Full Report
A recent ransomware attack on RECOPE, Costa Rica's state-run energy company, was the first real-world test for FALCON, a new State Department program for foreign incident response, a top diplomat tells Recorded Future News.
Analysis Summary
# Incident Report: Ransomware Attack on Costa Rican Oil Refinery (RECOPE)
## Executive Summary
The state-run Costa Rican oil refinery (RECOPE) suffered a significant ransomware attack just before Thanksgiving, attributed to the RansomHub group. The incident triggered the inaugural use of the U.S. State Department's rapid response tool, FALCON, which provided swift on-the-ground and virtual support within 36 hours to contain the threat, remediate systems, and restore operations. While the refinery's operations were impacted for several days, the government's policy against paying ransoms was upheld, and the system was secured through international collaboration.
## Incident Details
- **Discovery Date:** The day before Thanksgiving (date not explicitly stated).
- **Incident Date:** Attack occurred prior to discovery; dwell time was "several months."
- **Affected Organization:** Refinadora Costarricense de Petróleo (RECOPE), Costa Rica’s state-run oil refinery.
- **Sector:** Energy (Oil Refining and Distribution).
- **Geography:** Costa Rica (San Jose).
## Timeline of Events
### Initial Access
- **Date/Time:** Attack began months prior to discovery.
- **Vector:** Phishing email.
- **Details:** Attackers (RansomHub) gained access via a phishing email and dwelled in the network for "several months."
### Lateral Movement
- **Details:** Attacker maintained access and moved within the network over several months prior to deployment of ransomware. (Specific techniques unknown/not detailed).
### Data Exfiltration/Impact
- **Details:** Ransomware was deployed, locking administrative systems. RansomHub demanded $5 million to release the data. The refinery's operations were impacted for "days": payment systems had to be processed manually, which caused backups in fuel distribution.
### Detection & Response
- **Date/Time:** Attack discovered the day before Thanksgiving. U.S. support team "hands-on keyboards" by Thanksgiving afternoon. Support lasted roughly 10 days on-site, followed by online support through mid-December.
- **Response actions taken:** Costa Rican Ministry of Science, Innovation, Technology and Telecommunications (MICITT) deployed internal experts and requested U.S. assistance via the FALCON mechanism. The U.S. provided immediate virtual support, emergency software, and deployed a physical team within 36 hours.
## Attack Methodology
- **Initial Access:** Phishing email.
- **Persistence:** Dwell time spanning "several months."
- **Privilege Escalation:** Not detailed, though necessary to deploy ransomware across administrative systems.
- **Defense Evasion:** Not detailed, but successful for several months.
- **Credential Access:** Not detailed.
- **Discovery:** Not detailed.
- **Lateral Movement:** Not detailed.
- **Collection:** Data theft occurred; RansomHub threatened to sell locked data.
- **Exfiltration:** Threatened sale of locked data on the dark web.
- **Impact:** Administrative system outage leading to operational disruption (manual payment processing, backups at gas stations).
## Impact Assessment
- **Financial:** The total cost of the FALCON response was around $500,000 (a fraction of the $10 million fund). The attackers demanded $5 million.
- **Data Breach:** Data was exfiltrated or locked; the government refused to pay the ransom.
- **Operational:** Operations impacted for "days," with manual processing of payment systems causing backups at gas stations.
- **Reputational:** Public sense of "emergency" due to the attack on a state-owned entity.
## Indicators of Compromise
- **Network indicators:** Not specified by the ambassador.
- **File indicators:** Ransomware deployed, believed to be RansomHub variant.
- **Behavioral indicators:** Long-term (months) dwelling activity preceding payload execution.
## Response Actions
- **Containment measures:** The FALCON team worked to "oust the ransomware actor from its systems."
- **Eradication steps:** Detailed remediation alongside Costa Rican counterparts over approximately 10 days.
- **Recovery actions:** Data restored from backups; systems hardened against future attacks.
## Lessons Learned
- The U.S. FALCON mechanism proved effective, delivering rapid, decisive support (boots on the ground within 36 hours).
- Costa Rica's strategy of maintaining crucial data backups allowed for quicker recovery despite operational disruption.
- Governments should maintain a firm policy against paying ransoms ($5 million demanded, not paid).
## Recommendations
- Continue investment in robust phishing training programs, given this was the initial access vector.
- Further strengthen data backup strategies, ensuring critical business functions can operate manually during system outages.
- Leverage international rapid response frameworks like FALCON for swift, expert assistance during major incidents.