
The Conti ransomware gang breached Costa Rican government networks and encrypted their systems.


This was the last attack by the Conti ransomware operation before the group switched to a new organisational structure that relies on multiple cells collaborating with other gangs.

A report details the Russian hackers' steps from establishing a foothold to stealing 672 GB of data and launching the ransomware on April 15.


According to the researchers, Conti operators used Mimikatz to run DCSync and Zerologon attacks against the domain controllers. DCSync abuses the directory replication protocol to pull every account's password hash from a domain controller, so once the credential dump was in hand the operators could authenticate to every host on Costa Rica's interconnected networks.

Conti also installed the Atera remote access tool on hosts that had administrative privileges but little user activity, as a fallback channel so they would keep access even if defenders detected and removed the Cobalt Strike beacons.


The attackers then pinged the entire network, re-enumerated the domain trusts, and used enterprise administrator credentials with ShareFinder to compile a list of all corporate assets and databases.
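The three techniques above each leave a recognisable trace in Windows event logs, and a defender reading this report would want to know what to look for. The following is an added example, not code from the report or from the page: a small detector for DCSync (Security event 4662 exercising replication rights from a non-DC account), Zerologon (Security event 4742 resetting a domain controller's machine-account password from ANONYMOUS LOGON or any principal other than the DC itself), and the Atera fallback agent (System event 7045 installing an unexpected remote-access service). The domain controller account names, the remote-access tools listed beyond Atera, and the event records it runs over are constructed assumptions for illustration; the replication-right GUIDs are the real Active Directory values.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Active Directory control-access-right GUIDs. A principal that holds these on
# the domain object may request password data through the replication
# protocol, which is exactly what DCSync does.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
    "89e95b76-444d-4c62-991a-0facbeda640c",  # DS-Replication-Get-Changes-In-Filtered-Set
}
GUID_RE = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}")

# Assumed environment knowledge: the machine accounts of the domain controllers
# (only DCs legitimately replicate) and service names of remote-access tools
# nobody authorised. Atera is named in the report; the other two are assumed.
DC_ACCOUNTS = {"DC01$", "DC02$"}
UNAUTHORISED_RMM = {"ateraagent", "anydesk", "splashtop"}


@dataclass
class Event:
    """Minimal stand-in for a parsed Windows event (Security or System log)."""
    event_id: int
    host: str
    fields: Dict[str, str]


def detect_dcsync(ev: Event) -> Optional[str]:
    """Security 4662: an object operation that exercised replication rights
    from a principal that is not a domain controller."""
    if ev.event_id != 4662:
        return None
    requested = set(GUID_RE.findall(ev.fields.get("Properties", "").lower()))
    if not requested & REPLICATION_RIGHTS:
        return None
    subject = ev.fields.get("SubjectUserName", "")
    if subject in DC_ACCOUNTS:
        return None  # ordinary DC-to-DC replication
    return f"DCSync: {subject} requested directory replication on {ev.host}"


def detect_zerologon(ev: Event) -> Optional[str]:
    """Security 4742: a DC machine-account password reset that the DC did not
    perform itself. Zerologon (CVE-2020-1472) sets the password over Netlogon
    without credentials, so the subject is typically ANONYMOUS LOGON."""
    if ev.event_id != 4742 or "PasswordLastSet" not in ev.fields:
        return None
    target = ev.fields.get("TargetUserName", "")
    subject = ev.fields.get("SubjectUserName", "")
    if target not in DC_ACCOUNTS or subject == target:
        return None  # not a DC, or the DC rotating its own password
    return f"Zerologon indicator: {subject} reset password of {target} on {ev.host}"


def detect_rmm_install(ev: Event) -> Optional[str]:
    """System 7045: a service was installed. Conti dropped Atera as a fallback
    channel, so an unexpected remote-access agent service deserves an alert."""
    if ev.event_id != 7045:
        return None
    name = ev.fields.get("ServiceName", "").lower()
    path = ev.fields.get("ImagePath", "").lower()
    hit = next((r for r in UNAUTHORISED_RMM if r in name or r in path), None)
    if hit is None:
        return None
    return f"Unauthorised remote-access agent '{hit}' installed on {ev.host}"


DETECTORS = (detect_dcsync, detect_zerologon, detect_rmm_install)


def triage(events: List[Event]) -> List[str]:
    """Run every detector over every event and return the alerts in order."""
    alerts = []
    for ev in events:
        for detector in DETECTORS:
            msg = detector(ev)
            if msg:
                alerts.append(msg)
    return alerts


# Constructed sample events for illustration (not from the Costa Rica incident).
SAMPLE_EVENTS = [
    Event(4662, "DC01", {"SubjectUserName": "DC02$",
                         "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"}),
    Event(4662, "DC01", {"SubjectUserName": "svc_backup",
                         "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} "
                                       "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"}),
    Event(4742, "DC01", {"SubjectUserName": "ANONYMOUS LOGON",
                         "TargetUserName": "DC01$", "PasswordLastSet": "03:12:44"}),
    Event(4742, "DC02", {"SubjectUserName": "DC02$",
                         "TargetUserName": "DC02$", "PasswordLastSet": "03:40:10"}),
    Event(7045, "FS01", {"ServiceName": "AteraAgent",
                         "ImagePath": r"C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exe"}),
    Event(7045, "FS01", {"ServiceName": "Spooler",
                         "ImagePath": r"C:\Windows\System32\spoolsv.exe"}),
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
```

Run against the sample records it raises exactly three alerts, one per technique, and stays silent on the benign DC-to-DC replication, the DC rotating its own password, and the Print Spooler service install. In a real deployment the 4662 rule needs the "Directory Service Access" audit subcategory enabled on the DCs, and the DC account list should come from the directory rather than a hard-coded set.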

According to researchers, the ransom demand from the Conti group was far less than $1 million USD.

Conti's leadership shut down the operation in June and declared that the brand no longer existed.

The cybercriminal syndicate continues to exist, albeit under a different organisation, with its members dispersed across other ransomware operations.
