The Costa Rican government declared a state of emergency on May 8, following cyberattacks by the Russian Conti ransomware gang “on more than 20 public institutions and more than a dozen high-profile private institutions,” Esteban Jiménez, chief technology officer of the Costa Rican cybersecurity firm Atticyber, told Diálogo.
The Ministry of Finance’s digital services have been down since April 18. The attacks, for which Conti claimed responsibility, have impacted customs and tax collection systems, generating losses and damages and increasing future risks for the assets of the community, as well as for the fundamental right to privacy of individuals, the Costa Rican government said.
“[We] continue to get attacks on other institutions’ different databases,” the government added. “We are facing a situation of disaster, public calamity, and internal commotion.”
Other public agencies affected include the Ministry of Labor and Social Security; the National Meteorological Institute; and the Ministry of Science, Innovation, Technology, and Telecommunications.
The Russian group initially demanded a $10 million ransom from the Costa Rican government in exchange for not releasing stolen information from the Ministry of Finance, reported newspaper Costa Rica Hoy. The government declined to pay, resulting in Conti leaking extracted documents and data on its site.

On May 16, the group upped its threat, saying its goal is now to overthrow the Costa Rican government, and increased its ransom to $20 million.
Military weapon
“The development of its main software comes from funding from the Russian government. It’s a military weapon […] that […] these groups use,” Jiménez said. “The software weapons used in recent months in Costa Rica are variants of many of the attack packages obtained and studied, from infections in Ukraine and the United States.”
Conti, based in Russia, relies on salaried hackers to breach government or commercial websites, steal information or encrypt them. If affected entities pay ransom to recover their stolen data the money is shared as a bonus, the Central América news site reported.
Preparation for the hack can take between six months to a year. Once inside the system the group devises a series of attack targets. In this case “Costa Rica is an open ally of the United States, of interest to the Conti group because it is an adversary,” said Jiménez. “The infection started between the end of January and the beginning of February.”
In February, Conti threatened to attack the Kremlin’s enemies if they responded to the invasion of Ukraine, the magazine América Economía reported. This group remains very active in Latin America, modifying its technologies and tools to evade organizations’ defenses and earn more revenue.
Reward
According to the FBI’s Internet Crime Report 2021, Conti’s malware was among the top three variants that assaulted U.S. critical infrastructure, attacking the manufacturing, financial, technology, food and construction sectors.
The Russian gang has been responsible for hundreds of ransomware incidents over the past two years. The FBI estimates that as of January 2022, there has been more than 1,000 victims of attacks associated with Conti, with payouts of more than $150 million. It is the costliest strain of ransomware ever documented, the U.S. Department of State said on May 6.
Following the Costa Rica attack, the United States offered a reward of up to $10 million for information leading to the identification or location of key leaders of the Conti criminal group, and up to $5 million for information leading to their arrest and/or conviction.
“In offering this reward, the United States demonstrates its commitment to protecting potential ransomware victims around the world from exploitation by cybercriminals,” the U.S. Department of State said. “We look to partner with nations willing to bring justice for those victims affected by ransomware.”
Defense strategy
“In the national emergency, Costa Rica must focus on a coordinated defense strategy,” Jiménez said. “In principle, provide public institutions in the very short term with new policies, procedures, and controls, to verify their technological platform.”
To prevent and respond to an eventual cyberattack in the coming weeks or months, Jiménez said, Costa Rican authorities are focusing on international support, mainly in training public agencies.
In addition, “Costa Rica and its different security agencies are receiving from allied countries such as the United States, Israel, and Spain, [weekly] indicators of commitment and prevention, related to attacks or trends observed at the regional level, to warn their institutions,” Jiménez concluded.