Ransomware · Resolved

CCSS Hive ransomware attack

The Hive ransomware group crippled Costa Rica's national public-health insurer, the CCSS, encrypting more than 800 servers, forcing hospitals back to paper, and cancelling tens of thousands of medical appointments.

Victim
Caja Costarricense de Seguro Social (CCSS)

On 31 May 2022, the Caja Costarricense de Seguro Social (CCSS) — the institution that runs Costa Rica's entire public health system and social-security collection — was struck by the Hive ransomware group. Coming just weeks after the Conti attacks that had already pushed the country into a national state of emergency, the CCSS intrusion turned a financial and administrative crisis into a public-health emergency.

What happened

In the early hours of 31 May, CCSS technicians detected "anomalous information flows" on the network. As a precaution they shut down critical infrastructure, but it was already too late: networked printers across hospitals began spitting out Hive ransom notes and pages of garbled characters, the classic signature of an active encryption event.

Initial reports suggested around 30 servers were hit. Within a day, officials revised that dramatically upward — more than 800 servers and roughly 9,000 end-user computers had been compromised, making the institution's planned one-week recovery impossible.

Impact

The CCSS deliberately took its flagship systems offline to contain the spread, including the Expediente Digital Único en Salud (EDUS) — the unified national electronic health record — and its EDAC backup. With EDUS unavailable, clinicians across the country could not pull up patient histories, prescriptions, or lab results.

  • Hospitals and clinics reverted to pen-and-paper workflows, with the vast majority of facilities running contingency plans.
  • The first day alone saw roughly 4,871 missed appointments across some 80 health establishments; thousands more were cancelled over the following days.
  • Pharmacy dispensing, lab processing, and the SICERE social-security collection system were all disrupted.

On 2 June, Hive demanded approximately $5 million in bitcoin. Consistent with the government's stance during the Conti episode, the CCSS refused to pay and rebuilt from backups.

Attribution

Hive was a prolific ransomware-as-a-service operation with a documented preference for healthcare targets. The group leased its malware to affiliates who carried out intrusions and split the proceeds. Hive's infrastructure was later seized in a coordinated FBI-led international takedown in January 2023, after the Bureau had quietly infiltrated the gang and distributed decryption keys to victims.

Why it matters

The CCSS attack is a textbook example of how ransomware against a single national institution can endanger lives at scale. Unlike the Conti attack, which mainly paralysed tax and customs systems, Hive struck the backbone of a country's healthcare delivery. It hardened Costa Rica's resolve to never pay, accelerated investment in national cyber-defence, and became a reference case for the systemic risk that under-protected public-health IT poses across Latin America.

Timeline

  1. An earlier wave of Conti ransomware hits Costa Rica's Finance Ministry and other agencies, prompting a national state of emergency in May.

  2. At around 02:00, the CCSS detects anomalous traffic and shuts down critical systems; Hive ransom notes print from networked printers.

  3. The CCSS confirms more than 800 servers and around 9,000 workstations were affected, far beyond initial estimates of ~30 servers.

  4. The Hive group demands roughly $5 million in bitcoin to restore systems; the CCSS refuses to pay.

  5. Hospitals and clinics revert to paper records; tens of thousands of appointments are cancelled while EDUS and EDAC stay offline.

  6. The CCSS gradually restores the EDUS digital health record and other systems over the following weeks.
