2022-07-26

Reviewing The Costa Rica Ransomware Attack


Industry: Government | Level: Tactical | Source: AdvIntel

AdvIntel recapped the events of the ransomware attack against Costa Rica's government, which resulted in a state of emergency being issued on May 8th, 2022. The campaign was revealed as a smokescreen from Conti ransomware to generate publicity and attempt to quietly shut down its operations. Analysis of the attack found that initial access was obtained on April 11th, 2022, through compromised VPN credentials. The intrusion spanned five days of data exfiltration and ransomware execution, with "the massive data exfiltration prolonging the exploitation operation prior to the ransomware deployment." Tools and exploits used in the attack included Cobalt Strike, AdFind, Mimikatz, PsExec, Rclone, and ZeroLogon (CVE-2020-1472).

Anvilogic Scenario:

  • Cobalt Strike & Discovery Activity Leads to Data Compromise

Anvilogic Use Cases:

  • Cobalt Strike Beacon
  • Adfind Commands
  • ZeroLogon CVE-2020-1472
