The Conti ransomware group, a crippled Costa Rica – and how things fall apart, even for our cyber tormentors

Quite the story – with quite the Ukraine War element 😎

11 July 2022 (Athens, Greece) – Being a security professional has never been harder. The increasing threat environment, expanding attack surface, and continuous stakeholder demands for transparency only add to the challenges. Even the most sophisticated professionals can feel overwhelmed. Thank God I can stay current via LinkedIn and my enormous cybersecurity group, especially Steve King and Andy Jenkinson – who both get a 🎩 tip for providing background to this piece.

Due to my ongoing work covering the Ukraine War + my film work, I have not had adequate time to devote to my cybersecurity coverage, although my media team has gigabytes loaded up and ready to go in follow-up to their work at the International Cybersecurity Forum in Lille, France last month.

But the Conti ransomware group came around again so I thought I’d offer some thoughts. And it came up due to a board meeting. I sit on the board of a small but well-known media company. I do not quote them in my posts to avoid a conflict of interest. But they do provide me with a treasure trove of background information on the digital media and TMT (technology, media, and telecom) markets which inform many of my posts.

We recently had a board meeting that involved a wide-ranging discussion about the tools and practices needed to fortify the company’s data and systems against breaches. To my surprise, there was heavy discussion of cybersecurity, especially the cyberbreaches and criminal hacking endemic to the media industry – and of the perils of corporate complexity, and the power of simplicity, when it comes to cyber risk.

Happily, my fortuitous presence enabled a proper discussion of the company’s cyber risk profile – and I was blatantly cribbing notes from LinkedIn posts by Steve and Andy, noted above.

One board member asked about the Conti ransomware group. My media group had written a long blog post on how Conti and its offshoots had the legal industry in their sights – with much success. And the MIT Technology Review, Ars Technica and the Financial Times have all been reporting on the Conti ransomware group’s attack on Costa Rica, so I provided the board with a mashup of all the recent news. What follows is part of my report.

The cyber attack in Costa Rica has been well-told across cybersecurity media so just to summarize:

• Jorge Mora, Costa Rica’s digital governance chief, received a message in April from one of his officials: “We couldn’t contain it and they’ve encrypted the servers. We’ve disconnected the entire ministry.”

• He was being updated on a harrowing cyber-assault by a notorious Russian ransomware group called Conti, which started at the Central American country’s ministry of finance and eventually ensnared 27 different ministries in a series of interlinked attacks that unfurled over weeks.

• The attack was “impressive in its scope”, according to one western official. Usually, hackers manage to gain access to single systems, but Costa Rica’s case highlights the risk that weak cyber security poses to a nation’s entire IT infrastructure. In Costa Rica, Conti had spent weeks, if not months, tunnelling around in government systems, leaping from one ministry to the next.

• Conti offered to return the data: at a price of up to $20mn. But Costa Rica’s government refused to pay the ransom. Instead, newly installed President Rodrigo Chaves declared a national emergency, launched a hunt for alleged “traitors” and leaned on tech-savvier allies such as the US and Spain to come to its aid. “We are at war, and that is not an exaggeration,” Chaves said in the days after his inauguration in mid-May, blaming the prior administration for hiding the true extent of the disruption, which he compared to terrorism.

The stand-off left parts of Costa Rica’s digital infrastructure crippled for months, paralysing online tax collection and disrupting public healthcare and the pay of some public sector workers. In the meantime, Costa Rica’s shadowy tormentors were themselves a spent force, victims of geopolitical rivalries in the hacking world that had been inflamed by the war in Ukraine.

After declaring its support for the Russian invasion on Feb 24, the group was betrayed by one of its insiders, a Ukrainian hacker-for-hire, who leaked their toolkits, internal chats and other secrets online in retaliation.

This needs a separate post, but for years Russia’s cybercrime groups have acted with relative impunity. The Kremlin and local law enforcement have largely turned a blind eye to disruptive ransomware attacks as long as they didn’t target Russian companies. Despite direct pressure on Vladimir Putin to tackle ransomware groups, those groups remain intimately tied to Russia’s interests.

The Ukrainian hacker-for-hire released a cache of 60,000 chat messages and files that provides glimpses of how well connected the criminal gang is within Russia. The documents, reviewed by several technology media firms plus the International Consortium of Investigative Journalists, showed how Conti operates on a daily basis and what its crypto ambitions are. They likely further reveal that Conti members have connections to the Russian Federal Security Service and an acute awareness of the operations of Russia’s government-backed military hackers.

