IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Second ransomware group attacks Costa Rica

The country’s health service has had its systems affected by the new attack

Costa Rica has been hit by a ransomware attack from a second ransomware group, this time targeting its health service.

The Costa Rican Social Security Fund (CCSS) confirmed yesterday that it had suffered an attack early in the morning, although it said its databases containing information on payroll and pensions hadn’t been affected.

The CCSS said it was carrying out an analysis to try and restore critical services, but it wasn’t possible to determine when they will be operating again. As a cautionary measure, it has also taken all of its systems offline.

A notice from the CCSS stated that various internal systems were down. Only employees working from home would also be able to access Office 365 and it advised workers not to connect to its network through a VPN until it had new information on the attack.

Local employees working in the health service also said on Twitter that their printers began printing pages of ASCII-based text by themselves before the attack had been reported.

The attack appears to be carried out by the Hive ransomware group, according to journalist Brian Krebs who has seen the ransom note. 

This is a different group to Conti, which had been targeting the country previously. The Conti ransomware attack forced the country to declare a state of emergency at the start of May after it emerged that it had impacted 27 government institutions. The ransomware group also threatened to overthrow the Costa Rican government after demanding that it pay $10 million in ransom.

"Although we don’t have the evidence to support the notion that Hive and Conti are working together, we can’t exclude this as a possibility," Christiaan Beek, Lead Scientist & Sr. Principal Engineer of Trellix Threat Labs, told IT Pro. "After all, Conti released a public statement announcing support for ‘smaller’ operations. Interestingly, yesterday we discovered a new Conti Linux sample and a live page on the .onion network that was supporting this campaign, which raises questions. We’ll need to wait and see how this develops.

"It’s unfortunate that we’re seeing these repeat attacks on developing countries, such as Costa Rica as we know that this type of disruption comes with serious consequences," he added. "Costa Rica appears to be a repeat target due to the amount of access attackers gained previously – potentially through a managed service provider was compromised – to the critical and government infrastructure and resulting disruption. Sadly, if criminals already the impact of their actions, they’re likely to revisit the scene of the crime."

Why did Conti attack Costa Rica?

Related Resource

Protecting healthcare from cybercrime

Best practices to address evolving cyber security threats

Whitepaper cover with title and image of healthcare professionals in white coats and latex gloves looking at a tablet in a labFree Download

It's possible that the Conti ransomware group is slowly shutting down, according to a report from Bleeping Computer. Infrastructure is being taken offline and team leaders have been told that the brand is no more.

Research from Advintel claims that former Conti members may have migrated to Hive, shedding Conti’s name and image. 

The researchers found that Conti conducted the attack on Costa Rica for publicity instead of ransom, and was organised by the group as it began restructuring itself. It was very vocal about the attack, constantly adding new political statements, and helped bring the group into the spotlight while real restructuring was taking place.

“The only goal Conti had wanted to meet with this final attack was to use the platform as a tool of publicity, performing their own death and subsequent rebirth in the most plausible way it could have been conceived,” said Advintel.

Conti has been planning the rebranding for several months. It has adopted a different structure which is formed as a coalition of several new subdivisions. Some of these are independent while others exist in another ransomware collective. They are all united, however, by internal loyalty to each other and the Conti leadership, stated the research.

The network includes two different groups. Fully autonomous groups which focus on stealing data, like Karakurt, BlackBasta, and BlackByte.

The second type is semi-autonomous, which acts as Conti-loyal collective affiliates within other collectives. This includes AlphV/BlackCat, Hive, HelloKitty/FiveHands, and AvosLocker.

Featured Resources

Accelerating AI modernisation with data infrastructure

Generate business value from your AI initiatives

Free Download

Recommendations for managing AI risks

Integrate your external AI tool findings into your broader security programs

Free Download

Modernise your legacy databases in the cloud

An introduction to cloud databases

Free Download

Powering through to innovation

IT agility drive digital transformation

Free Download

Recommended

Government competition promises £12 million fund for UK tech startups
Business strategy

Government competition promises £12 million fund for UK tech startups

28 Jun 2022
New health data strategy to consult public on NHS data use
public sector

New health data strategy to consult public on NHS data use

13 Jun 2022
Ransomware group Conti threatens to overthrow Costa Rican government
ransomware

Ransomware group Conti threatens to overthrow Costa Rican government

17 May 2022
UK plan to abandon big tech regulator powers “makes no sense”
Policy & legislation

UK plan to abandon big tech regulator powers “makes no sense”

3 May 2022

Most Popular

Salaries for the least popular programming languages surge as much as 44%
Development

Salaries for the least popular programming languages surge as much as 44%

23 Jun 2022
The UK's best cities for tech workers in 2022
Business strategy

The UK's best cities for tech workers in 2022

24 Jun 2022
LockBit 2.0 ransomware disguised as PDFs distributed in email attacks
Security

LockBit 2.0 ransomware disguised as PDFs distributed in email attacks

27 Jun 2022