The global impact of ransomware attacks in Latin America

In the realm of cybersecurity, a prevailing emphasis on localised cyberattacks, coupled with language constraints and algorithmic bias, may lead individuals in the West to notice a lack of attention and discourse surrounding cyberattacks in other regions. This is despite there being a global aspect to many attacks and a large sphere of impact.

An example of this is in Latin America, where countries have experienced major cyber-attacks in recent years, causing disruption to various sectors.

A recent incident took place on 26 May, when the Chilean Army fell victim to a ransomware attack, resulting in the shutdown of all computer systems and preventing remote access via VPN. The Army confirmed that while their critical systems remained unaffected, they took precautionary measures by isolating the network, conducting audits, and eventually restoring the service. The perpetrator behind the attack turned out to be a Chilean soldier, who was subsequently accused of violating computer crime laws.

This recent incident did not cause large-scale disruption to the country, and according to the National Cyber Security Centre's (NCSC) criteria, would fall between a Category 4 or 5 incident, when a cyberattack has a serious or considerable impact on the wider or local government.

In contrast, the larger region has certainly witnessed devastating ransomware attacks that have brought countries to their knees.

One of the most pertinent examples of this was Costa Rica in April 2022. During this time, the Russian cyber OCG (Organised Criminal Group), Conti, carried out an extensive ransomware attack on 27 bodies in Costa Rica's government, commencing with the Ministry of Finance. These attacks occurred over several weeks, suggesting that the group spent several months infiltrating Costa Rica's government systems to execute the attack. Their strategy involved encrypting servers and disconnecting the entire Ministry. After this, Conti demanded a ransom of USD 20 million, which the government refused.

Notably, Conti asserted that they had assistance from insiders within the Costa Rican government, although this claim was never substantiated. However, considering the significant financial resources these cyber OCGs possess, it is plausible that they would bribe officials. Importantly, ransomware groups often employ exaggerated threats and claims, such as that of insiders, to create a sense of urgency and compel the victim to pay the ransom. Instead of payment, the government initiated a manhunt to apprehend the group.

Another consideration was that the attack took place directly after Costa Rica's presidential election, meaning the group likely timed their attack to take advantage of the transition process.

In low-income countries, it is crucial for industry stakeholders to be vigilant about post-election disruption, not only for potential risks like civil unrest but also for an elevated threat of cyber-attacks targeting state institutions. This vulnerability becomes an additional risk that cybercriminals may exploit, making it imperative to recognise and address throughout the risk assessment process.

The result of the attack meant that large swathes of Costa Rica's digital infrastructure were damaged for months.

The systems most affected included online tax collection, disrupting public healthcare and the pay of some public sector workers. In addition, although the ransom was USD 20 million, the combined impact from the loss of productivity in the private and public sectors was estimated to be around USD 30 million per day.

To call the incident disastrous would be an accurate representation, as it resulted in Costa Rica becoming the world's first nation to declare a state of national emergency due to a cyber-attack.

Although the origins of this attack can be traced back to the digital realm, its trajectory was influenced by political factors in the physical world. The hacker group involved was driven by geopolitical rivalries, and their actions were further shaped by the Russian invasion of Ukraine on 24 February 2022.

Shortly after the invasion, Conti publicly declared their support for the Russian invasion, by promising retaliatory attacks on anyone who targeted Russian assets. However, a significant turn of events occurred when one of the group's insiders, an anonymous supporter of Ukraine, in an act of retribution betrayed them by leaking their toolkit, internal chats, and other confidential information online, soon after Conti’s public declaration. This leak had a profound impact, causing Conti's footprint in the cyber sphere to diminish and contributing to the demise of their attack campaign.

While the leak occurred before the attack on Costa Rica, it is likely that the attack was already in its planning stages at the time of the leak. As such, while Conti proceeded with the attack, they were operating in an already weakened state. Cyber experts have also commented that the dissolution of the group may have not been directly from the leak, but that it accelerated existing tensions that led to the group's demise. Importantly, the public declaration of support for Russia also decreased the group’s financial ability as entities which may have paid ransoms before no longer did due to the risk of sanctions.

The broader impact of the attack meant that Costa Rica’s customs systems were forced to use paper and email, delaying the whole process and of course, had a dire financial impact.

As a result, the country’s international trade was halted and naturally, companies bore the brunt of this. Examples included containers being left for days while dealing with the extended custom period, meaning a company would have to pay additional fees.

To make matters worse, Costa Rica was shortly hit with another attack by the ransomware gang Hive, which was also linked to Conti, and targeted the social services agency, severely disrupting the healthcare system.

The consequences for businesses affected by attacks of this nature extend beyond immediate disruptions and encompass long-term processes. These include managing relationships with the public, suppliers, and customers, all of whom are likely to become aware of such a large-scale attack. As a result, customer confidence, in the long run, can be significantly undermined, leading to adverse effects on profits.

Costa Rica’s recovery process from the ransomware attack lasted for several months, placing the incident within Category 2 of the NCSC’s criteria, where a cyberattack has a serious impact on the central government.

Like other ransomware attacks, the only means to decrypt the data was to obtain the key from the attackers. In the absence of this key, systems had to be completely reconstructed, and exhaustive scans of backups were conducted to ensure the complete elimination of the original malware.

Although national governments do not tend to be the target of ransomware attacks, the Conti/Hive incidents were standout cases that showed other cyber gangs that it is possible to hold entire nations to ransom.

This will continue to be a problem for low-income countries where there is less emphasis on spending on defensive capabilities and thus raising their cyber resilience. This results in low-income countries having to rely on larger international players – cyber powers – to provide the requisite training, capabilities, and strategy for better cyber defence.