Conti ransomware attack on the Government of Costa Rica
Conti encrypted 27 Costa Rican government institutions including the Ministry of Finance, paralyzing tax collection and customs for months. President Chaves declared a national emergency — the first cyber-incident state of emergency in history.
- Victim: Government of Costa Rica (27 institutions incl. Ministry of Finance, Customs, Social Security)
- Loss: $130.0M
On 17 April 2022, the Conti ransomware operation deployed its encryptor across the Costa Rican Ministry of Finance, paralysing tax collection and customs processing for the country. Over the following weeks, the attack spread to 27 government institutions in total. On 8 May 2022, newly inaugurated President Rodrigo Chaves declared a national emergency — the first such state of emergency in any country in response to a cyber incident.
The Costa Rica attack is widely interpreted as Conti's reputational closing play before its operational retirement. It is also the most-cited reference case for ransomware-as-state-coercion outside of explicitly nation-state operations.
What happened
The intrusion began with stolen VPN credentials for the Costa Rican Ministry of Finance. The credentials lacked multi-factor authentication. Conti operators:
- Entered via the VPN on or around 11 April 2022.
- Spent six days establishing persistence, harvesting credentials, and mapping the Ministry's environment.
- On 17 April, detonated ransomware across critical Ministry systems.
Tax collection, customs processing, and treasury operations halted simultaneously. Costa Rica's customs at the country's largest port — through which the bulk of its exports flow — could not process paperwork, halting export shipments.
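The two conditions the case turns on, a VPN login accepted without a second factor and a multi-day gap before encryption, are both checkable from authentication and host telemetry. The following is an added example, not code from the original case study: it parses a constructed log (field names `u=` and `mfa=` and the event names are assumptions), flags no-MFA VPN logins, and measures the dwell time between the first such login and the first ransomware indicator for the same account.

```python
"""Added example: spot VPN logins accepted without MFA and measure dwell time.
The log format, field names and event names below are constructed for this
example and are not taken from the Costa Rican Ministry of Finance incident."""
from datetime import datetime

# Constructed sample log: timestamp source event u=<account> mfa=<factor|none|->
SAMPLE_LOG = """\
2022-04-11T02:14:09 vpn login_ok u=finance-admin mfa=none
2022-04-11T02:15:30 vpn login_ok u=jperez mfa=totp
2022-04-12T23:41:02 vpn login_ok u=finance-admin mfa=none
2022-04-13T01:07:55 host credential_dump_alert u=finance-admin mfa=-
2022-04-17T03:02:11 host mass_rename u=finance-admin mfa=-
"""

# Host-side events a ransomware deployment typically produces (assumed names).
RANSOMWARE_INDICATORS = {"mass_rename", "shadow_copy_delete"}


def parse_line(line):
    """Split one log line into a dict; key=value pairs follow the event name."""
    ts, source, event, *kv = line.split()
    fields = dict(pair.split("=", 1) for pair in kv)
    return {"ts": datetime.fromisoformat(ts), "source": source, "event": event,
            "user": fields["u"], "mfa": fields.get("mfa", "-")}


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def no_mfa_logins(events):
    """Successful VPN logins where no second factor was presented at all."""
    return [e for e in events
            if e["source"] == "vpn" and e["event"] == "login_ok" and e["mfa"] == "none"]


def dwell_days(events, user):
    """Whole days from the user's first no-MFA VPN login to the first ransomware
    indicator on a host; None if either side is missing for that user."""
    first_login = min((e["ts"] for e in no_mfa_logins(events) if e["user"] == user),
                      default=None)
    first_ioc = min((e["ts"] for e in events
                     if e["user"] == user and e["event"] in RANSOMWARE_INDICATORS),
                    default=None)
    if first_login is None or first_ioc is None:
        return None
    return (first_ioc - first_login).days
```

On the sample log the account `finance-admin` logs in twice without MFA and the first encryption indicator lands six days after the first login, the same shape as the intrusion described above.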
Over the following month, Conti pivoted from the Ministry of Finance to 26 additional government institutions, including:
- CCSS (Caja Costarricense de Seguro Social) — the national social security and healthcare system
- Ministry of Science, Innovation, Technology and Telecommunications
- Costa Rican Institute of Meteorology (national weather service)
- Ministry of Labour and Social Security
- Multiple municipal governments
The national emergency
On 8 May 2022, President Chaves — just one day into his term — declared a national emergency citing the cyberattack. The declaration:
- Provided legal authority for emergency response procurement.
- Authorised the use of military-procurement contracts for technology and incident-response services.
- Was the first state of emergency in any country in response to a cyber incident.
The declaration was also a political message: Costa Rica positioned itself as a victim of state-aligned cybercrime requiring international solidarity.
The "overthrow" rhetoric
Conti's communications escalated unusually in the days after the emergency declaration. On 11 May, the operation publicly:
- Raised the ransom demand to $20 million.
- Threatened further attacks against Costa Rican infrastructure.
- Suggested in posts to its leak site that the operation could "overthrow" the Costa Rican government via continued attacks.
The rhetoric was unprecedented for a ransomware operation — overtly political rather than transactional. The Costa Rican government's response was to publicly refuse to pay and to engage international cyber-assistance from the U.S., Spain, and Israel.
Why Conti retired
On 19 May 2022, just over a month after the initial Ministry of Finance attack, Conti formally announced its shutdown. The operation's infrastructure went offline; the leak site stopped publishing new victims.
The closing-curtain interpretation is widely accepted in the threat-intel community:
- The Conti Leaks of February 2022 had exposed 170,000 internal Jabber messages, source code, and operational documents, with Vitaly Kovalev ("Stern") identified as the CEO-equivalent.
- The Conti brand was reputationally compromised to the point where most affiliates were already migrating to other operations.
- The Costa Rica attack functioned as a final, high-visibility operation — possibly to satisfy outstanding affiliate revenue commitments, possibly as a parting reputational statement, possibly to provide cover for the dispersion of Conti personnel into successor operations (Black Basta, BlackCat/ALPHV, Hive, Royal).
The successor operations — particularly Black Basta — are widely understood to be operationally continuous with Conti, sharing engineering and management lineage even as the brand changed.
Impact
- 27 Costa Rican government institutions affected.
- Tax collection and customs disrupted for weeks; full operational recovery took approximately six months.
- Estimated direct cost to Costa Rica: ~$130M including remediation, lost revenue, and emergency procurement.
- CCSS subsequently attacked again by Hive (a Conti spinoff) on 31 May 2022, demonstrating the operational continuity of personnel even after the Conti brand retirement.
Why it matters
Conti / Costa Rica is the canonical case for ransomware-as-state-coercion against a national government. It established:
- That smaller-state government infrastructure is operationally targetable by criminal ransomware operations, with the political consequences proportionally larger than for larger states.
- That a national state of emergency is a viable legal-political response to a major cyber incident — providing procurement authority and political messaging in a single instrument.
- That rhetorical escalation ("overthrow") from a ransomware operation crosses an implicit line that the broader criminal community considered problematic. The Conti retirement immediately following Costa Rica is widely understood as partly a reaction to the political heat the rhetoric attracted.
- That brand retirement does not mean operational retirement. The same personnel, tooling, and tactics reappeared under new brands within weeks. The framework of analyzing "ransomware operations" rather than "ransomware brands" became the threat-intel community's response to Conti / successor continuity.
Financial impact
Reported costs in USD
- Business loss: $100.0M
- Remediation: $30.0M
Timeline
- On or around 11 April 2022: Conti operators establish initial access in the Costa Rican Ministry of Finance network via stolen VPN credentials. The credentials had no MFA.
- 17 April 2022: Conti detonates ransomware across Ministry of Finance systems. Tax collection, customs processing, and treasury operations halt.
- Conti publishes the Ministry of Finance on its leak site. Initial ransom demand: $10M.
- Over the following month: the attack spreads to 26 additional Costa Rican government institutions, including Social Security (CCSS), the Ministry of Science, the Costa Rican Institute of Meteorology, and multiple ministries.
- 8 May 2022: Newly inaugurated President Rodrigo Chaves declares a national emergency in response to the cyberattack — the first cyber-incident state of emergency by any government in history.
- 11 May 2022: Conti raises the ransom demand to $20M and threatens to overthrow the government via further attacks.
- 19 May 2022: Conti formally announces its shutdown, with infrastructure going offline. The Costa Rica attack is widely understood as a final reputational play before brand retirement, possibly in response to the Conti Leaks (February 2022) that had identified personnel.
- 31 May 2022: A second wave of attacks against the Costa Rican Social Security Fund (CCSS) is carried out — this time by Hive ransomware (a Conti spinoff).
- Second half of 2022 into 2023: Costa Rica gradually restores most affected systems over several months. The tax collection backlog clears by Q4 2022; some lower-priority systems remain offline into 2023.
Sources
- presidencia.go.cr: https://www.presidencia.go.cr/comunicados/2022/05/declaratoria-de-emergencia-nacional-por-ataque-cibernetico/
- bleepingcomputer.com: https://www.bleepingcomputer.com/news/security/conti-ransomware-shuts-down-operation-rebrands-into-smaller-units/
- home.treasury.gov: https://home.treasury.gov/news/press-releases/jy0840