Cybersecurity

What the 2022 Conti Attack Taught Costa Rica — And What Most Businesses Still Haven't Learned

Published by The Digital Bite ~12 min read

The Human Cost

On the morning of May 31, 2022, printers in hospitals across Costa Rica started printing ransom notes.

At San Vicente de Paul Hospital in Heredia and the Hospital of Liberia in Guanacaste, the first signs appeared just after 2:00 AM. Within hours, the CCSS — the Caja Costarricense de Seguro Social, which runs every public hospital and clinic in the country — confirmed that 759 of its 1,500 servers had been compromised. More than 10,400 computers were affected. The country's entire electronic medical records system, EDUS, went dark.

Over the following days, 30,000 medical appointments were rescheduled. Only 45% of laboratory services operated normally. Rural health centers closed. COVID-19 tracking became impossible. The prescription system went offline. Pension payments for approximately 50,000 employees were at risk.

And this wasn't even the first attack. It was the second — in less than two months.

The Timeline — What Actually Happened

The story most people know is incomplete. Here's the full sequence.

April 11, 2022

A Conti ransomware operator — identified in leaked internal communications by the codename "MemberX" — connected to the Costa Rican Ministry of Finance (Hacienda) using stolen VPN credentials. There was no multi-factor authentication on the VPN. None.

Within the first day, the attacker established more than ten Cobalt Strike beacon sessions inside the ministry's network. Over the following four days, they mapped the entire domain trust structure, extracted credentials using Mimikatz, and exploited CVE-2020-1472 — better known as Zerologon — a critical vulnerability that Microsoft had patched in August 2020. Costa Rica's systems were eighteen months behind on that single patch.

The Zerologon exploit gave the attacker access to effectively every host on the government's interconnected network. The architecture was flat — no meaningful segmentation between ministries, so one set of compromised credentials cascaded into total access.

April 12-15

The attacker exfiltrated 672 GB of data — including approximately 900 GB of tax databases and 100 GB of internal documents — uploading everything to MEGA cloud storage using Rclone. Then the ransomware detonated, encrypting systems across Hacienda.

Three critical systems went down: ATV (the online tax filing platform that every business in Costa Rica uses), TICA (the customs system that processes every import and export), and Exonet (the tax exemption platform). Customs reverted to paper. Containers sat at port for three to four extra days. The Chamber of Foreign Commerce estimated losses of $125 million in the first 48 hours alone.

April 18-21

The attack spread. MICITT's microsite was defaced. The National Meteorological Institute's email was compromised. RACSA — the state internet provider — had its internal email breached. The Ministry of Labor and FODESAF were hit. By April 22, the government's own monitoring had detected 35,000 malware communication requests, 9,900 phishing incidents, and 60,000 remote control attempts since defensive measures began.

Conti demanded $10 million. President Carlos Alvarado publicly refused to pay.

May 3-8

Seven major trade chambers jointly demanded a state of emergency, warning of potential paralysis of international trade. On May 6, the US State Department posted a $15 million bounty — $10 million for information identifying Conti's leadership and $5 million for information leading to arrests.

On May 8, Rodrigo Chaves took office as president. His first official act was signing Executive Decree No. 43542-MP-MICITT — declaring a national state of emergency due to cyberattack. Costa Rica became the first country in history to do so. The decree, normally reserved for earthquakes and hurricanes, enabled emergency procurement of cybersecurity tools without standard bidding processes.

By this point, 27 government institutions had been affected. Nine were described as severely compromised.

May 31: Then Came Hive

A separate ransomware group — Hive — struck the CCSS. The attack compromised 759 servers and 10,400 computers across approximately 1,200 hospitals and clinics. EDUS — the unified digital health record system serving the entire country — was paralyzed for roughly two months. Hive demanded $5 million in Bitcoin. Costa Rica refused.

Here's a detail that captures the state of readiness at the time: after the Conti attacks on Hacienda in April, Spain donated a security tool called microCLAUDIA to the Costa Rican government. By the time Hive hit the CCSS on May 31, fewer than 15 computers in the entire institution had it installed.

What the Technical Analysis Revealed

Advanced Intelligence (AdvIntel), the cybersecurity firm that published the definitive technical analysis of the attack, described it as "relatively unsophisticated."

That's the part most people miss. Conti didn't use zero-day exploits or nation-state tools. They used Cobalt Strike (commercially available), Mimikatz (open source), and a vulnerability that had been publicly patched for a year and a half. The attack succeeded because of basic hygiene failures that exist in the majority of organizations — in Costa Rica and globally:

  • No multi-factor authentication on remote access
  • A flat network with no segmentation between institutions
  • Critical vulnerabilities left unpatched for over eighteen months
  • No endpoint detection and response deployed across government systems
  • No centralized Security Operations Center
  • No dedicated cybersecurity budget
  • A 2019 Contraloría General audit had already flagged critical IT vulnerabilities at Hacienda — nothing was done

AdvIntel also revealed something that changes how you think about the attack: Conti's operators expected to collect far below $1 million. The $10-$20 million demand was theater. The real purpose was likely a publicity stunt to cover Conti's planned dissolution and rebranding into smaller operations — which is exactly what happened in the weeks that followed. Costa Rica wasn't targeted because it was valuable. It was targeted because it was vulnerable.

The US Response

The FBI deployed a team on the ground within 24 hours of the initial Conti attack. In March 2023, the US announced a $25 million cybersecurity package to establish a centralized SOC at MICITT and provide training, hardware, and long-term capacity building. An additional $10 million came from the Department of Defense.

The FBI later infiltrated Hive itself in July 2022 — agents operated undercover for seven months inside the group's infrastructure, leading to Hive's dismantlement in January 2023.

What Changed — And What Didn't

The National Cybersecurity Strategy 2023-2027 was published on November 13, 2023. It has five pillars: infrastructure protection and cyber resilience, governance and coordination, legal frameworks, education and training, and international cooperation.

Some of it has been implemented. The national SOC is under construction. Over 35,000 users and 250 IT professionals have received cybersecurity training. Costa Rica's ITU Global Cybersecurity Index score improved to 15.01 out of 20 — seventh in Latin America.

But the technical measures score — the actual defensive capabilities — barely moved. From 2020 to 2024, it increased by 0.17 points. The legal frameworks are strong on paper. The training programs exist. The technical readiness of the country's infrastructure has barely improved.

A Microsoft survey of 100 Costa Rican organizations in late 2025 found that 78% plan to prioritize cybersecurity. That sounds encouraging until you read that only 55% report high board-level participation in cybersecurity decisions — meaning in nearly half of organizations, cybersecurity still isn't a leadership priority. Academic research from ULACIT found that many SMBs in the Greater Metropolitan Area had not invested in security tools at all, relying solely on pre-installed Windows Defender.

The Proof That the Lesson Wasn't Learned: RECOPE, November 2024

On November 27, 2024 — two and a half years after the Conti attacks — RECOPE (the state oil refinery) detected ransomware on its systems. The attack was attributed to RansomHub. The entry point was a phishing email. The attackers had been inside RECOPE's network for several months before activating the ransomware.

RansomHub demanded $5 million. MICITT Minister Paula Bogantes stated Costa Rica would not pay. The ransom was not paid.

Fuel distribution continued manually. The same week, the immigration authority's website went down, and Grupo Repretel (a major media company) was also hit by ransomware. MICITT confirmed at least 10 Costa Rican companies and 200 in Mexico were targeted in a coordinated 48-hour campaign.

The RECOPE attack had one positive element: it was the first real-world deployment of the US FALCON program (Foreign Assistance Leveraged for Cybersecurity Operational Needs). The US Ambassador was on the phone with Costa Rica's president within hours. A response team arrived within 36 hours and spent roughly ten days on the ground. Total cost: approximately $500,000.

The pattern repeated — phishing, dwell time, encryption. The playbook hasn't changed because the defenses haven't changed enough.

The Current Threat Landscape

Costa Rica experienced 29.1 million cyberattack attempts in the first half of 2025 alone. Check Point data from 2022 showed 1,468 attacks per organization per week — 55% above the Americas average. MICITT estimates more than 100 million attacks annually.

Costa Rica was ranked the fourth least cybersecure country globally in ProxyRack's 2025 rankings. That's a reflection not of the government's efforts — which have been substantial since 2022 — but of the gap between policy and implementation, between strategy documents and actual deployed defenses.

What This Means for Your Business

The failures that enabled the Conti attack were not exotic. No MFA. A flat network. Unpatched systems. No monitoring. No incident response plan. These are the same gaps that exist in the majority of Costa Rican businesses today.

If you run a business in Costa Rica, the question isn't whether your industry will be targeted. Tourism, financial services, healthcare, retail, professional services, real estate — every sector faces specific threats. The question is whether your defenses are materially different from the Costa Rican government's defenses in April 2022.

Here's what actually matters — not aspirational security goals, but the specific measures that would have stopped the Conti attack:

Multi-factor authentication on every remote access point

This single control would have prevented the initial breach. No MFA on the VPN was the first and most consequential failure.

Network segmentation

If Hacienda's network had been segmented, the attacker couldn't have pivoted from the Finance Ministry to customs to tax exemptions to other ministries. Contain the blast radius.

Patch critical vulnerabilities within 48 hours

Zerologon was patched in August 2020. The attack happened in April 2022. Eighteen months is not a patching cycle — it's negligence.

Endpoint detection and response on every device

Not antivirus. EDR. The difference is the ability to detect lateral movement, credential theft, and data exfiltration — everything Conti did inside the network for five days before anyone noticed.
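The exfiltration half of that sentence is the easiest to turn into a concrete detection: Conti moved the stolen data to MEGA with Rclone, and both the destination and the tool leave a signature in outbound web-proxy logs. The script below is an added example, not code from the article or from any product; the log format, the domain watch-list, the 500 MB threshold and the sample lines are all constructed for illustration, and the only external fact it relies on is that Rclone sends a `rclone/<version>` User-Agent by default.

```python
"""Flag bulk uploads to personal cloud-storage services in outbound proxy logs.

Added example for the article's point that EDR/network telemetry should catch
data exfiltration (Conti pushed its haul to MEGA with Rclone). The log format,
domain watch-list, thresholds and sample lines are constructed for illustration.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed log format: timestamp src_ip METHOD host bytes_out "user-agent"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<host>\S+) '
    r'(?P<bytes_out>\d+) "(?P<ua>[^"]*)"$'
)

# Assumed watch-list of consumer file-sharing domains; extend for your environment.
CLOUD_STORAGE_DOMAINS = {"mega.nz", "mega.co.nz", "mega.io"}
# Assumed threshold: 500 MB uploaded per source host within the analysed window.
BYTES_THRESHOLD = 500 * 1024 * 1024
# Rclone identifies itself as "rclone/<version>" by default; a sync tool talking
# to personal cloud storage from a server is worth an alert on its own.
TOOL_UA_PREFIXES = ("rclone/",)


@dataclass
class Alert:
    src: str
    reason: str
    bytes_out: int


def _watched(host: str) -> bool:
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in CLOUD_STORAGE_DOMAINS)


def analyze(lines):
    """Return one Alert per (source, rule) that fires over the given log lines."""
    totals = defaultdict(int)
    alerts = []
    tool_seen = set()
    for line in lines:
        m = LOG_RE.match(line.strip())
        # Only outbound uploads to watched hosts count toward the volume rule.
        if not m or m["method"] not in ("PUT", "POST") or not _watched(m["host"]):
            continue
        src, n = m["src"], int(m["bytes_out"])
        totals[src] += n
        if m["ua"].startswith(TOOL_UA_PREFIXES) and src not in tool_seen:
            tool_seen.add(src)
            alerts.append(Alert(src, f"sync-tool user-agent {m['ua']!r} to {m['host']}", n))
    for src, n in totals.items():
        if n >= BYTES_THRESHOLD:
            alerts.append(Alert(src, "upload volume to cloud storage over threshold", n))
    return alerts


# Constructed sample: one server pushing ~900 MB with rclone, one user uploading 1 MB.
SAMPLE_LOG = [
    '2022-04-13T02:14:07Z 10.20.5.17 POST g.api.mega.co.nz 734003200 "rclone/v1.58.0"',
    '2022-04-13T02:15:30Z 10.20.5.17 POST g.api.mega.co.nz 209715200 "rclone/v1.58.0"',
    '2022-04-13T09:01:11Z 10.20.5.40 GET intranet.example.org 512 "Mozilla/5.0"',
    '2022-04-13T10:33:02Z 10.20.5.22 POST mega.nz 1048576 "Mozilla/5.0"',
]

if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG):
        print(f"{a.src}: {a.reason} ({a.bytes_out} bytes)")
```

Two rules fire on the sample: the rclone User-Agent on the first request, and the aggregate volume from 10.20.5.17 once the second upload pushes it past the threshold. The ordinary user sending 1 MB to the same service produces nothing, which is the point: volume and tooling, not the destination alone, separate an employee sharing a file from a server being drained.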

Tested offline backups

Costa Rica's recovery took months because backup strategies were inadequate. Test your backups. Test them again. Test restoring from them. If you've never tested a restore, you don't have backups — you have hope.
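"Test restoring from them" is a procedure, so here it is as code: back up a tree, restore it to a clean location, and compare a hash manifest taken at backup time against what actually came back. This is an added example, not the article's or any vendor's tooling; the sample files are constructed in a temporary directory, and the directory names, archive name and manifest format are assumptions.

```python
"""Back up a directory, restore it somewhere clean, and prove the restore matches
the original file for file.

Added example for the article's point that a backup nobody has restored from is
not a backup. The sample files live in a temporary directory and are constructed;
directory names, the archive name and the manifest format are assumptions.
"""
import hashlib
import os
import tarfile
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest(root: Path) -> dict:
    """Relative path -> SHA-256 for every regular file under root."""
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def make_backup(src: Path, archive: Path) -> dict:
    """Write a gzip tarball of src and return the manifest taken at backup time."""
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(src, arcname=src.name)
    return manifest(src)


def restore_backup(archive: Path, dest: Path) -> Path:
    """Extract the archive into dest and return the restored tree's root."""
    dest.mkdir(parents=True, exist_ok=True)
    with tarfile.open(archive, "r:gz") as tar:
        try:
            # The "data" filter (Python 3.12+, also in patched 3.8-3.11 releases)
            # rejects archive members that would write outside dest.
            tar.extractall(dest, filter="data")
        except TypeError:
            tar.extractall(dest)
    return [p for p in dest.iterdir() if p.is_dir()][0]


def verify_restore(expected: dict, restored_root: Path) -> dict:
    """Compare the restored tree against the backup-time manifest."""
    actual = manifest(restored_root)
    missing = sorted(set(expected) - set(actual))
    extra = sorted(set(actual) - set(expected))
    corrupt = sorted(p for p in expected if p in actual and actual[p] != expected[p])
    return {"ok": not (missing or extra or corrupt),
            "missing": missing, "extra": extra, "corrupt": corrupt}


def restore_test(simulate_damage: bool = False) -> dict:
    """End-to-end drill: back up, restore to a clean location, verify.

    simulate_damage=True overwrites one restored file so the failing report
    is visible too.
    """
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        src = tmp / "app-data"                     # constructed sample tree
        (src / "records").mkdir(parents=True)
        (src / "records" / "appointments.csv").write_text("id,date\n1,2022-05-31\n")
        (src / "config.ini").write_bytes(os.urandom(4096))
        archive = tmp / "backup.tar.gz"
        expected = make_backup(src, archive)
        restored = restore_backup(archive, tmp / "restore-target")
        if simulate_damage:
            (restored / "config.ini").write_bytes(b"")
        return verify_restore(expected, restored)


if __name__ == "__main__":
    print("clean drill  :", restore_test())
    print("damaged drill:", restore_test(simulate_damage=True))
```

The manifest is what makes this a test rather than a ritual: "the restore finished without errors" says nothing about whether the bytes are right, whereas a per-file hash comparison reports exactly which files are missing, unexpected or altered. In a real drill the restore target is an isolated host, never the production system, and the manifest is stored with the backup so it is available when the primary systems are the ones that have been encrypted.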

An incident response plan that someone has actually rehearsed

The 2019 Contraloría General audit flagged the problems. The government had warnings. What it didn't have was a tested plan for what to do when warnings became reality.

Costa Rica's 2022 experience proved that cyberattacks don't just damage systems. They delay surgeries. They strand containers at port. They freeze government payrolls. They paralyze a country's tax collection for months.

The Conti group is gone — dissolved, rebranded, scattered into successor operations. But RansomHub, the group that hit RECOPE in 2024, uses the same playbook. So does every ransomware operator in the world. They're scanning for the same vulnerabilities. They're sending the same phishing emails. They're looking for the same flat, unpatched, unmonitored networks.

The question for every Costa Rican business in 2026: are your defenses any different from Hacienda's in April 2022?

Not sure where your vulnerabilities are?

A security assessment identifies gaps before attackers do. We evaluate your environment against the same failures that enabled Costa Rica's most damaging cyberattacks — and provide a concrete remediation roadmap.


Protect your business from the next attack

Our cybersecurity team helps Costa Rican businesses implement the defenses that would have stopped Conti — MFA, network segmentation, EDR, and tested incident response plans.