[BreachExchange] Chilean bank shuts down all branches following ransomware attack
Destry Winant
destry at riskbasedsecurity.com
Wed Sep 9 10:13:58 EDT 2020
https://www.zdnet.com/article/chilean-bank-shuts-down-all-branches-following-ransomware-attack/
BancoEstado, one of Chile's three biggest banks, was forced to shut
down all branches on Monday following a ransomware attack that took
place over the weekend.
"Our branches will not be operational and will remain closed today,"
the bank said in a statement published on its Twitter account on
Monday.
Details about the attack have not been made public, but a source close
to the investigation told ZDNet that the bank's internal network was
infected with the REvil (Sodinokibi) ransomware.
The incident is currently being investigated as having originated from
a malicious Office document received and opened by an employee. The
malicious Office file is believed to have installed a backdoor on the
bank's network.
Investigators believe that on the night between Friday and Saturday,
hackers used this backdoor to access the bank's network and install
ransomware.
Bank employees working weekend shifts discovered the attack when they
couldn't access their work files on Saturday.
BancoEstado reported the incident to Chilean police, and on the same
day, the Chilean government sent out a nationwide cyber-security alert
warning about a ransomware campaign targeting the private sector.
While the bank initially hoped to recover from the attack quietly, the
damage was extensive, according to sources: the ransomware encrypted
the vast majority of internal servers and employee workstations.
The bank first disclosed the attack on Sunday, but as time went by,
officials realized employees would not be able to work on Monday and
decided to keep branches closed while recovery continued.
Luckily, it appears the bank had properly segmented its internal
network, which limited how far the ransomware could spread and what
the attackers could encrypt.
The bank's website, banking portal, mobile apps, and ATMs were
untouched, according to multiple statements the bank released to
reassure customers that their funds were safe.
The REvil ransomware gang is one of the groups that operate a leak
site, where it publishes files stolen from the networks it breaches
when the victim refuses to pay. At the time of writing, BancoEstado's
name was not on the leak site; this could mean the bank paid the
ransom or is still negotiating with the attackers, though it could
also simply mean the gang has not posted anything yet.
This is not the first time hackers have targeted Chile's banking
sector. In June 2018, North Korean hackers deployed disk-wiping
malware on the network of Banco de Chile as a diversion to cover up a
bank heist. A year later, they also breached Redbanc, the company that
interconnects the ATM infrastructure of all Chilean banks, during an
attempt to orchestrate an ATM cash-out scheme.