{
	"id": "afbc2a97-23bf-4735-b4be-efe7b5637f97",
	"created_at": "2026-04-06T00:13:14.384408Z",
	"updated_at": "2026-04-10T03:20:39.408542Z",
	"deleted_at": null,
	"sha1_hash": "ab107dfe972b1aef2f705d745f84c3ee569f65b9",
	"title": "Son of Conti: Ransomware tries its hand at politics",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 135144,
	"plain_text": "Son of Conti: Ransomware tries its hand at politics\r\nBy Dina Temple-Raston\r\nPublished: 2023-01-12 · Archived: 2026-04-05 16:48:21 UTC\r\nIt has been a busy spring for the Russian-speaking ransomware group Conti.\r\nAfter an unprecedented leak of its internal chat logs earlier in the year that had experts predicting the group’s\r\ndemise, Conti, or at least some subset of it, came back with a vengeance. \r\nIn April it attacked Costa Rica, hacking into dozens of its government agencies and encrypting key servers at the\r\nMinistry of Finance, known as the Ministerio de Hacienda. Then, a month later, another ransomware group called\r\nHIVE took aim at the nation’s health services – canceling schedules and erasing medical records. (Researchers are\r\ndivided on whether Conti, infamous for its hacks on health services during the pandemic, played a hand in that\r\noperation as well.)\r\nCosta Rica’s new President Rodrigo Chaves declared a national state of emergency in May, marking the first time\r\na national leader responded to a cyberattack the same way they might respond to a military attack or natural\r\ndisaster. \r\n\"We are at war and that is not an exaggeration,” Chaves told reporters days after taking office. \r\nConti doubled down: “We are determined to overthrow the government by means of a cyberattack,” they said.\r\n“We have already shown you all the strength and power.” \r\nConti is thought to have shut down the last of its public servers this week. But no one expects them to go away\r\ncompletely. The attack on Costa Rica has raised the specter of ransomware actors changing direction and the\r\nconcern is that the next generation of ransomware attacks – or the next generation of Conti, the Son of Conti –\r\nwill focus not just on money but on politics. 
\r\nClick Here spoke with Jorge Mora, Costa Rica’s former director of the Ministry of Science, Innovation,\r\nTechnology and Telecommunications (MICIT) and Mario Robles, the CEO and founder of White Jaguars, a\r\nCosta Rican cybersecurity company that helped the San José government respond to the attack.\r\nThe interview has been edited and condensed for clarity.\r\nCLICK HERE: Mr. Mora, you were with MICIT when the attack happened… what went through your mind when you\r\nrealized Conti had targeted you?\r\nJORGE MORA: I was very worried. When I saw it was Conti, the same group that had attacked other countries\r\nand other institutions around the world, I was very worried. In the initial stages of the attack, Costa Rica’s Finance\r\nMinistry told us they had it under control, but it was clear they didn’t. Conti started to encrypt the ministry’s data\r\nand we struggled to understand the real impact.\r\nhttps://therecord.media/son-of-conti/\r\nPage 1 of 5\n\nMARIO ROBLES: Of course we knew about Conti and there were some alerts of potential ransomware attacks\r\nhere in Costa Rica. But people had the sense it couldn’t happen here.\r\nCH: Jorge, you left your post on May 7, just before President Rodrigo Chaves took office. He declared a\r\nnational emergency in response to the attacks by Conti. Was that the right move?\r\nJM: Under the previous administration, we asked what’s the signal we’re sending to the international community\r\nby declaring a national emergency. We coordinated a lot with other countries, like the United States, Spain, and\r\nIsrael. We also worked with the private sector to increase the cybersecurity systems. At this moment, I don't think\r\nthe national emergency was necessary.\r\nCH: What lessons were learned from this attack by Conti?\r\nJM: Maybe the first lesson is the importance of living in a connected and digital world. There are new security\r\nchallenges. 
