Aamir Lakhani, with FortiGuard Labs, answers the question; Why is the Conti ransomware gang targeting people and businesses in Costa Rica?
Any time conflict erupts, people tend to take sides, even when it comes to cybercrime. Since the beginning of the ongoing Russian-Ukrainian war, some bad actors have made their alliances known publicly.
The Conti Ransomware-as-a-Service (RaaS) group is one of the most notable – declaring in February that they were backing Russia and would use their arsenal accordingly.
Their latest target seems to be the entire country of Costa Rica, which expressed its opposition to the Russian invasion. This begs the question: Should other countries be concerned? Why is this happening now, and what does it portend?
The Rise of Conti
The Conti ransomware group is behind many prominent attacks, including the one that took down the Irish healthcare service in May 2021. Conti was also ranked by the FBI (PDF) as the top ransomware variant targeting critical infrastructure in 2021. The bureau identified at least 16 attacks by Conti ransomware against U.S. healthcare and First Responder networks, including emergency medical services, law enforcement agencies and 9-1-1 dispatch centers last year.
Last year, Conti’s internal chat logs were leaked – essentially, their playbook was made public. And more internal records leaked earlier this year showed the group was essentially operating like a company. These documents – ironically leaked in retaliation for Conti’s pro-Russia stance – showed that the ransomware ring has a human resources department, offers bonuses and even names an employee of the month.
And since then, what we’re seeing and hearing seems to indicate that Conti is trying to overcome these reputational setbacks by setting out to prove they are legitimate, sophisticated and still very relevant. We’re seeing this in terms of how they recruit, too – going after other threat actors and holding, essentially, recruitment events not that different from what you might expect from big Silicon Valley companies (though obviously a bit more underground).
While we don’t think they’re a nation-state actor, they’ve certainly made their affiliation well-known and are acting accordingly. That said, the driving factor still always comes back down to money. and they’re trying to make sure they stay on top.
The Evolution of Ransomware
The attack on Costa Rica has cost the nation millions of dollars. Tax payments were disrupted and staff at the 27 affected government agencies had to revert to pen and paper as their computers remained useless. With this attack, there’s evidence that this is essentially an attempt by Conti to “rebrand” – with news coming not long after the attack that Conti was shutting down in its current form.
But the big takeaway here is – what do attacks like the one against an entire nation say about how ransomware is evolving? For one thing, while money is still obviously the driving factor, we’re seeing that notoriety and “fame-seeking” also plays a role. Conti has been direct in its desire to not only extort money but to overthrow the Costa Rican government – that’s a new wrinkle in ransomware that only adds to the attackers’ notoriety.
We’re also seeing attacks that seem primarily focused on destruction. FortiGuard Labs researchers recently uncovered a new variant of Chaos ransomware in which the attacker has no intention of providing a decryption tool or file instructions – it’s all about destroying whatever it can.
Bad actors are clearly trying to stoke fear about what could possibly happen. There is still the financial component of ransomware, but at the same time, they are trying to flex their muscles more. It’s quite possible that there are competing philosophical differences between the groups. But it’s definitely more about spreading fear so that companies will pay whatever attackers ask. As tensions rise, that can change daily.
What does this signify in terms of how malware and ransomware are evolving? We’re likely going to see much more destructive ransomware attacks with wiper malware, which will completely destroy data. We’re going to see more aggressive ransomware attacks using Wiper malware. What we’re seeing is that bad actors are now less afraid of using more sophisticated attacks – they’re no longer afraid to try those out – and, unfortunately, it’s going to be much harder to contain and detect them.
More recently, the Chaos ransomware variant has sided with Russia, leaving observers to wonder what this could mean from a cybersecurity standpoint. The implications for cyber proxy wars are huge, both for national governments and the profitable companies within their borders. Taking a stand could now unleash additional, digital consequences.
However, organizations don’t have to cower before ransom requests if they have the proper security strategy in place. This includes a comprehensive and integrated security mesh, current threat intelligence, a strong cyber hygiene program and top-notch employee training. Keep your ear to the ground and continue to execute on both advanced and basic security measures, and you’re likely to weather the ransomware storms.
Aamir Lakhani is cybersecurity researcher and practitioner at FortiGuard Labs.
Enjoy additional insights from Threatpost’s Infosec Insiders community by visiting our microsite.