In the wake of a massive ransomware attack on the Costa Rican government in April, the US government issued a notice last week declaring a bounty potentially worth millions of dollars on people involved with the Conti ransomware used in the hack. Rodrigo Chaves Robles, Costa Rica’s recently sworn-in president, declared a national emergency due to the attack, according to CyberScoop.
According to BleepingComputer, the ransomware attack affected Costa Rica’s ministries of finance and Labor and Social Security, as well as the country’s Social Development and Family Allowances Fund, among other entities. The report also says that the attack affected some services from the country’s treasury starting on April 18th. Hackers not only took down some of the government’s systems, but they’re also leaking data, according to CyberScoop, which notes that almost 700GB of data has made its way onto Conti’s site.
The US State Department says the attack “severely impacted the country’s foreign trade by disrupting its customs and taxes platforms” and offers “up to $10 million for information leading to the identification and/or location” of the organizers behind Conti. The US government is also offering $5 million for information “leading to the arrest and/or conviction of any individual in any country conspiring to participate in or attempting to participate” in a Conti-based ransomware attack.
Last year, the US offered similar bounties on REvil and DarkSide (the group behind the Colonial Pipeline attack). REvil is largely thought to be defunct after the US reportedly hacked the group’s servers and the Russian government claimed to have arrested several members.
The Costa Rican government isn’t the only entity to fall victim to Conti’s ransomware. As Krebs On Security notes, the group is particularly infamous for targeting healthcare facilities such as hospitals and research centers.
The gang is also known for having its chat logs leaked after it declared that it fully supported Russia’s government shortly after the invasion of Ukraine began. According to CNBC, those logs showed that the group behind the ransomware itself was having organizational issues — people weren’t getting paid, and there were arrests happening. However, like many ransomware operators, the actual software was also used by “affiliates,” or other entities who used it to carry out their own attacks.
In Costa Rica’s case, the attacker claims to be one of these affiliates and says that they aren’t part of a larger team or government, according to a message posted by CyberScoop. They have, however, threatened to carry out “more serious” attacks, calling Costa Rica a “demo version.”