Within just a few weeks, a group of cyber criminals managed to throw Costa Rica into disarray.
In April, hackers took over the computer system of the country's finance ministry, demanding millions in ransom to return access. But authorities refused to pay. In the weeks that followed, the criminals retaliated by crippling the systems of nearly 30 other government agencies.
People across the Central American country felt the consequences: Tax systems froze. Workers were paid late. Goods for export, including perishable items like fruit, were stuck in customs.
By early May, the situation had become so bad that Costa Rica's newly elected president declared a national emergency. It marked the first time a country had taken that step in response to a cyber incident.
Shortly after taking office, Costa Rica's President Rodrigo Chaves declared a national emergency on May 12, 2022. (Image: Deutsche Welle)
Since then, authorities have managed to restore many of their services. But four months after the first strike, not all the damage caused by the attack has been fixed.
"This is an eye-opening moment for how vulnerable we are to cyber attacks — not just our government or our companies, but our entire society," said Diego Gonzalez, head of the cybersecurity chapter at Costa Rica's Chamber of Information and Communication Technologies.
From Latin America to Africa and South Asia
The case is a stark illustration of what cybersecurity researchers and industry professionals describe as a worrying trend: Cyber criminals are increasingly targeting government agencies and public institutions in mid-income and developing countries in the Global South, they told DW in a series of seven interviews.
This month, hackers brought down the court system of the Argentinian city of Cordoba. Last month, attackers knocked out a flood monitoring system in the Indian state of Goa. Earlier this year, an attack caused outages at the central bank of Zambia.
In the summer of 2021, a cyber attack on rail and port company Transnet caused chaos at the port of Durban, South Africa's key entry point for goods. (Image: Deutsche Welle)
"There is no doubt that the number of ransomware victims in the Global South is on the rise," said Anna Chung, a threat intelligence researcher at cybersecurity company Palo Alto Networks, pointing to a recent spike in ransomware attacks in Latin America.
Other researchers echoed her warning for regions in Asia and Africa.
Allan Liska, a cyberintelligence analyst at cybersecurity firm Recorded Future, said his company was observing an uptick of attacks across southern Asia, adding that "targets tend to be government agencies and larger organizations."
The same is true for many countries in Africa, said Joey Jansen van Vuuren, head of computer science at Tshwane University of Technology in Johannesburg, South Africa.
"Across Africa, ransomware has become the cybercrime with the biggest impact on governments and businesses," she said.
The tip of the iceberg
Ransomware attacks often follow a similar playbook: First, intruders gain access to a computer network. Inside, they spend weeks or even months snooping around. Once they find data that seems valuable enough that people would pay money to get it back, they encrypt the files and send a ransom note with their demands.
Victims are left with two options: Refuse and try to restore their systems with backups — or pay and hope that the criminals will keep their word and return the data.
Cases in which victims publicly refuse to pay, like in Costa Rica, tend to make headlines.
But those are only the tip of the iceberg, experts caution. Most cases in which victims end up paying remain unreported, they say — and in some areas of the Global South, that has become common practice.
"Today, organizations often already accept this as a given — they are even making budgetary allocations because they expect that they will likely have to pay a ransom at some point," said Charlette Donalds, a lecturer at the University of the West Indies at Mona in Kingston, Jamaica, and the author of a book on cybercrime in the Global South.
Many ransomware attacks remain unreported. (Image: Deutsche Welle)
Across the Caribbean, ransomware attacks are on the rise, Donalds said. Several tax authorities in the region, for instance, have had their systems compromised by attackers, according to the trade organization Caribbean Council.
Her co-author Corlane Barclay added that attackers often find easy targets. "For a long time, governments here thought that because we are small and the threat actors are international, they will focus on more lucrative victims," she said.
That is why many governments and institutions, as they digitized their services, invested little in cybersecurity measures, she added.
Recorded Future's Allan Liska said that his company observed the same phenomenon across the Global South. He called it one of the reasons criminals zero in on these regions.
"The attackers know that they can find systems that are relatively easy to penetrate," he said.
The canary in the coal mine
So how can countries in the Global South better protect themselves against ransomware attacks?
Researchers agree that governments need to ramp up cybersecurity measures and invest in training a new generation of professionals. Countries with no existing cybersecurity legislation should pass laws to force companies and public institutions to protect their systems from cyberattacks.
Governments should also push for more international cooperation, they added, pointing to a new "counter ransomware initiative" launched by the US government last fall. Seven out of 30 countries included in the initiative are located in the Global South.
And they stressed that governments need to raise awareness of cybersecurity among their populations — because the threat of ransomware is here to stay.
Once again, that was illustrated by events in Costa Rica.
One month after the country declared a national emergency, another group of cybercriminals managed to take over the IT system of Costa Rica's main public health organization. It led to thousands of patients missing medical appointments.
A ransomware attack affected some 1,200 hospitals and clinics across Costa Rica. (Image: Deutsche Welle)
"That was when people realized that those attacks can affect our families, our children," cybersecurity entrepreneur Diego Gonzalez said. He hopes that this recent experience will prompt political decision-makers to boost long-term investment in cybersecurity.
But he is also convinced that what happened in his home country could soon happen again elsewhere.
"We live in the age of cyber attacks," Gonzalez said. "This is only the beginning."