Costa Rica Government Ransomware Attack
April – May 2022
Executive Summary
The Conti ransomware group attacked multiple Costa Rican government ministries, encrypting systems at the Ministry of Finance, disabling tax and customs platforms, and demanding a $20M ransom (later reduced to $10M). Costa Rica declared a national emergency — the first country to do so in response to a ransomware attack. A follow-on attack attributed to HIVE targeted the social security healthcare system weeks later.
Why This Matters
Costa Rica showed that ransomware can effectively disable a nation's fiscal and health systems, forcing the first-ever national emergency declaration over a cyber attack and elevating ransomware to a sovereign-level threat.
Escalation Profile
7-Dimension Profile
Escalation Ladder
Phases
Initial government network compromise
Conti gained access to the Ministry of Finance network, exfiltrating data and pre-positioning for encryption.
Multi-ministry encryption
Tax collection, customs, and import/export systems taken offline; ~672 GB of government data exfiltrated and partially leaked.
National emergency declaration
President Chaves declared a national emergency; HIVE subsequently attacked the social security health system (CCSS), disrupting hospital operations.
Threshold Crossings
- First country to declare a national emergency over ransomware
- Demonstrated that ransomware can functionally incapacitate the fiscal apparatus of a nation-state
Restraint Factors
- Attackers offered decryption for ransom — coercive but not purely destructive
- No reported impact on life-safety systems
Attribution Assessment
Threat actor mapped to Russia (criminal, not directly state-sponsored per public assessments) based on infrastructure analysis, malware attribution, and operational patterns.
- US offered $10M reward for information on Conti leadership
- US and allied assistance to Costa Rica for incident response
- Counter Ransomware Initiative (CRI) coalition cited Costa Rica as motivating case
Sources: Costa Rica Presidential Decree of National Emergency; US State Department: Reward Offer for Conti Leadership; CISA: Conti Ransomware Advisory AA21-265A (updated)
No dedicated journalistic sources in dataset. See sources section for full references.
“High Confidence” reflects available public evidence. All assessments carry inherent uncertainty and should be read alongside source material.
Unpeace Position
Unpeace Score
Composite severity rating on the peace–conflict spectrum
Contributing Dimensions
Coercive Function
Ransomware
Denial of access through encryption — coercive value through economic extortion and operational disruption.
Observed coercive effects
- First country to declare a national emergency over ransomware
- Demonstrated that ransomware can functionally incapacitate the fiscal apparatus of a nation-state
Entanglement Risk
Sectors affected
Countries / regions
Impact summary
Tax and customs systems offline for weeks; national emergency declared; healthcare disrupted by follow-on attack.
Infrastructure Meaning
Malware / tooling
Capability profile
Tax and customs systems offline for weeks; national emergency declared; healthcare disrupted by follow-on attack.
3 ATT&CK techniques mapped — see ATT&CK mapping below.
Governance Analysis
Governance Flags
Norms invoked
- Protection of government services and public welfare infrastructure
- Responsible state behavior: preventing criminal groups from operating with impunity
Policy responses
- US offered $10M reward for information on Conti leadership
- US and allied assistance to Costa Rica for incident response
- Counter Ransomware Initiative (CRI) coalition cited Costa Rica as motivating case
Regulatory changes
- Costa Rica accelerated national cybersecurity strategy and institutional reforms
- Reinforced international momentum for the Counter Ransomware Initiative
Governance impact assessment
Made the strategic threat of ransomware to sovereign governance undeniable, strengthening the case for treating ransomware groups as national security threats rather than mere criminal nuisances.
Sources
Costa Rica Presidential Decree of National Emergency
US State Department: Reward Offer for Conti Leadership
CISA: Conti Ransomware Advisory AA21-265A (updated)
Sources listed reflect publicly available materials used to construct this case entry. Inclusion does not imply endorsement. Where no URL is provided, the source may be found via its title and date.
Related Cases
WannaCry
May 2017 · North Korea
WannaCry exposed how a leaked intelligence exploit can cascade into a global healthcare crisis, sharpening the policy debate on vulnerability disclosure and the duty to protect civilian systems.
Change Healthcare
February 2024 · Russia (criminal, possible state nexus)
Change Healthcare demonstrated that a single ransomware attack on a dominant healthcare intermediary can cascade into a national healthcare crisis, making the case for treating healthcare claims infrastructure as critical national infrastructure.
Colonial Pipeline
May 2021 · Russia (criminal, not directly state-sponsored per US assessment)
Colonial Pipeline proved that criminal ransomware can trigger national-level infrastructure disruptions, collapsing the boundary between cybercrime and national security and forcing mandatory regulation of pipeline cyber defenses.
Exchange/Hafnium
January – March 2021 · China
Hafnium demonstrated how a targeted espionage operation can metastasize into a mass-compromise event affecting tens of thousands, and prompted the widest coalition cyber attribution ever directed at China.