Costa Rican president begins tenure with ransomware national emergency declaration

Written by AJ Vicens

The new president of Costa Rica declared a national emergency over the weekend as fallout continues from a late-April ransomware attack.

President Rodrigo Chaves Robles, who began a four-year term as president Sunday after winning the country’s April 4 election, signed the declaration on May 8 as one of his first official acts, according to local news outlet Amelia Rueda. The executive decree reads, in part, that Costa Rica is “suffering from cybercriminals, cyberterrorists” and that the decree allows “our society to respond to these attacks as criminal acts.”

Somebody calling themselves “unc1756,” using the Russia-based Conti ransomware platform, claimed responsibility for the April 17 attacks in a post on the Conti dark web data portal. The post indicates that 97% of the stolen data has been published so far, totaling more than 672 gigabytes of information.

The post also blames the government of Costa Rica for not paying the original $10 million ransomware demand, which outgoing President Carlos Alvarado said was an attempt to “threaten the country’s stability in a transitional situation.”

The hacker message reads: “It is impossible to look at the decisions of the administration of the President of Costa Rica without irony … All this could have been avoided by paying you would have made your country really safe, but you will turn to Bid0n (sic) and his henchmen, this old fool will soon die.” The poster went on to say the purpose of the attack was “to earn money” and “in the future I will definitely carry out attacks of a more serious format with a larger team, Costa Rica is a demo version.”

Screenshot of the message posted along with the Costa Rican files as of May 9, 2022.

Shortly after the Costa Rica attacks, nearly 9.5 gigabytes of data taken from Peru’s intelligence agency were posted to the Conti leak site. One of the file names in that dump referenced “unc1756,” but it’s not clear if the same people were behind both attacks.

Screenshot of the purported Peruvian intelligence agency files on Conti’s data portal.

The term…