Ransomware Attacks on Costa Rican Government Institutions

Starting on the night of April 17, 2022, a series of ransomware attacks targeted nearly 30 government institutions in Costa Rica. The affected entities included the Ministry of Finance, the Ministry of Science, Innovation, Technology, and Telecommunications (MICITT), the National Meteorological Institute, RACSA (the state internet service provider), the Costa Rican Social Security Fund (CCSS), the Ministry of Labor and Social Security, the Fund for Social Development and Family Allowances, and the Administrative Board of the Municipal Electricity Service of Cartago.

The Conti Group, known for its ties to Russia, claimed responsibility for the initial wave of attacks. They demanded a ransom of $10 million to prevent the release of sensitive information stolen from the Ministry of Finance, which could include tax returns of citizens and data of companies operating in Costa Rica. As a result, the government had to shut down computer systems used for tax declarations, import-export control, and management. This led to substantial daily losses of around $30 million to the productive sector. Additionally, the web pages of the Ministry of Science, Innovation, Technology, and Telecommunications were taken offline.

Costa Rica sought technical assistance from various countries, including the United States, Israel, Spain, and Microsoft, to address the cyber attack. The attack involved infecting computer systems with ransomware, defacing web pages, stealing email files, and targeting the Social Security human resources portal, as well as the official Twitter account.

International Support and Rewards for Information

On May 6, 2022, the United States government, through the FBI, offered a reward of $10 million for information leading to the identification of individuals in leadership positions within the Conti Group. An additional $5 million reward was offered for information leading to the capture or conviction of individuals involved in aiding or conspiring to carry out Conti ransomware attacks.

Response from Costa Rica's Government

On May 8, 2022, Costa Rica's newly elected president, Rodrigo Chaves Robles, declared a state of national emergency in response to the cyber attacks, considering them acts of terrorism. He described the situation as a state of war and claimed evidence of internal assistance to the Conti Group, referring to those individuals as "traitors" and "filibusters."

Further Attacks by the Hive Ransomware Group

In the early hours of May 31, 2022, the Hive Ransomware Group launched an attack against the Costa Rican Social Security Fund, forcing the institution to shut down critical systems, including the Unique Digital Health File and the Centralized Collection System. The former contains sensitive medical information of patients utilizing Social Security services, while the latter is responsible for collecting insurance fees from the population.