Details have emerged on how the Conti ransomware gang breached the Costa Rican government, showing the attack's precision and the speed of moving from initial access to the final stage of encrypting devices.
This was the last attack by the Conti ransomware operation before the group transitioned to a different organizational model that relies on multiple cells working with other gangs.
On April 11, 2022, Conti began their last incursion under this brand after gaining initial access to the Costa Rica government’s network and engaging in reconnaissance activity.
A report from cyber intelligence company Advanced Intelligence (AdvIntel) details the Russian hackers’ steps from initial foothold to exfiltrating 672GB of data on April 15 and executing the ransomware.
The threat actor's entry point was a system belonging to Costa Rica's Ministry of Finance, to which a member of the group, referred to as 'MemberX', gained access over a VPN connection using compromised credentials.
Advanced Intelligence CEO Vitali Kremez told BleepingComputer that the compromised credentials were obtained from malware installed on the initial device compromised on the victim network.
The researchers say that Conti operators leveraged Mimikatz to run a DCSync and Zerologon attack that gave them access to every host on Costa Rica’s interconnected networks.
Stealing the data was possible using Rclone, a command-line program for managing files across multiple cloud storage services; Conti used it to upload the data to the MEGA file-hosting service.
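Two of the behaviours named above (DCSync replication requests and Rclone uploads to a cloud remote) leave recognisable traces in standard Windows telemetry. The following detection logic is an added example written for this post, not code from the original article or from AdvIntel's report. The event IDs, the two replication-right GUIDs and the rclone `remote:path` syntax are real; the sample records, the `KNOWN_DC_ACCOUNTS` list and the function names `is_dcsync`, `is_rclone_upload` and `analyze` are constructed for this example.

```python
"""Detection logic for two behaviours named in the Conti/Costa Rica summary:
DCSync-style directory replication requests (Windows Security event 4662)
and rclone uploads to a cloud remote (process-creation events, 4688/Sysmon 1).
Every record in SAMPLE_EVENTS is constructed for this example."""
import re
from dataclasses import dataclass, field

# Control-access-right GUIDs that Active Directory checks before it will
# replicate directory changes. A DCSync asks a DC to replicate, so a 4662
# that grants these rights to a non-DC principal is the core signal.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
}

# Assumption: the defender maintains the list of domain controller computer
# accounts; DCs replicate with each other legitimately and must be excluded.
KNOWN_DC_ACCOUNTS = {"DC01$", "DC02$"}

RCLONE_VERBS = {"copy", "sync", "move", "copyto", "moveto"}
# An rclone remote is written "name:path"; requiring two or more characters
# before the colon keeps Windows drive letters (C:\...) from matching.
REMOTE_RE = re.compile(r"(?<![\w\\/])[A-Za-z][\w-]+:")


@dataclass
class Event:
    event_id: int
    subject: str                      # SubjectUserName as logged
    fields: dict = field(default_factory=dict)


def is_dcsync(ev):
    """4662 carrying a replication right, requested by a non-DC principal."""
    if ev.event_id != 4662:
        return False
    props = ev.fields.get("Properties", "").lower()
    if not any(guid in props for guid in REPLICATION_RIGHTS):
        return False
    return ev.subject.upper() not in KNOWN_DC_ACCOUNTS


def is_rclone_upload(ev):
    """Process creation of rclone with a transfer verb and a remote target."""
    if ev.event_id not in (4688, 1):  # Security 4688 or Sysmon event 1
        return False
    image = ev.fields.get("NewProcessName", "").lower()
    cmd = ev.fields.get("CommandLine", "")
    if "rclone" not in image and "rclone" not in cmd.lower():
        return False
    tokens = cmd.split()
    if not any(t.lower() in RCLONE_VERBS for t in tokens):
        return False
    return any(REMOTE_RE.search(t) for t in tokens)


def analyze(events):
    """Return (rule_name, subject) for every record that trips a rule."""
    hits = []
    for ev in events:
        if is_dcsync(ev):
            hits.append(("dcsync_from_non_dc", ev.subject))
        if is_rclone_upload(ev):
            hits.append(("rclone_upload_to_remote", ev.subject))
    return hits


# Constructed sample telemetry (not real log data).
SAMPLE_EVENTS = [
    Event(4662, "svc_backup", {"Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} "
                                             "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"}),
    Event(4662, "DC02$", {"Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"}),
    # Placeholder GUID standing in for any non-replication access right.
    Event(4662, "jdoe", {"Properties": "{00000000-0000-0000-0000-000000000000}"}),
    Event(4688, "svc_backup", {"NewProcessName": r"C:\Users\Public\rclone.exe",
                               "CommandLine": r"rclone.exe copy C:\Data mega:exfil --transfers 8"}),
    Event(4688, "svc_backup", {"NewProcessName": r"C:\Users\Public\rclone.exe",
                               "CommandLine": "rclone.exe version"}),
    Event(4688, "jdoe", {"NewProcessName": r"C:\Windows\notepad.exe",
                         "CommandLine": r"notepad.exe C:\notes.txt"}),
]

if __name__ == "__main__":
    for rule, who in analyze(SAMPLE_EVENTS):
        print(f"ALERT {rule}: {who}")
```

The DCSync rule keys on the replication rights themselves rather than on a tool name, so it fires whether the request came from Mimikatz or any other client; the exclusion list is what keeps normal DC-to-DC replication quiet. The rclone rule is a heuristic: a renamed binary still matches when the command line keeps a transfer verb and a `remote:` target, which is the shape an upload to MEGA takes.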
Full article at https://www.bleepingcomputer.com/news/security/how-conti-ransomware-hacked-and-encrypted-the-costa-rican-government/
#conti #ransomware #costarica #government #VitaliKremez #AdvIntel #yokdata #blog