
RECOPE RansomHub ransomware attack

RansomHub ransomware forced Costa Rica's state oil refiner RECOPE to switch its entire fuel-distribution network to manual operations, triggering the first real-world deployment of the U.S. State Department's FALCON cyber-response program.

Victim
Refinadora Costarricense de Petróleo (RECOPE)

On 27 November 2024, the eve of U.S. Thanksgiving, Costa Rica's state-owned oil refiner and fuel distributor RECOPE (Refinadora Costarricense de Petróleo) was hit by RansomHub ransomware. The attack knocked out the digital systems that handle fuel sales and payments, forcing the company to run the nation's fuel supply by hand.

What happened

Investigators determined the intrusion began with a phishing email that gave attackers an initial foothold. They then dwelled on RECOPE's network for several months before detonating the ransomware, encrypting the systems that control payment processing and fuel-dispatch logistics.

With its digital backbone down, RECOPE shifted to entirely manual operations. Terminal staff extended working hours late into the night to keep tanker trucks moving — roughly 203 fuel trucks were filled during the initial response window — but the manual workflow slowed deliveries and caused fuel-supply delays at filling stations nationwide.

The U.S. FALCON response

The RECOPE incident became the first operational deployment of the U.S. State Department's new FALCON program — Foreign Assistance Leveraged for Cybersecurity Operational Needs. Designed to surge expert responders to allied nations facing major cyberattacks, FALCON had personnel on the ground in San José within about 36 hours, arriving on Thanksgiving afternoon.

The team helped RECOPE investigate the breach, evict the ransomware actor, restore data from backups, bring systems back online, and harden them against future attacks. They worked on-site for roughly 10 days, followed by remote support through mid-December. The operation drew about $500,000 from FALCON's roughly $10 million budget.

Attribution and demand

RansomHub — at the time one of the most prolific ransomware-as-a-service brands — claimed responsibility, demanding around $5 million and threatening to auction the stolen data on the dark web. Consistent with Costa Rica's hard line since the 2022 Conti and Hive attacks, the government refused to pay.

Why it matters

RECOPE underscored that energy and fuel logistics are prime ransomware targets: even when refining itself continues, losing the payment and dispatch IT layer can choke a country's fuel distribution. It also marked a turning point in international cyber assistance — FALCON's debut showed how the U.S. could rapidly project incident-response capacity to a partner nation in crisis, a model shaped directly by Costa Rica's earlier ordeal as the repeated victim of state-tolerated ransomware crews.

Timeline

  1. Attackers gain initial access to RECOPE via a phishing email and dwell on the network for several months.

  2. On the eve of U.S. Thanksgiving, ransomware is deployed and RECOPE's digital systems for fuel sales and payments are taken down.

  3. RECOPE switches to fully manual fuel distribution; the U.S. FALCON response team arrives on-site within roughly 36 hours.

  4. RansomHub claims responsibility and demands about $5 million, threatening to sell the stolen data; Costa Rica refuses to pay.

  5. The FALCON team works on-site for around 10 days, restoring systems from backups and hardening them, then continues remote support through mid-December.

Sources

  1. https://therecord.media/costa-rica-state-energy-company-ransomware
  2. https://therecord.media/state-department-falcon-cyber-response-costa-rica-recope
  3. https://icsstrive.com/incident/costa-rica-recope-switches-to-manual-operations/
  4. https://ticotimes.net/2024/11/29/major-cyberattack-disrupts-costa-rica-recope-digital-systems
