The notorious Conti ransomware gang, which last month staged an attack on Costa Rican administrative systems, has threatened to “overthrow” the new government of the country.
“We are determined to overthrow the government through a cyber attack. We have already demonstrated all strength and power to you,” said the group on its website. “We have our insiders in your government. Also, we are working to gain access to other systems in your government. You have no choice but to pay.”
In a further attempt to increase pressure, the Russian-speaking cybercrime syndicate has raised its ransom demand to $20 million in return for a decryption key to unlock the country’s systems.
Another warning was posted on its dark web portal this weekend, stating that it would delete the decryption keys within a week. That move would make it impossible for Costa Rica to recover the files encrypted by the ransomware without restoring from backups.
“I appeal to all residents of Costa Rica to go to their government and hold rallies to demand that we be paid as soon as they can. If your current government is unable to stabilize the situation, perhaps it is worth changing?”
The devastating attack, which took place on April 19, has caused the new government to declare a state of emergency, while the group has leaked troves of data stolen from the infected systems prior to encryption.
Conti attributed the intrusion to an affiliate actor dubbed “UNC1756,” mimicking the moniker threat intelligence firm Mandiant assigns to uncategorized threat groups.
Affiliates are hacking groups who rent access to already-developed ransomware tools to orchestrate intrusions into corporate networks as part of what’s called a ransomware-as-a-service (RaaS) gig economy, and then split the earnings with the operators.
Linked to a threat actor known as Gold Ulrick (aka Grim Spider or UNC1878), Conti has continued to target entities across the world despite suffering a massive data leak of its own earlier this year in the wake of its public support for Russia in the country’s ongoing war against Ukraine.
Microsoft’s security division, which tracks the cybercriminal group under the cluster DEV-0193, called Conti the “most prolific ransomware-associated cybercriminal activity group active today.”
“DEV-0193’s actions and use of the cybercriminal gig economy means they often add new members and projects and utilize contractors to perform various parts of their intrusions,” Microsoft Threat Intelligence Center (MSTIC) said.
“As other malware operations have shut down for various reasons, including legal actions, DEV-0193 has hired developers from these groups. Most notable are the acquisitions of developers from Emotet, Qakbot, and IcedID, bringing them to the DEV-0193 umbrella.”
The relentless attacks have also led the U.S. State Department to announce rewards of up to $10 million for information leading to the identification of key individuals who are part of the cybercrime cartel.