But the attack against the finance ministry was just the beginning. A timeline shared by Mora claims Conti attempted to breach different government organizations almost every day between April 18 and May 2. Local authorities, such as the Municipality of Buenos Aires, were targeted, as well as central government organizations, including the Ministry of Labor and Social Security. In some cases, Conti was successful; in others, it failed. Mora says the US, Spain, and private companies helped defend against Conti attacks, providing software and indicators of compromise related to the group. “That blocked Conti a lot,” he says. (In early May, the US posted a $10 million reward for information about Conti’s leadership.)
On May 8, Chaves started his four-year term as president and immediately declared a “national emergency” due to the ransomware attacks, calling the attackers “cyberterrorists.” Nine of the 27 targeted bodies were “very affected,” Chaves said on May 16. The MICIT, which is overseeing the response to the attacks, did not respond to questions about the progress of the recovery, despite originally offering to set up an interview.
“All the national institutions, they don’t have enough resources,” Robles says. During the recovery, he says, he has seen organizations running on legacy software, making it much harder to enable the services they provide. Some bodies, Robles says, “don’t even have a person working on cybersecurity.” Mora adds that the attacks show Latin American countries need to improve their cybersecurity resilience, introduce laws to make cyberattack reporting mandatory, and allocate more resources to protect public institutions.
But just as Costa Rica started getting a grip on the Conti attacks, another hammer blow struck. On May 31, the second attack started. The systems of the Costa Rican Social Security Fund (CCSS), which organizes health care, were taken offline, plunging the country into a new kind of disarray. This time the HIVE ransomware, which has some links to Conti, was blamed.
The attack had an immediate effect on people’s lives. Health care systems went offline and printers spewed out garbage, as first reported by security journalist Brian Krebs. Since then patients have complained of delays in getting treatment and the CCSS has warned parents whose children were undergoing surgery that they may have trouble locating their kids. The health service has also begun printing discontinued paper forms.
By June 3, CCSS had declared an “institutional emergency,” with local reports claiming that 759 of the 1,500 servers and 10,400 computers have been impacted. A spokesperson for CCSS says hospital and emergency services are now running normally and the efforts of its staff have maintained care. However, those seeking medical care have faced significant disruptions: 34,677 appointments have been rescheduled, as of June 6. (The figure is 7 percent of total appointments; the CCSS says 484,215 appointments have gone ahead.) Medical imaging, pharmacies, testing laboratories, and operating theaters are all facing some disruption.
The Death of Conti
There are questions about whether the two separate ransomware attacks against Costa Rica are linked. However, they come as the face of ransomware may be changing. In recent weeks, Russian-linked ransomware gangs have changed their tactics to avoid US sanctions and are fighting over their territory more than usual.
Conti first announced its attack on the finance ministry on its blog, where it publishes the names of its victims and, if they fail to pay its ransom, the files it has stolen from them. A person or group dubbing themselves unc1756—the “UNC” abbreviation is used by some security firms to indicate “uncategorized” attackers—used the blog to claim responsibility for the attack. The attacker demanded $10 million as a ransom payment, later upping the figure to $20 million. When no payment was made, they started uploading 672 GB of files to Conti’s website.