{
	"id": "748db265-2cdc-49dc-9829-90d916acb474",
	"created_at": "2026-04-06T01:28:58.879694Z",
	"updated_at": "2026-04-10T03:20:41.877037Z",
	"deleted_at": null,
	"sha1_hash": "08f835dd4d4863545f4b4edfd1ceb35c0e1c2905",
	"title": "First Conti, then Hive: Costa Rica gets hit with ransomware again",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 41060,
	"plain_text": "First Conti, then Hive: Costa Rica gets hit with ransomware again\r\nBy Ofir Ashman\r\nPublished: 2022-06-15 · Archived: 2026-04-06 00:25:05 UTC\r\nIt must suck dealing with a huge ransomware attack during your first week in office... Sadly, that's exactly what\r\nhappened to new Costa Rica president Rodrigo Chaves, who declared last month that his country is \"at war\" with\r\nConti hackers. In mid-April, only a few days after Chaves was chosen to replace previous president Carlos\r\nAlvarado Quesada, 27 Costa Rican government systems and institutions were hit with Conti ransomware,\r\nincluding municipalities and state-run utilities. This disrupted various government systems, including those used\r\nto oversee exports, pay pensions, and collect taxes.\r\nThe blame came quickly, with Chaves claiming that his predecessor had not invested enough in cybersecurity,\r\nnor had he dealt more aggressively with the attacks during his last days in office. While the Costa Rican\r\ngovernment refused to pay the ransom, the impatient Conti gang started publishing the stolen government\r\ninformation on its website. Some believe that the publications serve not only as a way to entice a ransom payment,\r\nbut as a warning sign for other governments, displaying the heavy price of a Conti attack.\r\nBut just when news of the attack started to fade out, another Russian ransomware group dubbed Hive joined in,\r\nhitting Costa Rica's Social Security system and public health agency. 30 public health system servers were hit with\r\nransomware, Covid-19 test reporting was halted, and computers were shut down to prevent further spread of the\r\nransomware in the network. Some theorize that these two consecutive attacks on the Central American country are\r\nrelated, claiming that Conti group members are involved with Hive, and have separated into smaller groups to\r\nevade law enforcement. 
This makes sense considering the many sanctions imposed as a result of Russia's invasion of\r\nUkraine, alongside the Conti gang's public declaration of support towards the invading country.\r\nIn Cybersecurity: Effective \u003e Expensive\r\nIs investing more money really the key to better attack prevention? Is aggression in dealing with hackers the best\r\nresponse and remediation tactic? Perhaps not. Cyber security should be effective, not expensive. Unfortunately,\r\nmarketing in this sector drives security buyers to believe that only expensive solutions will deliver the efficacy\r\nthey need.\r\nMany security vendors offer feature-packed platforms with shiny interfaces and complex mechanisms that attempt\r\nto discover sophisticated threats once they are inside the network. These reactive \"enterprise\" solutions come with\r\na price tag no one is happy to pay, and are not necessarily the most effective at reducing cyber-risk. For example,\r\nif your security solution blocks threats proactively at the gateway, threats can't cause damage, don't lead to a\r\nbreach, and won't even get detected by the reactive, expensive security controls - because the threat never gets a\r\nchance to enter the network.\r\nOver the past decade of our own research, we've found that most attack methods, infection vectors and threat\r\ninfrastructure are recycled by cyber attackers. Gartner has predicted that over time, \"99% of vulnerabilities\r\nexploited will continue to be the ones known by security and IT professionals for at least one year\". We have seen\r\nthousands of IOCs blocked by ThreatSTOP's solutions being reused for various malicious activity over and over\r\nagain. ThreatSTOP protects from known threats and newly registered IOCs, providing our customers with an\r\ninstant 85% reduction in malware infections and help desk tickets. 
Regardless of the attack type, the vectors, or\r\nthe variant, the IP addresses and domains cyber criminals use to conduct an attack can only harm your network if\r\nyour network is allowed to talk to them. This is where proactive security controls like ThreatSTOP really deliver\r\non reducing risk - automating early mitigation tilts the advantage to network defenders by stopping the huge\r\nvolumes of garden-variety attacks from gaining a foothold in your network, and freeing your skilled people to\r\nfocus on the other 1% of truly challenging threats.\r\nNot a ThreatSTOP customer yet? Want to see ThreatSTOP instantly eliminate attacks on your network?\r\nSource: https://www.threatstop.com/blog/first-conti-then-hive-costa-rica-gets-hit-with-ransomware-again",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.threatstop.com/blog/first-conti-then-hive-costa-rica-gets-hit-with-ransomware-again"
	],
	"report_names": [
		"first-conti-then-hive-costa-rica-gets-hit-with-ransomware-again"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775438938,
	"ts_updated_at": 1775791241,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/08f835dd4d4863545f4b4edfd1ceb35c0e1c2905.pdf",
		"text": "https://archive.orkl.eu/08f835dd4d4863545f4b4edfd1ceb35c0e1c2905.txt",
		"img": "https://archive.orkl.eu/08f835dd4d4863545f4b4edfd1ceb35c0e1c2905.jpg"
	}
}