Costa Rican chaos, a warning that the ransomware threat persists


Teachers do not receive paychecks. The tax and customs systems were paralyzed. Paramedics cannot access medical records or monitor the spread of COVID-19. A country’s president declares war on foreign hackers who say they want to overthrow the government.

For two months, Costa Rica has been reeling from unprecedented ransomware attacks that have disrupted daily life in the Central American country. It raises questions about the US role in protecting friendly countries from cyberattacks as Russia-based criminal gangs target less developed countries in ways that could have major global repercussions.

“Costa Rica today. Tomorrow it could be the Panama Canal,” said Belisario Contreras, former director of the Organization of American States cybersecurity program, referring to a major Central American shipping lane carrying large volumes of U.S. import and export traffic.

Last year, cybercriminals launched ransomware attacks in the United States that forced the shutdown of an oil pipeline feeding the East Coast, halted production at the world’s largest meat processing company, and compromised the security of a major software company with thousands of customers worldwide.

The Biden administration responded with a series of government actions that included diplomatic, law enforcement and intelligence efforts designed to put pressure on ransomware operators.

Since then, ransomware gangs have moved away from “big game” targets in the US, chasing victims that are unlikely to draw a strong US response.

“They’re still productive, they’re making huge amounts of money, but they’re not in the news every day,” Eleanor Fairford, deputy director of the UK’s National Center for Cyber Security, told a conference on ransomware in the US.

Trends in ransomware attacks, in which criminals encrypt victims’ data and demand payment to restore it to normal, are difficult to monitor. NCC Group, a UK cybersecurity firm that tracks ransomware attacks, said the number of monthly ransomware incidents so far this year is higher than it was in 2021. The ransomware group CL0P, which has aggressively targeted schools and healthcare, is back in business after being effectively shut down for several months.

But Rob Joyce, director of cybersecurity at the National Security Agency, has said publicly that the number of ransomware attacks has decreased, thanks to increased cyberattacks since Russia’s invasion of Ukraine and new sanctions that have made it harder for Russia-based criminals to move money.

The ransomware gang known as Conti launched the first attack against the Costa Rican government in April, demanding a $20 million payment and prompting newly elected President Chaves Robles to declare a state of emergency as tax and customs, utilities and other services were taken offline. “We are at war and that is no exaggeration,” he said.

Later, a second attack attributed to a group known as the Hive disabled the public health service and other systems. Information on individual prescriptions is offline and some workers have not been paid for weeks. This has caused significant difficulties for people like Alvaro Fallas, a 33-year-old teacher.

“I live with my parents and my brother and they trust me,” he said.

In Peru, Conti also attacked the country’s intelligence agency. The gang’s dark web extortion site is posting allegedly stolen documents along with the agency’s information, such as a document marked “secret” detailing efforts to root out coca.

Experts believe that developing countries such as Costa Rica and Peru will remain particularly ripe targets. These countries have invested in digitizing their economies and systems, but they do not have defenses as advanced as those of wealthier countries.

Costa Rica has long been a stable force in a region often known for riots. It has a deep-rooted democratic tradition and well-run government services.

Paul Rosenzweig, a former DHS official and cyber consultant who is now a legal resident of Costa Rica, said the country has presented a test case for what exactly the US government owes to friendly and allied governments that have fallen victim to devastating ransomware attacks. He said that while an attack on a foreign country has no direct impact on US interests, the federal government still has a strong interest in limiting the ways ransomware criminals disrupt the global digital economy.

“Costa Rica is an excellent example because it’s a first,” Rosenzweig said. “No one has ever seen a government come under attack before.”

So far, the Biden administration has said little publicly about the situation in Costa Rica. The US has provided some technical assistance through the Cybersecurity and Infrastructure Security Agency, through a knowledge sharing program with countries around the world. And the State Department offered a reward for the arrest of Conti members.

Eric Goldstein, deputy director of cybersecurity at CISA, said Costa Rica had a computer emergency response team that had an established relationship with colleagues in the US prior to the events. But his agency is expanding its international presence by establishing its first overseas attaché position in the UK. It plans others in as yet undetermined locations.

“Our role, if we think about CISA and the US government, of course, is to protect American organizations. But we intuitively know that the same threat actors use the same vulnerabilities to target victims around the world.”

Conti is one of the most prolific ransomware gangs currently operating, hitting more than 1,000 targets and receiving more than $150 million in payouts in the past two years, according to FBI estimates.

At the start of the invasion of Ukraine, some members of Conti pledged on the group’s dark web site to “use all available resources to attack an enemy’s critical infrastructures” in the event of an attack on Russia. Soon after, sensitive chat recordings that turned out to be the gang’s were leaked online, some of which appeared to indicate ties between the gang and the Russian government.

Some cyberthreat researchers say Conti may be in the midst of rebranding, and its attack on Costa Rica may have been a publicity stunt to provide a plausible story for the group’s demise. Ransomware groups that receive a lot of media attention simply disappear so that their members can then operate under a new name.

On its dark web site, Conti has denied that this is the case and continues to post victims’ files. The gang’s most recent targets include a city parks department in Illinois, a manufacturing company in Oklahoma, and a food distributor in Chile.

Copyright © 2022 The Washington Times, LLC.


