Hive ransomware

All computer systems on the network of Costa Rica's public health service (known as Costa Rican Social Security Fund or CCCS) are now offline following a Hive ransomware attack that hit them this morning.

Hive, a Ransomware-as-a-Service (RaaS) operation active since at least June 2021, has been behind attacks on over 30 organizations, counting only the victims who refused to pay the ransom and had their data leaked online.

BleepingComputer was able to confirm that Hive ransomware was behind today's attack after seeing one of the ransom notes.

The CCCS publicly acknowledged the attack three hours ago in a statement issued on Twitter, saying that the attackers hacked their way into its network "in the early hours of Tuesday."

While an investigation is still ongoing, the Costa Rican government agency says that citizens' health and tax information stored in the EDUS (Unified Digital Health) and the SICERE (Centralized Tax-Collection System) databases was not compromised.

Employees reported [123] that they were told to shut down their computers and unplug them from the networks after all the printers on the govt agency's network began printing when the attack started.

Some also shared video proof showing stacks of dozens of printed pages filled with gibberish ASCII-based text.

CCCS is now working on restoring the affected systems and critical services, but, so far, it is impossible to determine how long it will take until systems are back up.

CCCS employee tweet

Attack follow a streak of Conti hacks

The incident comes after Costa Rica declared a national emergency following Conti ransomware attacks that hit multiple government bodies, including the Costa Rican Social Security Fund (CCSS).

The list of government entities hit by Conti affiliates also includes the country's Ministry of Finance, its Ministry of Labor and Social Security (MTSS), the Ministry of Science, Innovation, Technology, and Telecommunications, and the Social Development and Family Allowances Fund (FODESAF).

"The attack that Costa Rica is suffering from cybercriminals is declared a national emergency and we are signing this decree, precisely, to declare a state of national emergency throughout the public sector of the Costa Rican State and allow our society to respond to these attacks as criminal acts," said the Costa Rican President when signing the Executive Decree No. 42542 on May 8.

The Conti gang has demanded a $10 million ransom from the Costa Rican Ministry of Finance which the government declined to pay.

The U.S. government is now offering rewards of up to $15 million to anyone who can provide information that can lead to the identification and arrest of Conti ransomware's leadership and operators.

The Conti - Hive link

While Conti is now slowly shutting down operations, it has partnered with numerous well-known ransomware operations, including Hive and HelloKitty, AvosLocker, BlackCat, BlackByte, and others.

Its members have now splintered into smaller semi-autonomous and autonomous groups that have infiltrated the other RaaS groups.

They've also created independent groups focused on data exfiltration and not data encryption (e.g.,  KarakurtBlackByte, and the Bazarcall collective).

Since Conti members have joined Hive's ranks, the groups have begun leaking the victims' data on both leak blogs although they're denying there's any link between the two gangs.

Hive ransomware leak page
Hive ransomware leak page (BleepingComputer)

"AdvIntel identified and confirmed with a high level of certainty that Conti has been working with HIVE for over half a year - since at least November 2021. We have identified extended evidence of HIVE actively using both the initial attack accesses provided by Conti and the services of Conti's pentesters," Advanced Intel's Yelisey Boguslavskiy told BleepingComputer.

"The same individuals were working for both Conti and HIVE, as it is seen in the same victims appearing on shame blogs of both HIVE and Conti simultaneously. HIVE currently serves as one of the negotiation escape roots for Conti."

"Conti members continue negotiations with the victims that they have previously breached under the HIVE brand. This gives them an opportunity to get paid, as, unlike Conti, HIVE is not associated with the direct support of the Russian invasion of Ukraine, despite the fact that the ransom paid to HIVE is most likely received by the same individuals within Conti who claimed the group's collective alignment to the Russian government."

Thx for news tip: Brett Callow

Related Articles:

US offers $10 million for tips on Hive ransomware leadership

INC Ransom threatens to leak 3TB of NHS Scotland stolen data

US offers up to $15 million for tips on ALPHV ransomware gang

KuCoin charged with AML violations that let cybercriminals launder billions

Ransomware as a Service and the Strange Economics of the Dark Web