On April 18th, a massive ransomware attack prompted the nation of Costa Rica to declare a national emergency. Costa Rican agencies affected by the attack include the Ministry of Labor and Social Security, the Ministry of Science, Innovation, Technology and Telecommunications, the National Meteorological Institute and the Ministry of Finance.

Since then, President Rodrigo Chaves, who took office on May 8th, introduced a decree that classifies the attack as an act of cyber terrorism. “This is an assault on the nation and we have signed this decree to help us defend ourselves better,” said Chaves.

The Conti ransomware group claimed responsibility for the attack. The group reportedly demanded $10 million from the government of Costa Rica in exchange for not releasing sensitive data exfiltrated from the Ministry of Finance. The Costa Rican government has not yet capitulated to demands.

Conti’s attack motives

A statement on Conti’s website expresses that the attackers deliberately disrupted government operations in order to earn money. “…in the future I will definitely carry out [an] attack of a more serious format with a larger team, Costa Rica is a demo version,” it says.

The gang appears interested in ratcheting up anxiety for other governments and organizations. In the past, Conti has struck government, law-enforcement, emergency dispatch carriers, emergency medical services, healthcare and manufacturing groups.

$15 million reward

In a bid to halt Conti’s activities, the US is offering a $15 million reward for information leading to the identification and arrest of the Conti ransomware group’s leaders. According to the US State Department, as of January, more than 1,000 organizations fell victim to the Conti ransomware gang’s attacks.

What we know

In February, a cyber researcher unveiled data pertaining to the Conti group’s Bitcoin addresses and chat logs, including text showing negotiations between ransomware attackers and victims. Logs were also found pertaining to Trickbot, which had once been used to distribute Conti’s ransomware.

After the aforementioned information came to light, Conti dropped internet-based activities temporarily. However, the group reappeared online a few weeks later.

How Conti operates

The Conti group offers a Ransomware-as-a-Service package to affiliates who wish to launch ransomware attacks. Proceeds from ransom payments are split roughly 80%-20% or 70%-30%, where the affiliate keeps the largest portion of the payment and the core Conti team members see a smaller reward.

Conti attackers are known to operate out of St. Peterburg, Russia, and may or may not be connected to Russia’s intelligence agency, the FSB.


Although dubbing the attack as ‘an act of terrorism’ may have limited direct impact, it reflects the severity of the breach and places it into a emergency category on-par with other types of serious incidents. Ransomware can prove as serious as a military conflagration or a natural disaster – depending on the context.

Preventing Conti ransomware threats

Organizations can take proactive steps to prevent Conti ransomware and Conti-affiliated breaches. For example, organizations can implement stronger perimeter security, which can improve attack identification and response rates. For more information about preventing ransomware attacks, see CyberTalk.org’s eBook.

Lastly, to receive more cutting-edge cyber security news, best practices and analyses, please sign up for the CyberTalk.org newsletter.