The Government of Costa Rica was hit by a devastating Conti ransomware attack in April 2022, only weeks before the gang shut down its operations. The attackers first demanded $10 million and then doubled the demand to $20 million, while the attack crippled critical government operations, including the customs and tax systems run by the Ministry of Finance. The assault disrupted public services, caused financial losses, and led the newly inaugurated president, Rodrigo Chaves, to declare a national emergency in May 2022. Conti's operators encrypted systems, exfiltrated sensitive data, and paralyzed digital infrastructure, leading to prolonged outages. The attack not only threatened the country's economic stability but also exposed weaknesses in its cybersecurity defenses. The incident was part of Conti's broader campaign, which had already hit hospitals, local governments, and emergency services worldwide. Internal chats leaked in February and March 2022, before the Costa Rica attack, revealed the gang's apparent links to Russian state security services and its willingness to attack high-value targets, including healthcare systems during the COVID-19 pandemic. The Costa Rican government refused to pay the ransom, but recovery took months, further straining public trust and operational continuity.
Source: https://therecord.media/alleged-conti-ransomware-affiliate-extradited-ireland-tennessee
TPRM report: https://www.rankiteo.com/company/casa-presidencial-costa-rica
{
"id": "cas4032140103125",
"linkid": "casa-presidencial-costa-rica",
"type": "Ransomware",
"date": "6/2022",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
}
{'affected_entities': [{'location': 'Tennessee, USA',
'name': 'Tennessee-based organizations (2 victims)',
'type': ['private sector', 'government']},
{'industry': 'public administration',
'location': 'Costa Rica',
'name': 'Government of Costa Rica',
'type': 'government'},
{'industry': 'healthcare',
'location': 'USA (multiple states)',
'name': 'U.S. hospital systems',
'type': 'healthcare'},
{'industry': 'public safety',
'location': 'USA (multiple states)',
'name': 'Local governments and emergency services '
'(USA)',
'type': 'government'},
{'location': 'Global (24+ countries)',
'name': 'Organizations in over two dozen countries'}],
'attack_vector': ['phishing',
'exploiting vulnerabilities',
'malware deployment (Conti ransomware)'],
'data_breach': {'data_encryption': True,
'data_exfiltration': True,
'personally_identifiable_information': True,
'sensitivity_of_data': 'high',
'type_of_data_compromised': ['personally identifiable '
'information (PII)',
'sensitive organizational data',
'internal communications']},
'date_publicly_disclosed': '2024-05-09',
'description': 'A Ukrainian national, Oleksii Oleksiyovych Lytvynenko, '
'accused of launching ransomware attacks on behalf of the '
'Conti ransomware gang, appeared in a U.S. court after being '
'extradited from Ireland. He faces charges related to computer '
'fraud and wire fraud conspiracy, with allegations of '
'extorting approximately $500,000 from two victims in '
'Tennessee and participating in a broader conspiracy to extort '
'$150 million globally. Conti, now defunct, was linked to '
"high-profile attacks, including on Costa Rica's government "
'and U.S. critical infrastructure.',
'impact': {'brand_reputation_impact': ["severe damage to Conti's reputation "
'post-leaks',
'public exposure of internal chats '
'revealing unethical practices'],
'data_compromised': True,
'financial_loss': '$150 million (estimated total ransom demands by '
'Conti)',
'identity_theft_risk': True,
'legal_liabilities': ['indictments for computer fraud and wire '
'fraud conspiracy',
'maximum penalty of 25 years in prison if '
'convicted'],
'operational_impact': ['disruption of hospital systems',
'local government operations',
'emergency services'],
'payment_information_risk': True,
'revenue_loss': '$500,000 (extorted from two Tennessee victims)'},
'initial_access_broker': {'data_sold_on_dark_web': True,
'high_value_targets': ['hospital systems',
'government agencies',
'emergency services']},
'investigation_status': 'Ongoing (Lytvynenko awaiting trial in the USA; four '
'other Conti members indicted in 2023)',
'lessons_learned': ["Exposure of Conti's internal operations highlighted the "
'risks of ransomware groups with state-affiliated ties.',
'Leaked chats revealed ethical violations, including '
'attacks on hospitals during the COVID-19 pandemic.',
'Collaboration between international law enforcement '
'(USA, Ireland, Ukraine) is critical for disrupting '
'cybercrime networks.',
'Ransomware operators often pivot to new gangs (e.g., '
'Royal, Black Basta) after disbanding.'],
'motivation': ['financial gain', 'cybercrime'],
'post_incident_analysis': {'corrective_actions': ['U.S. and international law '
'enforcement collaboration '
'led to arrests and '
'extraditions.',
'Increased scrutiny of '
'cryptocurrency '
'transactions linked to '
'ransom payments.',
'Public disclosure of '
"Conti's internal "
'operations deterred some '
'cybercriminal activity.'],
'root_causes': ['Exploitation of unpatched '
'vulnerabilities in target '
'systems.',
'Lack of multi-factor '
'authentication (MFA) and endpoint '
'protection in some victims.',
"Conti's use of double extortion "
'(data encryption + exfiltration) '
'to pressure victims.']},
'ransomware': {'data_encryption': True,
'data_exfiltration': True,
'ransom_demanded': '$150 million (total by Conti gang)',
'ransom_paid': '$500,000 (from two Tennessee victims)',
'ransomware_strain': 'Conti'},
'recommendations': ['Organizations should implement robust backup and '
'recovery plans to mitigate ransomware impacts.',
'Enhanced threat intelligence sharing between sectors can '
'help preempt ransomware attacks.',
'Governments should strengthen cybersecurity regulations '
'for critical infrastructure, especially healthcare.',
'Public-private partnerships are essential for tracking '
'and prosecuting cybercriminals across jurisdictions.'],
'references': [{'date_accessed': '2024-05-09',
'source': 'U.S. Department of Justice (DOJ) Press Release'},
{'date_accessed': '2024-05-09',
'source': 'FBI Statement on Conti Ransomware Operator '
'Extradition'},
{'date_accessed': '2022-03',
'source': "Media reports on Conti's internal chat leaks"},
{'date_accessed': '2022-05',
'source': 'Reports on Costa Rica ransomware attack (2022)'}],
'regulatory_compliance': {'legal_actions': ['indictment on computer fraud and '
'wire fraud conspiracy charges',
'extradition from Ireland to the '
'USA']},
'response': {'communication_strategy': ['public indictment announcements',
'media statements by DOJ and FBI'],
'law_enforcement_notified': True,
'third_party_assistance': ['FBI Cyber Division',
'U.S. Department of Justice',
'Irish Garda Síochána']},
'stakeholder_advisories': ['FBI and DOJ warnings about Conti and successor '
'ransomware gangs (e.g., Royal, Black Basta)'],
'threat_actor': {'affiliation': 'Conti ransomware gang',
'name': 'Oleksii Oleksiyovych Lytvynenko',
'nationality': 'Ukrainian',
'role': 'Ransomware operator'},
'title': 'Extradition and Charges Against Alleged Conti Ransomware Operator '
'Oleksii Lytvynenko',
'type': ['ransomware', 'cyber extortion', 'data breach']}