government as merely a "Demo Version", which underlines the need for Nigerian government bodies and organisations to take proactive measures against similar attacks.

Description & Consequence


Conti is a ransomware-as-a-service (RaaS) operation believed to be run by a cybercrime group based in Russia. The group is known for targeting organisations where disruption can be life-threatening, such as hospitals, emergency dispatch centres, emergency medical services and law enforcement. Initial access typically comes from stolen Remote Desktop Protocol (RDP) credentials or from phishing emails carrying malicious attachments. Once inside, Conti automatically scans the network for valuable targets, spreads to the Windows hosts it can reach and encrypts every file it finds. It behaves much like other ransomware but has been engineered to be faster and more evasive, and, as with many modern extortion gangs, it steals data before encrypting so that victims can be threatened with public release as well as loss of access (double extortion). According to the FBI, the Conti group has been responsible for hundreds of ransomware incidents over the last two years.
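Stolen or brute-forced RDP credentials are the first vector named above, and they leave a recognisable trail in the Windows Security log: runs of event 4625 (failed logon) with logon type 10 (RemoteInteractive) from one source, followed by a 4624 (successful logon) from the same source. The detection below is an added example written for this advisory; it is not ngCERT's tooling, not code from any referenced report, and not Conti's. It runs over a constructed, flattened representation of those events (one `timestamp|EventID|LogonType|TargetUserName|IpAddress` line per event, an assumption; real events are XML and would be pulled from the log or a SIEM) and raises three kinds of alert: repeated failures from one IP (brute force), many different accounts tried from one IP (password spraying), and a successful RDP logon from an IP already flagged. The thresholds and window are assumptions to be tuned per environment.

```python
"""Detect RDP credential attacks in Windows Security events (added example, not ngCERT code)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events, flattened to timestamp|EventID|LogonType|TargetUserName|IpAddress.
# EventID 4625 = failed logon, 4624 = successful logon; LogonType 10 = RemoteInteractive (RDP).
# IPs are documentation ranges; account names are made up.
SAMPLE_EVENTS = """\
2022-04-17T02:14:01Z|4625|10|administrador|203.0.113.7
2022-04-17T02:14:09Z|4625|10|administrador|203.0.113.7
2022-04-17T02:14:20Z|4625|10|administrador|203.0.113.7
2022-04-17T02:14:31Z|4625|10|administrador|203.0.113.7
2022-04-17T02:14:44Z|4625|10|administrador|203.0.113.7
2022-04-17T02:15:02Z|4625|10|administrador|203.0.113.7
2022-04-17T02:16:40Z|4624|10|administrador|203.0.113.7
2022-04-17T03:00:00Z|4625|10|jperez|198.51.100.23
2022-04-17T03:00:05Z|4625|10|mrojas|198.51.100.23
2022-04-17T03:00:11Z|4625|10|acastro|198.51.100.23
2022-04-17T03:00:16Z|4625|10|lvargas|198.51.100.23
2022-04-17T08:30:00Z|4625|10|jperez|10.0.5.12
2022-04-17T08:30:30Z|4624|10|jperez|10.0.5.12
2022-04-17T09:00:00Z|4625|3|svc-backup|10.0.5.40
"""

FAIL_THRESHOLD = 5            # assumed: failed RDP logons from one IP inside WINDOW
SPRAY_THRESHOLD = 3           # assumed: distinct accounts tried from one IP inside WINDOW
WINDOW = timedelta(minutes=10)
RDP_LOGON_TYPE = "10"


def parse_events(text):
    """Parse the flattened event lines into dicts, sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, logon_type, user, ip = line.split("|")
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "event_id": event_id,
            "logon_type": logon_type,
            "user": user,
            "ip": ip,
        })
    return sorted(events, key=lambda e: e["ts"])


def detect_rdp_attacks(events):
    """Return one alert per (ip, type): brute_force, password_spray, success_after_failures."""
    recent_fails = defaultdict(deque)   # ip -> deque of (ts, user) for failed RDP logons in WINDOW
    flagged = {}                        # ip -> set of alert types already raised for that ip
    alerts = []

    def raise_alert(ip, kind, ts, detail):
        if kind in flagged.setdefault(ip, set()):
            return                      # do not spam the same alert for the same source
        flagged[ip].add(kind)
        alerts.append({"ip": ip, "type": kind, "ts": ts.isoformat(), "detail": detail})

    for e in events:
        if e["logon_type"] != RDP_LOGON_TYPE:
            continue                    # network/service logons are out of scope for this rule
        ip = e["ip"]
        window = recent_fails[ip]
        while window and e["ts"] - window[0][0] > WINDOW:
            window.popleft()            # slide the window forward
        if e["event_id"] == "4625":
            window.append((e["ts"], e["user"]))
            if len(window) >= FAIL_THRESHOLD:
                raise_alert(ip, "brute_force", e["ts"],
                            f"{len(window)} failed RDP logons within {WINDOW}")
            users = {u for _, u in window}
            if len(users) >= SPRAY_THRESHOLD:
                raise_alert(ip, "password_spray", e["ts"],
                            f"{len(users)} distinct accounts tried: {sorted(users)}")
        elif e["event_id"] == "4624" and flagged.get(ip):
            # A successful RDP logon from a source that was already attacking is the
            # signal that matters most: credentials may now be in the attacker's hands.
            raise_alert(ip, "success_after_failures", e["ts"],
                        f"RDP logon as {e['user']} after {sorted(flagged[ip])}")
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_attacks(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

The single failure followed by success from 10.0.5.12 is deliberately left silent: an ordinary mistyped password must not page an analyst, which is why the success rule only fires for sources that already crossed a threshold. The logon-type filter matters too; network logons (type 3) from service accounts fail constantly and would drown the RDP signal.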

In this latest attack, the affected Costa Rican government agencies include the Ministry of Finance; the Ministry of Labor and Social Security; the Ministry of Science, Innovation, Technology and Telecommunications; the National Meteorological Institute; the Social Development and Family Allowances Fund; and the Interuniversity Headquarters of Alajuela, among others. The full scope of the damage is not yet known.

Following a successful intrusion, the group demands extremely large ransoms, making Conti one of the most expensive ransomware strains documented. Conti reportedly demanded $10 million from Costa Rica's government in exchange for not releasing the stolen information. The government has so far refused to pay, and Conti has responded by publishing on its data-leak site 97 percent of the 672 GB of data it claims to have stolen from Costa Rican agencies. Because the stolen data is published when the ransom is not paid, the exposure extends beyond the disruption of Costa Rica's own services to the personal and financial data of government employees and citizens contained in the leaked files. According to the FBI, as of January 2022 there had been more than 1,000 Conti victims worldwide, with victim payouts exceeding $150,000,000.

Solution


To help prevent future attacks like the one on Costa Rica, the United States government is offering a reward of up to $10 million for information leading to the identification and/or location of any of the Conti group's leaders, and up to $5 million for information leading to the arrest or conviction of anyone involved in a Conti ransomware attack. While authorities pursue Conti, governments and organisations should take the following steps to reduce the likelihood and impact of a ransomware attack:

  1. Deploy a secure email gateway that provides multilayered protection against the full spectrum of email-borne threats, with attachment sandboxing as an added layer; phishing with malicious attachments is one of Conti's initial access vectors.
  2. Deploy a web application firewall (WAF) to protect web applications by filtering and monitoring HTTP traffic to and from the web service.
  3. Maintain access to real-time, actionable threat intelligence to mitigate previously unseen threats, and share indicators with the broader cybersecurity community outside your organisation, including Computer Emergency Response Teams (CERTs) such as ngCERT.
  4. Deploy next-generation Endpoint Detection and Response (EDR) solutions that deliver real-time threat intelligence, visibility, analysis, management and protection for endpoints.
  5. Maintain and rehearse an incident response plan so the organisation is prepared to act if a ransomware attack succeeds.
  6. Back up all systems and data regularly, keep the copies offline or otherwise isolated from the network so that an intruder cannot encrypt or delete them, and test restores to confirm you can actually recover.
  7. Apply the zero-trust security model: treat every user, device and connection attempting to reach your network as untrusted until it has passed strict identity verification, and enforce multi-factor authentication, particularly on RDP and other remote access, since stolen RDP credentials are Conti's other main entry point.
  8. Ensure all employees receive substantial training on spotting and reporting suspicious activity, maintaining cyber hygiene, and securing their personal devices and home networks.
  9. Practise good basic cyber hygiene so that all systems are kept updated and patched.
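Step 6 above is the one most often claimed and least often tested. The script below is an added example for this advisory, not ngCERT's procedure or any vendor's product: it builds a SHA-256 manifest of a backup set, seals the manifest with an HMAC under a key that is assumed to be kept offline with the backup media (so an intruder with write access to the backup share cannot rewrite the manifest to match encrypted files), and then verifies a restored tree against it, reporting files that are missing, modified or unexpected. The "production" tree, file names and the damaged restore are constructed inline to make the run self-contained.

```python
"""Build a sealed backup manifest and verify a restore against it (added example, not ngCERT code)."""
import hashlib
import hmac
import json
import shutil
import tempfile
from pathlib import Path


def build_manifest(root):
    """Map every file under root (path relative to root) to its SHA-256 hex digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}


def seal_manifest(manifest, key):
    """Serialize the manifest deterministically and attach an HMAC-SHA256 over it."""
    body = json.dumps(manifest, sort_keys=True).encode()
    return {"manifest": manifest, "hmac": hmac.new(key, body, hashlib.sha256).hexdigest()}


def open_manifest(sealed, key):
    """Return the manifest only if its HMAC verifies; a rewritten manifest is rejected."""
    body = json.dumps(sealed["manifest"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sealed["hmac"]):
        raise ValueError("manifest HMAC mismatch: manifest altered or wrong key")
    return sealed["manifest"]


def verify_restore(manifest, restored_root):
    """Compare a restored tree with the manifest. Returns (ok, sorted list of problems)."""
    restored = build_manifest(restored_root)
    problems = [f"missing: {r}" for r in manifest if r not in restored]
    problems += [f"modified: {r}" for r in manifest if r in restored and restored[r] != manifest[r]]
    problems += [f"unexpected: {r}" for r in restored if r not in manifest]
    return not problems, sorted(problems)


def run_restore_test():
    """Constructed scenario: a clean restore, a damaged restore and a tampered manifest."""
    key = b"example-key-kept-offline-with-the-backup-media"   # assumption: never stored on the network
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp, "prod")                                # constructed "production" data
        (src / "taxes").mkdir(parents=True)
        (src / "customs.db").write_bytes(b"declaration records")
        (src / "taxes" / "2022.csv").write_bytes(b"id,amount\n1,100\n")
        sealed = seal_manifest(build_manifest(src), key)      # taken at backup time

        good = Path(tmp, "restore_ok")
        shutil.copytree(src, good)                             # faithful restore

        bad = Path(tmp, "restore_bad")
        shutil.copytree(src, bad)
        (bad / "customs.db").write_bytes(b"\x00encrypted\x00")  # contents replaced by ransomware
        (bad / "taxes" / "2022.csv").unlink()                   # file lost
        (bad / "README.txt").write_bytes(b"pay us")             # ransom note dropped into the set

        manifest = open_manifest(sealed, key)
        good_result = verify_restore(manifest, good)
        bad_result = verify_restore(manifest, bad)

        # Attacker rewrites the manifest entry so the encrypted file would "verify".
        forged = {**sealed["manifest"], "customs.db": "0" * 64}
        tampered = {"manifest": forged, "hmac": sealed["hmac"]}
        try:
            open_manifest(tampered, key)
            tamper_detected = False
        except ValueError:
            tamper_detected = True

    return {"good": good_result, "bad": bad_result, "manifest_tamper_detected": tamper_detected}


if __name__ == "__main__":
    for name, value in run_restore_test().items():
        print(name, value)
```

In practice the manifest and key would be produced on the backup host at backup time and the verification run on a scratch machine after a full restore drill, not on the production system; a restore that passes only because it was checked against a manifest the attacker could also edit proves nothing, which is what the HMAC guards against.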

Reference


  1. https://www.darkreading.com/attacks-breaches/costa-rica-declares-state-of-emergency-under-sustained-conti-cyberattacks
  2. https://cybernews.com/news/costa-rica-declares-a-state-of-emergency-over-conti-cyberattack/
  3. https://threatpost.com/conti-ransomware-attack-emergency-costa-rica/179560/
