[Security Weekly] Conti Ransomware Threatens to Overthrow Costa Rican Government

conti ransomware costa rica

May 2022, Issue II


1. Conti ransomware gang threatens to overthrow Costa Rican government

Over the weekend of May 7, Costa Rica’s newly elected President Rodrigo Chaves declared a state of emergency as the nation battled through a devastating ransomware attack carried out by the Conti ransomware gang since April 18, making it the world’s first-ever national emergency declared in response to a cyberattack.

It has been confirmed that 27 government agencies were affected by the attack. Among them were the Finance Ministry, the Ministry of Labor and Social Security (MTSS), the Ministry of Science, Technology, and Telecommunications, the National Meteorological Institute (IMN), and many more. 

The Conti ransomware gang initially demanded $10 million. After the government refused to pay, it dumped 97% of the 672 GB of stolen data on its leak site, which included source code and databases, according to analyses by Bleeping Computer.

However, Conti did not give up, raising its demand to $20 million on May 16, claiming at this point that its goal now is to overthrow the government and that it has been receiving help from insiders. Most analysts believe that overthrowing the government is highly unlikely, and that rhetoric is merely a means to increase pressure.

Commonly targeting governments and vulnerable industries like hospitals, Conti is one of the most ruthless Ransomware-as-a-Service (RaaS) groups in the world, with many operations tied to the Russian state. Last year, it attacked and paralyzed the entire health system of Ireland.

Sources: Threatpost, US News, BBC


2. Aerospace giant Parker discloses data breach after Conti ransomware attack

US-based Parker Hannifin Corporation, one of the world’s largest manufacturers of motion control technologies, disclosed a ransomware attack and data breach that involved its employees’ personal information. Parker is a major supplier of aircraft hydraulic systems to Boeing, Airbus, Lockheed Martin, and Roll-Royce.

In a statement, Parker revealed that hackers gained access to its internal IT systems between March 11 and 14, exfiltrating files that contained the personal information of its current and former employees and their dependents. Leaked data included names, dates of birth, addresses, Social Security Numbers (SSN), passport numbers, driver’s licence numbers, financial and insurance details, medical history, and digital account login credentials. The company was forced to shut off its IT systems to prevent the attack from spreading further. Fortunately, it does not look like any technical information and schematics were stolen.

The Conti ransomware gang claimed responsibility for the attack and published 3% of all stolen data on April 1. Three weeks later on April 20, all 100% of 419 GB of data were published, signaling failed ransom negotiations.

To protect victims from identity theft, Parker is providing impacted employees with two years of identity protection service.

Sources: Infosecurity, Bleeping Computer


3. North Korean IT workers pose as remote freelancers to aid hacking operations

The US Department of State, Department of the Treasury, and the FBI issued a joint advisory warning that North Korean IT workers are now working as remote freelance developers at tech firms in high-income countries, both to raise revenue for North Korea and to aid state-backed hackers in hacking operations.

Thousands of these state-backed workers now use VPNs to hide their position and pretend to be freelancers from South Korea, Japan, or China, filling a wide range of roles in developing mobile apps and games, web apps, gambling apps, enterprise software and databases, and hardware and firmware.

Not only are their incomes used to fund the state, but they also aid state-backed hackers by sharing access to their employer’s virtual infrastructure, sensitive data, and making fraudulent virtual currency transfers. An individual case published in the advisory stated that North Korean remote freelancers in an unnamed US firm secretly transferred out $50,000 in small installments over a period of a few months.

As it becomes increasingly common for firms to hire remote freelancers, access control is more important than ever. Firms should have a clear set of security policies on granting remote access to third parties and freelancers, and always keep their account privileges to a minimum. 

Sources: ZDNet, Infosecurity, Business Insider


Check out Penta Security’s product lines:

Web Application Firewall: WAPPLES

Database Encryption: D’Amo

Identity and Access Management: iSIGN+ 

Car, Energy, Factory, City Solutions: Penta IoT Security