Experts who track the hackers’ actions said the group had recently begun to shift its focus to countries in Central and South America, perhaps as retaliation against nations that have supported Ukraine.
WASHINGTON — A Russian hacking cartel carried out an extraordinary cyberattack against the government of Costa Rica, crippling tax collection and export systems for more than a month so far and forcing the country to declare a state of emergency.
The ransomware gang Conti, which is based in Russia, claimed credit for the attack, which began on April 12, and has threatened to leak the stolen information unless it is paid $20 million. Experts who track Conti’s movements said the group had recently begun to shift its focus from the United States and Europe to countries in Central and South America, perhaps to retaliate against nations that have supported Ukraine.
Some experts also believe Conti feared a crackdown by the United States and was seeking fresh targets, regardless of politics. The group is responsible for more than 1,000 ransomware attacks worldwide that have led to earnings of more than $150 million, according to estimates from the Federal Bureau of Investigation.
“The ransomware cartels figured out multinationals in the U.S. and Western Europe are less likely to blink if they need to pay some ungodly sum in order to get their business running,” said Juan Andres Guerrero-Saade, a principal threat researcher at SentinelOne. “But at some point, you are going to tap out that space.”
Whatever the reason for the shift, the hack showed that Conti was still acting aggressively despite speculation that the gang might disband after it was the target of a hacking operation in the early days of Russia’s war on Ukraine. The criminal group, which pledged its support to Russia after the invasion, routinely targets businesses and local government agencies by breaking into their systems, encrypting data and demanding a ransom to restore it.
Of the Costa Rica hacking, Brett Callow, a threat analyst at Emsisoft, said that “it’s possibly the most significant ransomware attack to date.”
“This is the first time I can recall a ransomware attack resulting in a national emergency being declared,” he said.
Costa Rica has said it refused to pay the ransom.
The hacking campaign occurred after Costa Rica’s presidential elections and quickly became a political cudgel. The previous administration downplayed the attack in its first official news releases, portraying it as a technical problem and projecting an image of stability and calm. But the newly elected president, Rodrigo Chaves, began his term by declaring a national emergency.
“We are at war,” Mr. Chaves said during a news conference on Monday. He said 27 government institutions had been affected by the ransomware attack, nine of them significantly.
The attack began on April 12, according to Mr. Chaves’s administration, when hackers who said they were affiliated with Conti broke into Costa Rica’s Ministry of Finance, which oversees the country’s tax system. From there, the ransomware spread to other agencies that oversee technology and telecommunications, the government said this month.
Two former officials with the Ministry of Finance, who were not authorized to speak publicly, said the hackers were able to gain access to taxpayers’ information and interrupt Costa Rica’s tax collection process, forcing the agency to shut down some databases and resort to using a nearly 15-year-old system to store revenue from its largest taxpayers. Much of the nation’s tax revenue comes from a relatively small pool of about a thousand major taxpayers, making it possible for Costa Rica to continue tax collection.
The country also relies on exports, and the cyberattack forced customs agents to do their work solely on paper. While the investigation and recovery are underway, taxpayers in Costa Rica are forced to file their tax declarations in person at financial institutions rather than relying on online services.
Mr. Chaves is a former World Bank official and finance minister who has promised to shake up the political system. His government declared a state of emergency this month in response to the cyberattack, calling it “unprecedented in the country.”
“We are facing a situation of unavoidable disaster, of public calamity and internal and abnormal commotion that, without extraordinary measures, cannot be controlled by the government,” Mr. Chaves’s administration said in its emergency declaration.
The state of emergency allows agencies to move more quickly to remedy the breach, the government said. But cybersecurity researchers said that a partial recovery could take months, and that the government may not ever fully recover its data. The government may have backups of some of its taxpayer information, but it would take some time for those backups to come online, and the government would first need to ensure it had removed Conti’s access to its systems, researchers said.
Russia-Ukraine War: Key Developments
In Mariupol. The bloodiest battle of the war in Ukraine ended in Mariupol, as the Ukrainian military ordered fighters holed up at a steel plant in the city to surrender. Ukraine’s decision to end combat gave Moscow full control over a vast sweep of southern Ukraine, stretching from the Russian border to Crimea.
Paying the ransom would not guarantee a recovery because Conti and other ransomware groups have been known to withhold data even after receiving a payment.
“Unless they pay the ransom, which they have stated they have no intention of doing, or have backups that are going to enable them to recover their data, they are potentially looking at total, permanent data loss,” Mr. Callow said.
When Costa Rica refused to pay the ransom, Conti began threatening to leak its data online, posting some files it claimed contained stolen information.
“It is impossible to look at the decisions of the administration of the president of Costa Rica without irony,” the group wrote on its website. “All this could have been avoided by paying.”
On Saturday, Conti raised the stakes, threatening to delete the keys to restore the data if it did not receive payment within a week.
“With governments, intelligence agencies and diplomatic circles, the debilitating part of the attack is really not the ransomware. It’s the data exfiltration,” said Mr. Guerrero-Saade of SentinelOne. “You’re in a position where presumably incredibly sensitive information is in the hands of a third party.”
The breach, among other attacks carried out by Conti, led the U.S. State Department to join with the Costa Rican government to offer a $10 million reward to anyone who provided information that led to the identification of key leaders of the hacking group.
“The group perpetrated a ransomware incident against the government of Costa Rica that severely impacted the country’s foreign trade by disrupting its customs and taxes platforms,” a State Department spokesman, Ned Price, said in a statement. “In offering this reward, the United States demonstrates its commitment to protecting potential ransomware victims around the world from exploitation by cybercriminals.”
Kate Conger reported from Washington, and David Bolaños from San José, Costa Rica.