Costa Rica’s public health system hit by Hive ransomware following Conti attacks

Costa Rica’s public health service, known as the Costa Rican Social Security Fund (CCSS), has been forced to take its systems offline after being hit by Hive ransomware.

In a statement on Twitter, the CCSS said the attack started early on Tuesday morning and that an investigation was underway. It added that several payroll and pension databases, as well as the Unified Digital Health system and the Centralized Tax-Collection System, were not affected by the attack. Speaking to local media, the CCSS added that the Hive ransomware had been deployed on at least 30 of its roughly 1,500 servers and that it could not yet estimate how long recovery would take.

Several CCSS employees said they were told to shut down their computers after the office printers began spitting out unintelligible documents. Another employee said that, as a result of the attack, COVID-19 test results could not currently be reported.

The attack comes just weeks after Costa Rican President Rodrigo Chaves declared a state of emergency in the country in response to cyberattacks from the Conti ransomware group. Costa Rica’s Finance Ministry was the first government body to be hit by the Russia-linked hacking group, and in a statement on May 16, Chaves said the number of institutions impacted had since grown to 27. 

In a message posted to its dark web leak site at the time, Conti urged the citizens of Costa Rica to pressure their government to pay the ransom, which the group doubled from an initial $10 million to $20 million. In a separate statement, the group warned: “We are determined to overthrow the government by means of a cyber attack, we have already shown you all the strength and power.”

Cybersecurity experts have suggested that the cybercriminals behind this latest Hive attack could be working with the Conti gang, helping it rebrand and sidestep international sanctions targeting extortion payments to cybercriminals operating in Russia.

According to threat intelligence company AdvIntel, Conti “can no longer sufficiently support and obtain extortion” because of its public allegiance to Russia in the first days of the Russian invasion of Ukraine, and the company believes the group is in the process of shutting down. The gang’s official website and its negotiation service site have gone dark, while the rest of its infrastructure, from chatrooms and messengers to servers and proxy hosts, is undergoing a major reset.

As a result, AdvIntel believes the gang has formed alliances with other ransomware groups, including Hive, a ransomware-as-a-service (RaaS) operation that has been active since at least June 2021.

Brett Callow, a ransomware expert and threat analyst at Emsisoft, tells TechCrunch: “The same individual could be an affiliate with both Conti and Hive and potentially other RaaS operations too. It’s also possible that Conti and Hive have established a working relationship, as other researchers have claimed. 

“Some negotiating firms have refused to transact with Conti since they sided with Russia and threatened attacks on US critical infrastructure due to the risk of OFAC/sanction complications. Because of that, it’s not unlikely that the core team and/or affiliates want attacks to be attributed to other ransomware operations.”