The dangers are in your house and your office because you enter a digital world. Both in the private\r\nand public sectors, we need to increase the budget in Costa Rica to protect digital systems and boost education\r\nabout cyber security because people don’t know how to protect themselves online.\r\nMR: The problem is more fundamental. Costa Rica doesn't have enough resources for enforcing or auditing\r\ninstitutions. So we're talking about a group of people, less than five people handling cybersecurity controls in\r\nmore than 300 institutions. That's crazy.\r\nCH: Before Conti went after Costa Rica, how prepared do you think the country was for this kind of attack?\r\nJM: We worked a lot with the European Union in cybersecurity training, and with IT teams in the public sector\r\nover the last couple of years. So, we always told the Costa Rican government that these kinds of incidents were a\r\nprobability, and we need to work to reduce the risk but they didn’t listen. \r\nCH: Hackers struck again in May, but this time they targeted the Costa Rican Social Security fund, which\r\nmanages the country’s public health system and pension checks. Some people think Conti was involved or at least\r\nworked with another group to launch that attack… what was your reaction when that news came, Mario?\r\nMR: To be honest, that’s the attack that scares me the most because it affected the Costa Rican people directly. At\r\nthe moment, for instance, you don't have a way to know your healthcare records. People say they were waiting for\r\nsurgery for more than a year. And right now the appointment schedule is just lost. Medical records are blocked or\r\nare not available. So there is no way that doctors can see the historical information for treating a new patient. I\r\nthink that’s critical.\r\nCH: So why Costa Rica?\r\nJM: One hypothesis is that Costa Rica had the ability to pay and it was vulnerable. 
There is also reason to believe\r\nthat Conti had shifted its focus to the region. We think they had been in contact with other cyber gangs in the\r\nregion… particularly in Peru… and we think that played a role. \r\nMR: I think it is about relationships and geo-politics. Costa Rica may have also been targeted because of its strong\r\nties to the United States. Many U.S. companies are here and we’ve been very public about encouraging the nation\r\nto have a strong relationship with the U.S. So, for a Russian group trying to hit a small country in Central\r\nAmerica, it makes sense that we would be targeted and that it would be us.\r\nCH: Do you think we’re seeing the beginning of a new trend – country extortion instead of more run-of-the-mill\r\nransomware attacks? Do you think Costa Rica will be hit again?\r\nJM: Yes, I think we are going to have more incidents in the future. At this moment, Costa Rica doesn’t have\r\nenough of a budget to protect all the institutions, and we have a digital divide in public situations. So, these two\r\nsituations make us vulnerable. We need to try to work to reduce this risk as much as possible. We need to prepare\r\nwith the backups, communication and cybersecurity strategy plans. We also need to increase international\r\ncollaboration. For example, the United States helped us a lot by offering a $10 million reward [for any information\r\nleading to the arrest of leaders of Conti].  \r\nMR: If we get hit again, I don’t think it's going to be shocking for the people here. They're kind of getting used to\r\nit. It's bad to say that, but I think it's what's happening. They’ve gotten kind of numb. \r\nCH: Do you think Conti still exists? \r\nMR: Um. I think they do. They just say they are disbanding the group, but I'm, I'm not completely sure…I don't\r\nthink they're going to stop this. So they're going to come back with another name. 
I don't think they're going to\r\nstop.\n\nDina Temple-Raston\r\nis the Host and Managing Editor of the Click Here podcast as well as a senior correspondent at Recorded Future\r\nNews. She previously served on NPR’s Investigations team focusing on breaking news stories and national\r\nsecurity, technology, and social justice and hosted and created the award-winning Audible Podcast “What Were\r\nYou Thinking.”\n\nSean Powers\r\nis a Senior Supervising Producer for the Click Here podcast. He came to the Recorded Future News from the\r\nScripps Washington Bureau, where he was the lead producer of \"Verified,\" an investigative podcast. Previously, he\r\nwas in charge of podcasting at Georgia Public Broadcasting in Atlanta, where he helped launch and produced\r\nabout a dozen shows.\r\nSource: https://therecord.media/son-of-conti/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://therecord.media/son-of-conti/"
	],
	"report_names": [
		"son-of-conti"
	],
	"threat_actors": [],
	"ts_created_at": 1775434394,
	"ts_updated_at": 1775791239,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ab107dfe972b1aef2f705d745f84c3ee569f65b9.pdf",
		"text": "https://archive.orkl.eu/ab107dfe972b1aef2f705d745f84c3ee569f65b9.txt",
		"img": "https://archive.orkl.eu/ab107dfe972b1aef2f705d745f84c3ee569f65b9.jpg"
	}
}