This week, Costa Rica came under attack - again.
On Tuesday morning in the Central American country, printers at the national health service abruptly churned out copies of a ransomware note.
Hospital record-keeping systems went down, and screens flashed up demands for a digital key needed to unlock compromised files and servers.
Widespread shut- downs and disruptions to essential government services in Costa Rica have led to the country declaring a state of emergency. Photo: 123RF
This was just the latest in a string of cyber attacks that have knocked out basic government services, including the online tax portal and automated system for paying teachers' salaries.
Costa Rica is now in an official state of emergency - the first time a country had done this as a response to cyber attacks.
Security experts feared other countries would be next, as criminals spy soft targets in public infrastructure like trains, hospitals, and schools.
So who's responsible? And who's next?
'That's when the panic started'
Corporate and government ransomware victims typically tend to avoid speaking publicly about the reputation-damaging events of an attack, but that was not the case with Costa Rica.
It was too big to hide.
Accounts from first responders have provided a rare insight into how these attacks unfolded - and the scramble to defend against them.
On 18 April, Esteban Jimenez, founder of the Costa Rica-based cyber security company ATTI, received a call from the country's ministry of finance.
"All the systems were completely blocked," he told the ABC.
"That's when the panic started. And that's when they called us for assistance."
The attackers appeared to have infiltrated government computers with a tool called Cobalt Strike, allowing them to deploy another piece of software, named Beacon, on the target machine.
With Beacon, they could log keystrokes, transfer files, execute commands, and generally do everything necessary to steal and encrypt data.
In a ransomware attack, data is stolen or encrypted, and the attackers demand money to restore access to the data.
The first Cobalt Strike infiltration happened at least as early as February, and could have been carried out any number of ways, including by email or through a public servant visiting a compromised website.
Costa Rica's new President Rodrigo Chaves declared the country was "at war" with Conti. Photo: 123rf
Jimenez and the other first responders counted 860 servers either locked up with ransomware, or disabled in some other way by the attack.
"We took the decision to just shut everything down."
The next step was to restore the servers from backups that system operators had kept for just these occasions.
One problem: "There were no backups whatsoever," Jimenez said.
"Every single system that was externally facing, every single app that the ministry [of finance] had available for people, was blocked."
With the systems down, disorder rippled through the country.
An entire country held to ransom
The attack affected 29 public institutions, including the ministries of finance, social security, meteorology, electricity, and sciences, innovation, technology and telecommunications.
Teachers found they weren't getting paid.
"The Ministry of Public Education had more than 13,000 teachers with wrong payments because they lost the actual system that was tracking down accurate payments," Jimenez said.
Customs officers had to resort to paper forms, slowing the processing of imports, which meant food and other perishables spoiled on the docks.
"It's impossible for a person to deal with 200,000 forms manually every day."
Services websites equivalent to the ATO or MyGov were offline.
Taxes couldn't be paid online.
"People were required to go to the bank with a manual form created by their accountants, like it was done 20 or 30 years ago."
First responders raced to get systems back online.
The city of San Jose, is both Costa Rica's capital and its largest city. Photo: 123rf
At one point, Jimenez took the unconventional step of using the Wayback Machine, a free archive of the World Wide Web, to cobble together the source code for the ministry of finance website.
"We we were able to pull out a full backup from the main website."
But even as they repaired the damage, more trouble was brewing.
This week's follow-up attack resulted in the public health service shutting down its digital record-keeping system, which affected about 1200 hospitals and clinics, and likely thousands of patients.
Teachers were still getting paid the wrong amount and tax collection and customs declarations were still relying on manual forms.
Jimenez estimated the attacks had cost at least half a billion dollars.
"And for a country of 5 million people, that's a lot of money.
"What we saw before were attacks targeting random private companies; never an attack like this.
"This was very, very well orchestrated."
Who's responsible?
Plotting the events that had unfolded as the attacks progressed was the easy part. Figuring out who was ultimately behind it all would be a lot harder.
On the surface, it might seem obvious. According to media reports, the Russia-linked group Conti was responsible for the April attacks, while another Russian group, Hive, did the latest ones.
But it's more complicated than that.
In recent years, the business of ransomware evolved into a sophisticated ecosystem, with different groups offering specialised services for each part of the process.
