Fraud Management & Cybercrime , Ransomware

Costa Rican Health Agency Hit by Apparent Hive Attack

Incident Follows April Conti Attack on Multiple Costa Rican Agencies
Costa Rican Health Agency Hit by Apparent Hive Attack

Costa Rica's national public health services agency has been hit by a cyberattack allegedly launched by ransomware group Hive. The incident comes weeks after an attack reportedly carried out by another Russian-based ransomware group, Conti, targeted several Costa Rican government agencies, including the same health agency.

See Also: OnDemand | Leveraging Automation to Reduce Third Party and Supply Chain Risk in Healthcare

The health agency, Caja Costarricense de Seguro Social, or the Costa Rican Social Security Fund, CCSS, in a series of tweets and during a press briefing shown on its Facebook page on Tuesday, confirmed it had been hit by a ransomware attack in the early hours of Tuesday, May 31.

Taking Systems Offline

CCSS in its tweets says that once the ransomware was detected, the agency proceeded to take systems offline "to review and from there work on immediate solutions and lift the services as soon as possible."

The agency's Edus, Sicere, payroll and pension databases were not compromised, CCSS says in a tweet. Government authorities are doing analysis "to try to restore critical services, but it is not possible to determine when they will be in operation. … We will be reporting in a timely manner at the time they are restored," CCSS says in a tweet.

All CCSS health establishments are implementing their contingency plans to guarantee the continuity of care for patients based on their capacities and resources "with the aim of organizing services with the least possible impact," CCSS tweeted.

Also, 136 CCSS medical centers have set up a telephone line to answer questions from patients, the agency says. "The medical centers will maintain this service for the period of this emergency."

Several government agencies are coordinating and collaborating with CCSS in response to the attack, CCSS says.

Hit by Hive

Media outlet Bleeping Computer reports having seen a ransom note left by ransomware group Hive in the attack yesterday on CCSS.

The CCSS incident comes on the heels of an attack allegedly carried out in April by fellow Russian-based ransomware group Conti (see: Conti Ransomware Targets Cost Rican Government Entities).

The Costa Rican agencies targeted in that attack included the Ministry of Finance - or Ministerio de Hacienda; the Ministry of Science, Innovation, Technology and Telecommunications - or MICITT; the Instituto Meteorológico Nacional - or IMN; the Radiográfica Costarricense - or RACSA; and also a portal of CCSS.

Conti on its leak site in May claimed the group was working with "insiders" in the Costa Rican government to compromise other systems.

Costa Rican President Rodrigo Chaves Robles on May 8, his first day in office, declared a national emergency following the initial attacks (see: Conti Claims it Has Insiders in Costa Rican Government).

In those attacks, Conti reportedly initially demanded a $10 million ransom but then doubled the ransom when Costa Rica refused to pay. On May 20, Conti leaked more than 670 gigabytes of data stolen from Costa Rican government computers.

Other Attacks

Conti has been tied to dozens of attacks, including other major incidents involving the healthcare sector and government entities across the globe. That includes a ransomware attack last year on Ireland's national health system, the Health Service Executive, which caused a widespread IT disruption lasting months (see: Report Dissects Conti Ransomware Attack on Ireland's HSE).

Meanwhile, Hive also has been tied to major ransomware attacks across a number of sectors, including healthcare. Among recent healthcare sector entities allegedly hit by Hive was Fairfield, California-based Partnership HealthPlan of California, or PHC, which is the subject of at least one class action lawsuit following its attack in April. That incident resulted in PHC reporting to regulators a health data breach affecting nearly 855,000 individuals (see: 3 Health Data Hacks Affect 1.4 Million Individuals).

U.S. federal authorities in April issued an alert for the healthcare sector, warning of potential attacks by Hive (see: HHS HC3 Warns Healthcare Sector of Hive Threats).

Easy Targets?

Conti's alleged attacks in April on multiple Costa Rican government agencies appear to be a precursor to the assault reportedly carried out by Hive this week on CCSS, some experts say.

"When ransomware actors identify potentially vulnerable systems, then other affiliates are likely to hit similar targets. Vulnerabilities attract targets, and Conti proved more than one Costa Rican public sector was vulnerable," says Raj Samani, senior vice president and chief scientist at security firm Rapid7.

Groups are also likely to target sectors such as healthcare, which will yield them the greatest likelihood that ransom will be paid due to the importance and criticality of systems, he says.

"With the risk of ransomware potentially affecting if someone lives or dies, healthcare organizations are more likely to pay ransoms. However, while it might seem the simple solution to the problem, paying the ransom should be the last thing organizations do."

Group Rebranding

Threat intelligence firm Advanced Intelligence recently reported that the Russian-language criminal syndicate behind Conti ransomware had retired the brand name linked to internal fallout within the group after Conti in February briefly posted on its leak site support of Russia's Feb. 24 invasion of Ukraine (see: Conti Ransomware Group Retires Name After Creating Spinoffs).

Advanced Intelligence reports that at least some current and former members of Conti who are Ukrainian or have Ukrainian family severed ties or even leaked information from the group following the post.

Since then, Conti has forged closer alliances with some other groups, including Hive, as well as Alphv/BlackCat, AvosLocker, and HelloKitty/FiveHands, the report says.

Conti has also created multiple spinoffs by using stand-alone strains of malware the group already developed or acquired or by creating new brands, according the report.

'Wake-Up Call'

Some experts agree that some ransomware groups appear to be joining forces with one another.

"It appears that some of these ransomware gangs may be collaborating and even sharing information to other gangs in order to increase the number and severity of attacks, possibly to try and extort a higher ransom," says retired supervisory FBI agent Jason G. Weiss, an attorney at law firm Faegre Drinker Biddle & Reath LLP.

"This is a dangerous evolution in the battle against these ransomware gangs as it makes it even harder for victims to protect themselves when there is collaboration and information sharing among the cyberthreat actors."

Weiss says other governments should look at this development "as a huge wake-up call" to perform a proactive review of their critical networks, look for indicators of compromise and indicators of attack, and start hardening their networks as soon as possible.

"It appears that the Costa Rican government had some areas that were open to attack, and that Hive and Conti were able to exploit that," he says. "That also tells me that other groups are going to copy this blueprint against not just Costa Rica but other countries to see if they can exploit network weaknesses and launch their malware."


About the Author

Marianne Kolbasuk McGee

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing govinfosecurity.com, you agree to our use of cookies.