Costa Rica Conti Ransomware: The First Ransomware Attack to Trigger a National Emergency

The Conti ransomware group attacked Costa Rica's government systems so severely that the president declared a national emergency — the first time a country took such action in response to a cyberattack.

James
Security Consultant

On April 17, 2022, the Conti ransomware group began attacking Costa Rica's government institutions. Over the following weeks, the attack would cripple the country's Ministry of Finance, disrupt tax collection and customs operations, knock out multiple government agencies, and ultimately lead newly inaugurated President Rodrigo Chaves to declare a national state of emergency on May 8, 2022.

It was the first time in history that a country declared a national emergency in response to a cyberattack.

The Attack

Conti's assault on Costa Rica was not a single incident but a sustained campaign targeting multiple government entities:

Ministry of Finance — The most severely affected institution. Tax collection systems, customs processing, and government payment systems were knocked offline. Importers and exporters could not process goods through customs, causing backlogs at ports. Government employees faced payroll disruptions.

CCSS (Social Security Fund) — Attacked separately by the HIVE ransomware group (which had connections to Conti affiliates), disrupting healthcare systems. The CCSS attack forced hospitals to revert to paper records and manual processes.

Ministry of Science, Innovation, Technology, and Telecommunications (MICITT) — Systems compromised and data stolen.

National Meteorological Institute (IMN) — Systems taken offline.

Costa Rican Social Security Fund — Payroll and benefits systems disrupted.

Several other government agencies experienced varying degrees of disruption.

Conti claimed to have stolen 672 GB of data from Costa Rican government systems and published portions on their leak site. The group initially demanded $10 million in ransom, later increasing it to $20 million when Costa Rica refused to pay.

Costa Rica's Response

President Chaves, who took office on May 8, declared the national emergency on his first day. His government took a firm stance: they would not pay the ransom. Chaves stated publicly: "We are at war, and that is not an exaggeration."

The decision not to pay was principled but costly. The Ministry of Finance's systems remained degraded for weeks. Tax collection was disrupted, customs processing was manual, and government payroll required workarounds. The economic impact was estimated in the tens of millions of dollars.

The US government provided technical assistance, with the FBI, CISA, and the US Secret Service supporting Costa Rica's incident response. The State Department offered a $10 million reward for information leading to the identification of Conti leadership and a $5 million reward for information leading to the arrest of Conti affiliates.

Why Costa Rica?

Several factors made Costa Rica a target:

Timing. The attack coincided with a presidential transition, a period when institutional attention is divided and response capacity may be reduced.

Conti's impending dissolution. By April 2022, Conti was in the process of shutting down. The group had suffered massive internal leaks — a Ukrainian researcher had published Conti's internal chat logs in February 2022, exposing the group's operations, membership, and finances. The Costa Rica attack may have been a final, high-profile operation designed to generate publicity and one last potential payment.

Soft target. Costa Rica's government IT infrastructure, while more developed than that of many developing nations, lacked the cybersecurity investment and incident response capability of larger countries. The government had limited dedicated cybersecurity staff and relied heavily on legacy systems.

Maximum pressure. Attacking government tax and customs systems creates immediate, visible economic impact that affects the entire country. This creates political pressure to pay — or at least generates publicity that Conti could leverage.

Conti's End and Evolution

The Costa Rica attack occurred during Conti's final months. After the internal chat leaks in February 2022, the group began fracturing:

  • Conti officially shut down in May 2022, around the same time as the Costa Rica operation.
  • Members dispersed to other ransomware operations, including Royal, Black Basta, BlackByte, and others.
  • The Conti brand was abandoned, but the people, tools, and techniques continued under new names.

This is a recurring pattern in the ransomware ecosystem: groups dissolve and reconstitute under new brands. Sanctions, law enforcement pressure, and internal conflicts drive rebranding, but the underlying criminal infrastructure persists.

National Security Implications

The Costa Rica attack established that ransomware can constitute a national security threat:

Government functionality was degraded. A government that cannot collect taxes, process customs, or pay employees is a government with diminished sovereignty.

Economic impact was nationwide. The customs disruption affected every business that imported or exported goods. The tax system disruption affected government revenue. The healthcare system disruption affected patient care.

International assistance was required. Costa Rica needed external help from the US and other partners to respond, demonstrating that many countries lack the cyber defense capability to handle sophisticated attacks independently.

The response set a precedent. By declaring a national emergency, Costa Rica legitimized the classification of ransomware as a national-level threat, potentially enabling different legal authorities and resource allocation for cybersecurity.

Lessons for All Organizations

  1. Ransomware targeting is expanding. No entity — not governments, not hospitals, not schools — is too small, too public-interest, or too sympathetic to be targeted.
  2. The cost of not paying is real but manageable. Costa Rica's refusal to pay was costly in the short term but avoided funding criminal operations and avoided establishing the precedent that attacking a government produces payment.
  3. Incident response capability must be pre-positioned. You cannot build incident response capacity during an incident. Plans, teams, relationships, and backup procedures must exist before an attack.
  4. Legacy system modernization is a security investment. The systems that were hardest hit were often the oldest, with the least security monitoring and the fewest recovery options.

How Safeguard.sh Helps

Safeguard.sh provides the continuous security monitoring and vulnerability management that helps organizations — including government entities — maintain a defensible security posture against ransomware attacks. Our platform tracks software dependencies, flags unpatched vulnerabilities, and enforces security policies across your infrastructure. By providing real-time visibility into your security posture and automated enforcement of baseline controls, Safeguard.sh helps ensure that ransomware groups like Conti find hardened targets rather than easy ones.
