Second ransomware group attacks Costa Rica

Visual representation of ransomware by showing encrypted files on a display
(Image credit: Shutterstock)

Costa Rica has been hit by a ransomware attack from a second ransomware group, this time targeting its health service.

The Costa Rican Social Security Fund (CCSS) confirmed yesterday that it had suffered an attack early in the morning, although it said its databases containing information on payroll and pensions hadn’t been affected.

The CCSS said it was carrying out an analysis to try and restore critical services, but it wasn’t possible to determine when they will be operating again. As a cautionary measure, it has also taken all of its systems offline.

A notice from the CCSS stated that various internal systems were down. Only employees working from home would also be able to access Office 365 and it advised workers not to connect to its network through a VPN until it had new information on the attack.

Local employees working in the health service also said on Twitter that their printers began printing pages of ASCII-based text by themselves before the attack had been reported.

The attack appears to be carried out by the Hive ransomware group, according to journalist Brian Krebs who has seen the ransom note.

This is a different group to Conti, which had been targeting the country previously. The Conti ransomware attack forced the country to declare a state of emergency at the start of May after it emerged that it had impacted 27 government institutions. The ransomware group also threatened to overthrow the Costa Rican government after demanding that it pay $10 million in ransom.

"Although we don’t have the evidence to support the notion that Hive and Conti are working together, we can’t exclude this as a possibility," Christiaan Beek, Lead Scientist & Sr. Principal Engineer of Trellix Threat Labs, told IT Pro. "After all, Conti released a public statement announcing support for ‘smaller’ operations. Interestingly, yesterday we discovered a new Conti Linux sample and a live page on the .onion network that was supporting this campaign, which raises questions. We’ll need to wait and see how this develops.

"It’s unfortunate that we’re seeing these repeat attacks on developing countries, such as Costa Rica as we know that this type of disruption comes with serious consequences," he added. "Costa Rica appears to be a repeat target due to the amount of access attackers gained previously – potentially through a managed service provider was compromised – to the critical and government infrastructure and resulting disruption. Sadly, if criminals already the impact of their actions, they’re likely to revisit the scene of the crime."

Why did Conti attack Costa Rica?


Protecting healthcare from cybercrime

Best practices to address evolving cyber security threats


It's possible that the Conti ransomware group is slowly shutting down, according to a report from Bleeping Computer. Infrastructure is being taken offline and team leaders have been told that the brand is no more.

Research from Advintel claims that former Conti members may have migrated to Hive, shedding Conti’s name and image.

The researchers found that Conti conducted the attack on Costa Rica for publicity instead of ransom, and was organised by the group as it began restructuring itself. It was very vocal about the attack, constantly adding new political statements, and helped bring the group into the spotlight while real restructuring was taking place.

“The only goal Conti had wanted to meet with this final attack was to use the platform as a tool of publicity, performing their own death and subsequent rebirth in the most plausible way it could have been conceived,” said Advintel.

Conti has been planning the rebranding for several months. It has adopted a different structure which is formed as a coalition of several new subdivisions. Some of these are independent while others exist in another ransomware collective. They are all united, however, by internal loyalty to each other and the Conti leadership, stated the research.

The network includes two different groups. Fully autonomous groups which focus on stealing data, like Karakurt, BlackBasta, and BlackByte.

The second type is semi-autonomous, which acts as Conti-loyal collective affiliates within other collectives. This includes AlphV/BlackCat, Hive, HelloKitty/FiveHands, and AvosLocker.

Zach Marzouk

Zach Marzouk is a former ITPro, CloudPro, and ChannelPro staff writer, covering topics like security, privacy, worker rights, and startups, primarily in the Asia Pacific and the US regions. Zach joined ITPro in 2017 where he was introduced to the world of B2B technology as a junior staff writer, before he returned to Argentina in 2018, working in communications and as a copywriter. In 2021, he made his way back to ITPro as a staff writer during the pandemic, before joining the world of freelance in 2022.