Costa Rican president claims collaborators are aiding Conti’s ransomware extortion efforts

Collaborators within Costa Rica are helping the notorious Conti ransomware group extort the country’s government, the country’s president said during a Monday press conference, backing up claims the group made on its website the same day.

The president, Rodrigo Chaves, cited “national security” when declining to share details of who the alleged collaborators are, or how they are operating, according to an account of the press conference from La Nación.

“We are at war and that is not an exaggeration,” Chaves said, according to a Google translation. “The war is against an international terrorist group.” He added that “there are very clear indications that people inside the country are collaborating with Conti,” but did not share details.

Over the weekend messages posted to Conti’s website captured by Emsisoft threat analyst Brett Callow called on the people of Costa Rica to “organize rallies” to force the government to pay and also that “we are determined to overthrow the government by means of a cyber attack.” The attackers demanded $20 million — doubling the previous demand of $10 million — and also claimed the decryption keys would be deleted within a week.

Chaves declared a national emergency related to the attack May 8 in one of his first official acts after taking office. The U.S. State Department announced a $10 million reward May 6 for information on anybody holding a “key leadership position” within Conti.

Chaves said Monday that the government has assembled a “SWAT Team” from various government agencies to handle the April 17 ransomware attack that has affected at least 27 institutions — nine of them “significantly,” according to La Nación — and that there is still no full diagnosis of the magnitude of the situation.

The ransomware attack has prevented the government from effectively collecting taxes, and some public employees’ salaries are either being overpaid or underpaid, Chaves said.

He blamed the previous government for not fully investing in cybersecurity, and also said the matter had been characterized to the people of Costa Rica as an “incident when in reality it is a national crisis.”

Although Chaves did not provide evidence supporting the claim of Costa Rican collaborators helping Conti, Callow noted that insider threats are a persistent and known problem that need to be addressed. An engineer working for a managed service provider — a company that provides IT services for other businesses and has access to client networks — was accused in January 2020 of trying to sell logins for client networks on a dark web forum, for instance.

“The gangs now have so much money that they could potentially buy their way into any organization,” Callow told CyberScoop in an online chat. “In fact, I’d be surprised if it wasn’t quite common for insiders to reach out to them with offers of help.”