Access brokers sell the initial access to the compromised network, while ransomware-as-service groups sell the platform required to carry out the attack.
Conti is one of these latter groups. For the Costa Rica attack, they were merely selling a service, said Adam Meyers, senior vice-president of intelligence for CrowdStrike, one of the largest cybersecurity companies in the world.
"They'll take 20 percent or 30 percent off of the ransom for themselves in order for you to use their platform for both ransomware and data extortion."
That has left two missing pieces: the identities of the access broker and Conti's client, or affiliate.
The access broker appeared to be Russian-speaking, Meyers said.
Ahead of the attack, a Russian-speaking broker was advertising access "to a Costa Rican government entity" on "underground forums" covertly monitored by CrowdStrike.
The Costa Rican government wasn't warned at the time, Meyers said.
"It would be difficult for us to notify everybody."
Pedestrians in the Plaza de Juan Rafael Mora, San Jose, Costa Rica Photo: 123rf
And what was know about the identity of Conti's client?
"Not much," Meyers said.
"They used Conti and they were effective."
So, who's Conti?
Until recently, Conti was the biggest, baddest ransomware gang around.
In 2021, it extorted $US150 million, eclipsing all other ransomware gangs.
But its motivations have not been purely financial.
"Over time, it's become increasingly ideological," said Robert Potter, an Australian cybersecurity expert.
"It's been increasingly getting more comfortable being part of the Russia government."
This proximity had its problems: Conti had more trouble collecting ransoms because victims were advised that paying could mean violating US economic sanctions on Russia.
Some insurers said they wouldn't pay out for Conti attacks, as the attack was deemed to be state-sponsored.
The group's relationship with the Russian government came to a point at the end of February, when Russian president Vladimir Putin ordered the army to invade Ukraine.
Conti offered its full support to the Russian government:
It later walked this declaration back, but the damage was done.
Days later, a Ukrainian security expert leaked many months' worth of internal chat records between Conti personnel, exposing the daily, mundane inner workings of the criminal group.
One revelation was its size: Conti typically numbered fewer than 100 members.
After the leak, Conti went quiet. Then Costa Rica was attacked.
Who's Hive?
The Hive ransomware group was newer than Conti and kept a lower public profile, but the two had close ties.
Since the February data leak, some of Conti's leadership had reportedly joined Hive, leading to speculation that the two were much the same thing.
By rebranding as the lesser-known Hive, Conti could solve the problem of its perceived closeness with the Russian government.
Like most other ransomware groups, both Conti and Hive were based in Russia and eastern Europe.
CrowdStrike's Adam Meyers said this week's Hive attack was "interesting timing, because Conti had effectively shut down and it was possible that the affiliate that was using Conti had moved to Hive".
Is Russia behind it all?
The big question was what the Russian government's role was in the attack. Here, expert opinions vary widely.
The government had allowed Russia-based ransomware gangs to operate and target victims outside the country, but that didn't mean it was directing the attack against distant Costa Rica, Meyers said.
"The Russian government clearly has their hands full right now.
"This is financially motivated. [The attackers] are trying to make money. These actors are coin-operated."
Conti has claimed this is the case. In May, it posted on its website:
"No government of other countries has finalised this attack, everything was carried out by me with a successful affiliate. The purpose of this attack was to earn money."
But Esteban Jimenez had a very different take.
The Costa Rican cybersecurity expert regarded the attack as an opportunity for the group to hurt a close US ally and follow through on its threat over support for Ukraine.
The Russian government may not have been involved, but the motivation was ideological, not purely financial, he said.
"I think money was not the problem for them. This was just a display of power."
Costa Rica refused to negotiate or pay the ransom, which started out at $US10 million and was later doubled.
Who's next?
Following the April attack, Conti warned it would target other countries next.
"Costa Rica is a demo version," it posted on its website.
The greater the potential disruption to the public, the better the target, CrowdStrike's Adam Meyers said.
"These organisations go after infrastructure that has to be up and running.
"Health care is a big one ... and schools and education.
"Here in the US, the school year typically starts in August or September. So we've seen a lot of ransomware targeting state and local government and schools at around that time period."
Whoever's targeted, the trend for the number of attacks is climbing steeply: CrowdStrike observed, on average, more than 50 targeted ransomware demands per week last year, with each demand averaging a whopping US$6.1 million.
- ABC