Hive attacks La Caja Costarricence de Seguro Social (CCSS)

Incident Date:

May 31, 2022

World map



Hive attacks La Caja Costarricence de Seguro Social (CCSS)


La Caja Costarricence de Seguro Social (CCSS)




San Jose, Costa Rica

, Costa Rica

First Reported

May 31, 2022

The Hive Ransomware Gang Attacks Costa Rican Social Security Fund

The Hive ransomware gang has attacked La Caja Costarricence de Seguro Social (CCSS). CCSS has confirmed that on Tuesday, May 31, it fell victim to a cyberattack, which is currently under investigation. According to reports, the incident did not impact the databases of EDUS (Unique Digital Health File), SICERE (Centralized Collection System), payrolls, and pensions. As of now, the website is unavailable, and the CCSS (Costa Rican Social Security Fund) has taken down all systems as a preventive measure while conducting necessary analyses to restore critical services.

Authorities have stated that they are collaborating with the Ministry of Science and Technology and other entities to recover from the attack. In the meantime, 136 medical centers have established telephone lines to address inquiries and assist users while the systems remain disrupted. Additionally, the Pensions and Credit platform is temporarily out of service.

Although the CCSS has not officially confirmed whether the incident involved ransomware, the BleepingComputer website revealed that it obtained access to the ransom note left by the criminals. It has been confirmed that the attack was carried out by the Hive ransomware group, which operates under the ransomware-as-a-service (RaaS) model. The group has been active since mid-2021 and has targeted multiple victims in various Latin American countries, including Brazil and Colombia.

Immediate Response to the Attack

Apparently, during the CCSS attack, employees were instructed to shut down their computers and disconnect them from the network after printers started printing at the beginning of the attack. This cyber attack on the Costa Rican Social Security Fund follows the Conti ransomware attack on the Costa Rican Ministry of Finance in April. The Ministry of Finance incident subsequently affected at least seven other public entities, resulting in the disruption of critical services. The situation led the President to declare a state of national emergency due to the wave of attacks.

Extortion and Data Exfiltration

The attackers exfiltrated data before encrypting files on the compromised systems and demanded a $10 million ransom, which the ministry chose not to pay. As part of their extortion strategy, the attackers published a significant number of stolen files on their website.

Recent Ransomware Attacks

The Recent Ransomware Attacks (RRA) site acts as a watchtower, providing you with near real-time ransomware tracking of attacks, groups and their victims. Given threat actors’ overarching, lucrative success so far, ransomware attacks have become the most ubiquitous, and financially and informationally impactful cyber threat to businesses and organizations today.

The site’s data is generated based on hosting choices of real-world threat actors, and a handful of other trackers. While sanitization efforts have been taken, we cannot guarantee 100% accuracy of the data. Attack updates will be made as source data is reported by reputable sources. By viewing, accessing, or using RRA you acknowledge you are doing so at your own risk.