Costa Rica is still reeling from the ransomware attacks deployed by the Conti group, and now the Hive ransomware group has joined in. According to Bleeping Computer, the Hive ransomware group is behind the attack beginning 31 March 2022 targeting Costa Rica’s public health service.
The Costa Rican government agency has publicly stated that an attack took place early Tuesday morning. The targeted government entities included the Costa Rican Social Security Fund (CCSS). The government also stated that the EDUS (Unified Digital Health) database and SICERE (Centralized Tax-Collection System) database storing citizen health and tax information have not been compromised. Employees at the targeted agencies were instructed to shut down their computers and disconnect them from the local networks. When the attack began, employees reported that printers on the network began printing random ASCII characters.[1] According to Reuters, CCSS President Alvaro Ramos told the media that 30 of the 1,500 servers owned by the CCSS were impacted by the attack.[2]
Costa Rican President Rodrigo Chaves had recently declared a state of emergency in response to the Conti attack, which impacted 27 government institutions. Following the attack, the Conti group began taking down infrastructure and shutting down its operation. Security experts believe that, in the process of shutting down, the group has partnered with other known ransomware groups, including the Hive ransomware group. Other groups that are believed to be affiliated with the Conti group include HelloKitty, AvosLocker, BlackCat, and BlackByte, among others.[3]
The piggyback attack on the Costa Rican government raises the question: did the Hive attack make use of the Conti group's existing entry point? According to AdvIntel, the Conti group has been working with Hive since November 2021, and Hive has been using initial access provided by Conti to initiate attacks.
Both Conti and Hive have carried out numerous successful ransomware attacks to date, and the collaboration between these threat actors demands attention from cyber security professionals. The Hive ransomware group has previously shown its adaptability and its ability to adopt the tactics of other successful groups, including BlackCat. As Conti affiliates expand into other ransomware outfits, including Hive, we can expect the Hive group to have a busy summer.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@wapacklabs.com
Weekly Cyber Intelligence Briefings:
- Reporting: https://www.redskyalliance.org/
- Website: https://www.wapacklabs.com/
- LinkedIn: https://www.linkedin.com/company/64265941
REDSHORTS - Weekly Cyber Intelligence Briefings
https://attendee.gotowebinar.com/register/3702558539639477516
[1] https://www.bleepingcomputer.com/news/security/costa-rica-s-public-health-agency-hit-by-hive-ransomware/
[2] https://www.reuters.com/world/americas/latest-cyberattack-costa-rica-targets-hospital-system-2022-05-31/
[3] https://www.bleepingcomputer.com/news/security/conti-ransomware-shuts-down-operation-rebrands-into-smaller-units/