While Costa Rica continues to deal with the consequences of the cyber attack, much of Conti had melted away after the leak, according to Toby Lewis, head of threat analysis at Darktrace, a cyber security firm:

“In the beginning of 2022, we were set for another year for a group like Conti in their heyday, making quite significant sums of money. When Russia invaded Ukraine, that all ended. Backing Russia was, in business terms, the worst decision they could have ever made.”

Conti’s most impactful attack turned out to be its last. By the end of June, Conti’s public-facing website, where it had taunted Costa Rica and other victims, was shut down, and so was its dark-web negotiations site, security researchers said. As the attacks unfolded, Mora said his team slept barely four hours a night for nearly a month to slow the hackers’ progress through other ministries. Spain sent over its own ransomware-protection software, MicroClaudia, which was developed by its National Cryptologic Centre.

The U.S. sent over teams to assist, with donated software and expertise from Microsoft, IBM and Cisco, and the U.S. State Department offered a bounty of up to $15mn to bring Conti or its supporters to justice.

Rejecting Chaves’ criticism, Mora said that without their pace of work and co-operation after the attack, “we would have had 50 cases like the finance ministry”.

But Costa Rica’s efforts to regain control of its IT systems came alongside Conti’s demise, further complicating those efforts. One western intelligence official who has been fully briefed on the investigations said that even if Chaves had agreed to pay the ransom, which varied from $20mn to as low as $1mn, it’s “not clear who was on the other end of the line. By June, nobody was answering the phone, figuratively speaking. Conti in Costa Rica was somewhat of a desperate last try to gain any sort of title, some buzz around their actions”.

Once estimated at some 400 hackers plus an unknown number of affiliates renting its toolkit – an operation that in 2021 had yielded the Russian hacking group hundreds of millions of dollars in cryptocurrency from at least 600 targets – Conti was down to a few dozen people just weeks after the Costa Rica attack.

But, as my media team detailed last month, there are signs it is regrouping in different guises. This includes a group called BlackBasta, which within months of emerging has hit 50 organisations. Security researchers say the speed of its attacks suggests deserters from Conti took their knowledge of their victims’ IT infrastructure with them to BlackBasta.

Meanwhile, Costa Rica continues to grapple with the consequences of the April hack. As in all successful ransomware attacks, there is usually no way for the victim to decrypt its own data without a key from the attackers – most systems have to be rebuilt from scratch, with backups scoured to make sure they do not include the original malware. That process can take months, if not a year or two.

I said “usually no way to decrypt” because the U.S. FBI and other U.S. intelligence services actually have some decryption keys that may be able to open up an encrypted system. Victims just need to ask.

Until recently, the country’s customs systems had to resort to paper and email, slowing down the entire process. It means you pay more for containers that have to sit for days on docks that hadn’t been used in years. But as of the time I write this, a senior Costa Rican government official said many of the finance ministry’s systems have now been restored, including customs and salaries.

It comes back to what both Steve King and Andy Jenkinson have noted forever: don’t skimp on having the necessary cyber security across your entire institution. And yet, as Steve and Andy chronicle on an almost daily basis, thousands of institutions are still skating by on ignorance and wishful thinking.

I’ll end with quotes from Steve and Andy. Andy first:

Cyberwar is playing out in front of everyone and in all sectors. The ability to infiltrate and gain access due to woeful and, quite frankly, pathetic basic security negligence, as we constantly evidence, is the root cause.

And Steve:

I agree with everything you say. I think ransomware will continue to dominate the 2022 threat landscape, as we witness operators taking new approaches with new techniques. A significant ransomware trend in 2021 was the increase in adversaries expanding their threats beyond data encryption. Multiple ransomware groups pivoted to stealing and exfiltrating data before encrypting it, then demanding payment to prevent the data from leaking publicly on a dark web site. This will only increase.

And the big gorilla in the room, which I have discussed with both Steve and Andy but which is beyond the remit of this post: weaponized AI. This is the act of altering existing AI systems, or developing new AI programs and tools, to break down performance and disrupt normal operations. The goal of weaponized AI in cyber attacks is to infiltrate networks and systems faster than most organizations can fight back, by using capabilities unique to AI technologies: information retention, learned intelligence and improved speed from automation. By weaponizing AI to model adaptable attacks and develop intelligent malware programs, cybercriminals have been able to program these attacks to collect knowledge of what prevented the attacks and what proved to be successful.
