Major Costa Rican Energy Provider Hit with Ransomware Attack

Costa Rica’s state-owned energy provider, RECOPE, suffered a ransomware attack last week, forcing the organization to switch to manual operations and extend working hours to ensure fuel distribution.  

RECOPE, responsible for importing, refining, and distributing fossil fuels nationwide, discovered the attack on Wednesday, which disrupted its digital payment systems. The company reassured citizens there was no fuel shortage, emphasizing sufficient inventories and maintaining regular fuel unloading at docks.

To address the crisis, RECOPE collaborated with the Ministry of Science, Innovation, Technology, and Telecommunications (MICITT) and sought assistance from U.S. cybersecurity experts, who arrived on Thanksgiving.  

While some systems were partially restored, RECOPE continues manual operations to ensure safety. Fuel sales spiked amid public concerns, prompting extended hours throughout the weekend, The Record reports.

The attack follows Costa Rica’s prior experiences with ransomware, notably the 2022 Conti gang attack that paralyzed critical government services. That incident led President Rodrigo Chaves to declare a state of emergency and prompted U.S. support, including $25 million to strengthen Costa Rica’s cyber defenses.  

This latest breach underscores the nation’s ongoing vulnerability to cyberattacks despite recent efforts to enhance its cybersecurity framework. MICITT continues to refute rumors of additional attacks, focusing on recovery and maintaining public confidence.

Takeaway: The ransomware attack on Costa Rica in 2022 marked a significant shift in the threat landscape, as attackers targeted an entire nation’s critical systems, prompting a state of emergency.

Ransomware operators are known to refine their techniques on smaller targets before escalating to higher-value systems. The attacks on Costa Rica, including these most recent attacks against RECOPE, may serve as practice runs for more significant disruptions to critical infrastructure in countries like the United States.  

The United States government has intensified its focus on combating ransomware by establishing an international counter-ransomware task force, and there is a significant push to classify some ransomware attacks as a national security threat on the level of terrorism.  

The vulnerabilities exposed in Costa Rica, particularly in its rapidly digitized but under-secured infrastructure, provide valuable lessons for attackers. These trial runs could help cybercriminals fine-tune their tactics, techniques, and procedures (TTPs) for more devastating assaults on sectors such as energy, healthcare, and transportation in the U.S., where the stakes are even higher.

Ransomware, once a mere nuisance, has evolved into a multi-billion-dollar criminal enterprise. Operators now leverage advanced techniques, such as zero-day exploits, ransomware-as-a-service platforms, and Linux-based malware, to disrupt vital sectors.  

The RECOPE attack highlights the growing sophistication of these groups and their capacity to target essential systems. The U.S. must take these incidents as a warning and strengthen both defenses and resilience in its critical infrastructure.  

While robust prevention is necessary, organizations must also prioritize recovery capabilities to mitigate disruptions and maintain operational continuity. Resilience, combined with proactive defense, is key to undermining ransomware’s economic incentives and preventing large-scale crises.

‍

Halcyon.ai eliminates the business impact of ransomware. Modern enterprises rely on Halcyon to prevent ransomware attacks, eradicating cybercriminals’ ability to encrypt systems, steal data, and extort companies – talk to a Halcyon expert today to find out more and check out the Halcyon Attacks Lookout resource site. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.