Anatomy of a Breach: Costa Rica — Conti Ransomware Forces a National Emergency Declaration

> series: anatomy_of_a_breach —— part: 161 —— target: costa_rica_government —— institutions: 27 —— demand: $20,000,000 —— response: national_emergency

Hedgehog Security 31 May 2022 13 min read

27 government institutions. A national emergency declared. Ransomware brought a country to its knees.

In April 2022, Conti ransomware operators attacked Costa Rica's government, initially compromising the Finance Ministry's systems and disrupting the country's tax collection and customs processing — crippling international trade. The attack spread to 27 government institutions including the Ministry of Labour, the Ministry of Science, the Social Development Fund, and the national meteorological institute. Conti demanded $10 million in ransom, later doubled to $20 million.

On 8 May 2022, newly inaugurated President Rodrigo Chaves declared a national emergency — the first time any country had declared a state of emergency in response to a cyber attack. Chaves stated that Costa Rica was 'at war' with the Conti group. The government refused to pay. In a separate but concurrent attack, the HIVE ransomware group targeted the Costa Rican Social Security system (CCSS), forcing hospitals to revert to paper records. The dual ransomware assault — from two separate groups — demonstrated that ransomware can overwhelm an entire nation's governmental capacity simultaneously.


Recommended

Not sure where to start?

We'll scope your test for free and tell you exactly what you need. No obligation, no hard sell.

Free Scoping Call

From business disruption to national emergency.

First National Emergency for Cyber Attack

Costa Rica's national emergency declaration established a precedent: ransomware can constitute a threat serious enough to warrant emergency powers. For UK government and <a href="/blog/sector-under-the-microscope-local-government">local authorities</a>, the Costa Rica precedent means ransomware preparedness must be integrated into national resilience planning. <a href="/cyber-essentials">Cyber Essentials</a> provides the baseline. <a href="https://www.cyber-defence.io/services/incident-response">UK Cyber Defence</a> provides crisis management.

27 Institutions Simultaneously

The attack affected 27 government institutions — demonstrating that ransomware groups can systematically compromise multiple interconnected government systems. This is the same pattern seen at the <a href="/blog/anatomy-of-a-breach-hackney-council">Hackney Council</a> (2020) and <a href="/blog/anatomy-of-a-breach-hse-jbs-ransomware">Irish HSE</a> (2021) — but at national scale. <a href="https://www.socinabox.co.uk/sectors/local-councils">SOC in a Box for Government</a> provides monitoring across interconnected government systems.

Two Ransomware Groups Simultaneously

Conti and HIVE attacked Costa Rica's government concurrently — possibly coordinating, possibly independently. The prospect of multiple ransomware groups attacking a single target simultaneously compounds the challenge. <a href="https://www.socinabox.co.uk">SOC in a Box</a> monitors for multiple concurrent threat actor activities.

Trade and Economy Disrupted

The Finance Ministry attack disrupted tax collection and customs processing — affecting international trade and government revenue. Ransomware against financial systems has economic consequences beyond IT recovery. Our <a href="/penetration-testing/infrastructure">infrastructure testing</a> assesses the resilience of financial and operational systems.

Ransomware can overwhelm a nation. Is the UK prepared?

Costa Rica proved that ransomware has evolved from targeting individual organisations to threatening the functioning of entire governments. For UK local government, central government agencies, and critical infrastructure operators, the implication is clear: ransomware preparedness must be treated as a component of national resilience. Cyber Essentials establishes baseline controls. Penetration testing validates defences. SOC in a Box monitors 24/7. And UK Cyber Defence provides the crisis management capability for incidents that escalate beyond individual organisation response.


Costa Rica declared a national emergency over ransomware. Is your organisation — and your sector — prepared?

<a href="/cyber-essentials">Cyber Essentials</a> establishes the baseline. <a href="/penetration-testing">Penetration testing</a> validates defences. <a href="https://www.socinabox.co.uk">SOC in a Box</a> monitors 24/7. <a href="https://www.cyber-defence.io/services/incident-response">UK Cyber Defence</a> manages the crisis.
