Conti, the ruthless threat group behind hundreds of global ransomware attacks, has cast its dark shadow over sunny Costa Rica. The Central American republic is struggling to withstand a series of cyberattacks that have paralyzed state institutions. On May 11, 2022, Costa Rican President Rodrigo Chaves declared the attacks a national state of emergency. These cyberattacks not only damaged Costa Rica, but they pose a threat to global stability, as we’ll explore in the rest of this column.  

Conti Catches Fire

Before describing the larger significance of these cyberattacks on Costa Rica, it is important to share some key facts about the Conti group. Conti ransomware first appeared in 2020, catching researchers’ attention with its lightning-fast encryption capabilities. The ransomware masterfully uses multi-threading to achieve blazing-fast execution speeds. At first, Conti ransomware looked like a clever variation of other multi-threaded malware samples including REvil, Lockbit and Ryuk.

Within a year of its discovery, Conti compromised more than 400 organizations around the world.

Conti quickly proved they were not small-time players. They were organized like a business, performed target reconnaissance, and pressured victims to pay through double extortion. This tactic involves attackers stealing information from target systems before encryption occurs. They then demand ransom for a decryption key, while threatening to publicly release the stolen data if the victim does not comply. Compromised organizations find themselves facing catastrophic data loss, public humiliation, and the risk of violating privacy regulations like General Data Protection Regulation (GDPR) if they resist.

The effectiveness of Conti’s methods is indisputable. Leaked chat logs suggest the group took in more than $30 million USD in 2021. These gains came as ransomware attacks went up 105% and company information being posted to data leak sites increased by 935%. Conti’s techniques, tactics and procedures (TTPs) certainly seem to be highly effective. However, the group’s stellar rise and enormous successes have caused some researchers to question who exactly is behind Conti?

Dark Connections, Divided Loyalties

As I’ve discussed in other columns, attributing cyberattacks to specific actors is incredibly difficult. Attacks can be routed through several nations, including those that do not cooperate with investigations, making their initial source nearly indeterminable. If one threat actor wishes to look like another, they simply mimic the TTPs of whomever they seek to impersonate. Modern cyberattacks are often encrypted and obfuscated and they seek to use legitimate system resources to hide their activity. Simply put, attackers go through a great deal of trouble to hide from analysts and lead them down the wrong path when discovered.

That being said, it has been widely reported that Conti is a Russia-based group. This assessment received further credibility during the Russian invasion of Ukraine, when Conti threatened retaliation against anyone targeting Russia with conventional or cyberattacks. This statement caused internal dissent within the cybercrime community and ultimately led to Conti being compromised. Shortly after declaring their fealty to Russia, a Ukrainian security researcher released a year’s worth of internal chats from the Conti group. This was quickly followed by the release of the Conti ransomware source code.

Costa Rica Reflects a World in Crisis

This brings us to the present, where Conti is waging unrelenting cyberattacks against Costa Rican government agencies. In one interaction, the Conti group demanded $10 million USD from the Costa Rican government, only to be rebuffed. This refusal prompted the group to publish hundreds of gigabytes of stolen data to their leak site and to threaten “more serious” attacks.

The U.S. State Department has offered a $10 million reward for information that identifies Conti’s key leaders and an additional $5 million for information leading to their arrest or capture. Yet the real danger of these attacks far exceeds anything addressable by a simple bounty. Cyberattacks have long been treated by nations as a form of espionage — something that provokes retaliation without requiring greater escalation. However, as cyberattacks on infrastructure, agencies and economies wreak greater havoc on nations, this sentiment is changing.

Last July, U.S. President Joe Biden warned that a serious cyberattack could lead to a “real shooting war.” This may be why Conti made an explicit declaration claiming sole responsibility for the attacks in Costa Rica. Likewise, it might explain their rapidly amending declarations of initial support of the Russian invasion with a disclaimer that they “do not ally with any government and we condemn the ongoing war.”

As the effects of cyberattacks become more consequential, it seems inevitable that the responses to them will escalate in turn. Unfortunately, merely claiming them to be independent actions and disavowing national ties will mean little if deemed disingenuous and as acts of war.