Last week the Conti ransomware group "went dark" and might have shut down. Shortly before doing so, they went to war with an entire nation. Their ransomware attack paralyzed dozens of public institutions in Costa Rica in early May. The newly inaugurated Costa Rican government was forced to declare a state of emergency—a first for a cyber attack anywhere. Meanwhile, Conti leaked stolen data from Costa Rican sources online. Doubling their ransom demand to $20 million, the Russian-speaking gang threatened to bring down the Costa Rican government.
Speculation is rife that the attack which started Costa Rica's ransomware emergency may have been an elaborate false flag. Conti may have wanted a smokescreen for its rebranding efforts and a way to deflect some of the heat created by a $15 million U.S. government bounty.
Conti's motivations for paralyzing Costa Rica can't be known. But its capacity for malicious behavior is clear. For any organization that doesn't want to end up in a situation like that of the Central American country—where many officials now cannot collect taxes or pay salaries—mitigating the risk of future Conti-like attacks is critical.
Becoming a target for a threat actor like Conti is a security nightmare. The group's attacks are multi-layered, prolonged, and designed to inflict maximum pain. Conti even claims to have members inside the Costa Rican administration.
Since surfacing in 2020, Conti has gone almost exclusively after "big game" targets. This includes critical infrastructure and transport facilities that cannot afford the downtime or reputational damage a public attack creates. Costa Rica’s ransomware emergency isn't the first time Conti effectively paralyzed an entire nation. In 2021, a similar attack took a large part of the Irish national health service offline for weeks, impacting hundreds of thousands of people.
Compromising country-sized targets doesn't happen by accident. Conti and other advanced threat groups like LockBit 2.0 have sophisticated technical tricks up their sleeves. Conti is infamous for its use of fileless malware. During the execution stage of attacks, Conti uses its BazarLoader, recently superseded by the BumbleBee loader, to deploy malware such as cracked versions of Cobalt Strike. Fileless attacks completely bypass the signature- and behavior-based defenses used by most AV, NGAV, EDR, XDR, and other solutions. As a result, Conti moves silently through its victims' networks, deploying third-party tools, usually without detection.
Leaked chat logs show Conti is more criminal enterprise than gang. The organization may have employed up to 100 staff, and its team of hackers is highly skilled. They can disable security controls and systematically find and escalate privileges. By the time the ransomware is executed, victims are defenseless. With Conti able to enter and persist in networks undetected, the battle is over long before that point.
Stopping advanced attackers like the Conti ransomware group relies on organizations building defense in depth with multiple layers of security. Here are two actions every organization should take.
The most potent response to advanced threats like the one behind Costa Rica's ransomware emergency is to deploy solutions that stop them early in the attack chain. The reactive, signature- and behavior-based approach of standard security solutions does not do this. As Conti keeps demonstrating, fileless and in-memory attacks can defeat signature-based controls of every kind, including NGAV technologies.
With a Conti representative stating "Costa Rica is a demo version," the Conti X Costa Rica "war" is a graphic illustration of the need for multiple layers of protection against advanced threats. Powered by MTD technology, Morphisec offers organizations from SMBs to government departments exactly that, with a powerful, lightweight tool kit for defeating advanced threats.
To learn more about defeating ransomware, read the white paper, Zero Trust + Moving Target Defense: The Ultimate Ransomware Strategy.