Second ransomware group attacks Costa Rica

The country’s health service has had its systems affected by the new attack
Image: Shutterstock via Dennis

1 June 2022

Costa Rica has been hit by a ransomware attack from a second ransomware group, this time targeting its health service.

The Costa Rican Social Security Fund (CCSS) confirmed yesterday that it had suffered an attack early in the morning, although it said its databases containing information on payroll and pensions hadn’t been affected.

The CCSS said it was carrying out an analysis to try and restore critical services, but it wasn’t possible to determine when they will be operating again. As a cautionary measure, it has also taken all of its systems offline.




A notice from the CCSS stated that various internal systems were down. Only employees working from home would also be able to access Office 365 and it advised workers not to connect to its network through a VPN until it had new information on the attack.

Local employees working in the health service also said on Twitter that their printers began printing pages of ASCII-based text by themselves before the attack had been reported.

The attack appears to be carried out by the Hive ransomware group, according to journalist Brian Krebs who has seen the ransom note.

This is a different group to Conti, which had been targeting the country previously. The Conti ransomware attack forced the country to declare a state of emergency at the start of May after it emerged that it had impacted 27 government institutions. The ransomware group also threatened to overthrow the Costa Rican government after demanding that it pay $10 million in ransom.

However, the Conti ransomware group is slowly shutting down, according to a report from Bleeping Computer. Infrastructure is being taken offline and team leaders have been told that the brand is no more.

Why did Conti attack Costa Rica?

Research from Advintel showed that former Conti members may have migrated to Hive, shedding Conti’s name and image.

The researchers found that Conti conducted the attack on Costa Rica for publicity instead of ransom, and was organised by the group as it began restructuring itself. It was very vocal about the attack, constantly adding new political statements, and helped bring the group into the spotlight while real restructuring was taking place.

“The only goal Conti had wanted to meet with this final attack was to use the platform as a tool of publicity, performing their own death and subsequent rebirth in the most plausible way it could have been conceived,” said Advintel.

Conti has been planning the rebranding for several months. It has adopted a different structure which is formed as a coalition of several new subdivisions. Some of these are independent while others exist in another ransomware collective. They are all united, however, by internal loyalty to each other and the Conti leadership, stated the research.

The network includes two different groups. Fully autonomous groups which focus on stealing data, like Karakurt, BlackBasta, and BlackByte.

The second type is semi-autonomous, which acts as Conti-loyal collective affiliates within other collectives. This includes AlphV/BlackCat, Hive, HelloKitty/FiveHands, and AvosLocker.

© Dennis Publishing

Read More:

Comments are closed.

Back to Top ↑