Ransomware Attack on Costa Rica Refinery Tests New US Response Program
A ransomware attack on Costa Rica’s largest oil refinery, RECOPE, in November 2024 became the inaugural test of the U.S. State Department’s Foreign Assistance Leveraged for Cybersecurity Operational Needs (FALCON) program, The Record reports.
The initiative is designed to provide rapid cyber incident response to U.S. allies. Ambassador-at-Large for Cyberspace and Digital Policy, Nate Fick, highlighted FALCON’s swift deployment, stating, “Our goal was to provide swift and decisive support, and we delivered.”
The attack, attributed to the ransomware gang RansomHub, began with a phishing email that allowed access to RECOPE's systems months prior. The attackers demanded $5 million to unlock the systems, but Costa Rica’s government adhered to its strict policy against paying ransomware demands.
The breach significantly disrupted operations, causing delays in fuel distribution and public anxiety reminiscent of the 2021 Colonial Pipeline attack in the U.S. Officials assured citizens that reserves were sufficient, and systems were under remediation.
Costa Rica’s Ministry of Science, Innovation, Technology, and Telecommunications (MICITT) quickly requested assistance from the U.S., which responded within hours. A team, comprising State Department personnel and private contractors, arrived in San José on Thanksgiving.
The FALCON group spent ten days assisting with system restoration, data recovery, and bolstering defenses, with virtual support continuing into December. The operation cost approximately $500,000, a fraction of FALCON’s $10 million budget.
MICITT head Paula Bogantes Zamora praised the U.S. response, saying their forensic expertise “helped us tremendously in identifying what kind of attack” occurred. She confirmed the collaboration has made Costa Rica a model for regional cybersecurity partnerships. The attack also prompted interest from other Latin American nations in strengthening their cyber defenses.
Fick emphasized FALCON's unique value: “A number of U.S. government and military entities can send a team abroad to investigate a cyber incident, but they cannot fix what they find. This is what makes our program stand out.” Both countries view FALCON’s debut as a success story and a template for future digital foreign assistance.
Takeaway: The ransomware attack on Costa Rica in 2022, followed by the recent attack on the state-owned oil refinery RECOPE in 2024, underscores a troubling escalation in the cyber threat landscape, with attackers targeting critical national infrastructure.
These incidents highlight a shift from isolated targets to entire systems that underpin a nation’s economy and stability.
Ransomware operators often refine their tactics on smaller, less-secured systems before escalating to high-value targets. The repeated targeting of Costa Rica, including RECOPE, illustrates how such attacks can serve as testing grounds for malicious actors to develop strategies for more significant disruptions.
Given the strategic importance of energy, healthcare, and transportation sectors, these attacks offer a sobering preview of potential threats to critical infrastructure in countries like the United States.
The U.S. has recognized the evolving threat posed by ransomware, classifying some attacks as national security threats on par with terrorism. The establishment of programs like FALCON and an international counter-ransomware task force reflects an intensified effort to combat the growing menace.
Ambassador Fick, commenting on FALCON’s deployment in Costa Rica, emphasized the importance of rapid, decisive support during such crises: “This is digital solidarity in action.”
Costa Rica’s vulnerabilities, particularly in its digitized yet under-secured infrastructure, provide valuable lessons for both defenders and attackers. Cybercriminals, like the RansomHub gang responsible for the RECOPE breach, leverage such incidents to refine tactics, techniques, and procedures (TTPs).
These attacks highlight the need for robust prevention, resilience, and recovery strategies. Costa Rica’s response, aided by the U.S., demonstrated the importance of collaboration and preparation in mitigating disruptions.
However, as ransomware evolves into a multi-billion-dollar criminal enterprise, advanced defenses and international cooperation will be vital to protecting essential systems.
Ultimately, resilience—through proactive defense, rapid incident response, and robust recovery capabilities—remains the key to undermining ransomware’s economic incentives and preventing widespread crises.