Costa Rican Social Security Fund hit with ransomware attack
The Costa Rican government continues to face off against ransomware gangs, confirming on Tuesday that its Social Security Fund was hit with a cyberattack.
In a statement on Twitter, the Costa Rican Social Security Fund said the attack started early on Tuesday morning and that an investigation was being conducted into the incident.
It confirmed that several payroll and pension databases – including the Unified Digital Health system and the Centralized Tax-Collection System – were not affected by the attack.
“They are doing analysis to try to restore critical services, but it is not possible to determine when they will be in operation. For now, preventively all systems were shut down,” the organization said.
Están haciendo análisis para tratar de restaurar servicios críticos, pero no es posible determinar aun cuando estarán en operación. Por ahora preventivamente se bajaron todos los sistemas.— CCSSdeCostaRica (@CCSSdeCostaRica) May 31, 2022
Cybersecurity expert Brian Krebs said on Twitter that he has seen the ransom note related to the incident and that it is from the Hive ransomware group. A separate group, Conti, is engaged with several Costa Rican state ministries in an ongoing attack.
Despite reports that Conti was shutting much of its operation down, the group has released several unhinged threats toward the Costa Rican government, urging the country’s citizens to overthrow the government because of the crippling ransomware attack.
Krebs implied that the people behind the most recent Hive ransomware attack “could just as well be the same criminals” conducting the Conti attack.
Emsisoft threat analyst and ransomware expert Brett Callow told The Record that Conti previously claimed to have been “working on gaining access to [the Costa Rican government’s] other systems.
“The fact that Hive’s ransomware seems to have now been used in an attack on another agency supports the claim of other researchers that Hive and Conti have developed some form working relationship,” Callow said. “At the very least, it would appear that the groups share an affiliate... as the data that was stolen in a couple of recent incidents was uploaded to both Conti and Hive’s leak sites.”
Callow noted that analysts at AdvIntel, a threat intelligence company that has closely watched Conti and its affiliates, have previously said Conti and Hive may have deeper ties. Several companies have shown up on leak sites for both Hive and Conti in recent months, according to Callow.
Several employees of the Costa Rican Social Security Fund took to social media to say they were told to shut off their computers after all of their printers began spitting out unintelligible documents.
Me pasó lo mismo.. empezó a imprimir a lo loco.. me dijeron que apagara todo. pic.twitter.com/k5FlJF7t3g— Martha Hernández (@marsoHJ) May 31, 2022
The same employee said that due to the attack, COVID-19 test results cannot be reported.
Costa Rica declared a state of emergency this month following the wide ranging ransomware attack, which crippled the country’s customs and taxes platforms alongside several other government agencies, even bringing down one Costa Rican town’s energy supplier.
The country’s treasury department has been unable to operate any of its digital services since the attack began, making it nearly impossible for paperwork, signatures and stamps required by law to be processed.
Organizations affected by the attack include:
- The Finance Ministry
- The Ministry of Science, Innovation, Technology, and Telecommunications
- The Labor and Social Security Ministry
- The Social Development and Family Allowances Fund
- The National Meteorological Institute
- The Costa Rican Social Security Fund
- The Interuniversity Headquarters of Alajuela
Despite the ramifications of the devastating attack, the Costa Rican government has refused to pay the $10 million ransom issued by Conti.
Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.