[BreachExchange] Ransomware gang hacks Ecuador's largest private bank, Ministry of Finance

Destry Winant destry at riskbasedsecurity.com
Tue Mar 2 10:53:26 EST 2021


https://www.bleepingcomputer.com/news/security/ransomware-gang-hacks-ecuadors-largest-private-bank-ministry-of-finance/

A hacking group called 'Hotarus Corp' has hacked Ecuador's Ministry of
Finance and the country's largest bank, Banco Pichincha, where they
claim to have stolen internal data.

The ransomware gang first targeted Ecuador's Ministry of Finance, the
Ministerio de Economía y Finanzas de Ecuador, where they deployed a
PHP-based ransomware strain to encrypt a site hosting an online
course.

[Image: Ministerio de Economía y Finanzas de Ecuador website]

Security researcher Germán Fernández told BleepingComputer that the
threat actors are using a commodity PHP ransomware called Ronggolawe
(or AwesomeWare) to encrypt the site's contents.

Soon after the attack, the threat actors released a text file
containing 6,632 login names and hashed password combinations on a
hacker forum.

[Image: Leaked login info for the Ministry of Finance]

The ransomware gang told BleepingComputer that they have stolen
"sensitive ministry information, emails, employee information,
contracts."

Targeted Banco Pichincha next

After the Ministry of Finance attack, Hotarus Corp hacked Ecuador's
largest private bank, Banco Pichincha.

The bank has confirmed the attack in an official statement but states
that it was a hacked marketing partner and not their internal systems.

Banco Pichincha goes on to say that the attackers used the compromised
platform to send phishing emails to customers to attempt to steal
sensitive information to carry out "illegitimate transactions."

The bank's full translated statement can be read below.

"We are committed to protecting the privacy of our customers' data. We
know that there was unauthorized access to the systems of a provider
that provides marketing services for the Pichincha Miles program. In
relation to this information leak, and based on an extensive
investigation, we have found no evidence of damage or access to the
Bank's systems and, therefore, the security of our clients' financial
resources is not compromised.

We know that, through a fraudulent email, the attacker sends
communications on behalf of Banco Pichincha to some clients of said
program in order to obtain information necessary to carry out
illegitimate transactions. We remind our clients that we never request
sensitive data such as: users, passwords, card or account data,
through the phone, email, social networks or text messages.

We are taking measures to prevent and mitigate these types of
situations related to the handling of data by our providers. We
understand and share the concerns of the people whose information has
been exposed, and we ratify our commitment to their security." - Banco
Pichincha

In an interview with BleepingComputer, the hacking group disputes the
bank's statement and says they used the marketing company's attack as
a launchpad into the bank's internal systems. They then stole data and
deployed ransomware to encrypt devices.

"Look at the attack on the bank, initially on a company that develops
web applications and marketing to the bank, after analyzing codes and
data it gave us the opportunity to access the bank's internal systems,
it was where we used a ransomware, extracting all the possible
information."

"Once inside we found vulnerabilities in their applications exploits
in ftp and rdp ports which helped us to escalate privileges," the
threat actors told BleepingComputer.

Through this attack, the hacking group claims to have stolen
"31,636,026 Million customer records & 58,456 Sensitive system
records," including credit card numbers.

As proof of their attack, the hacking group shared various images of
the allegedly stolen data, including the following folder of files.

[Image: Allegedly stolen data from Banco Pichincha]

BleepingComputer has not been able to verify the threat actors' claims
of stealing data from the Ministry of Finance or Banco Pichincha.

In it for the money

The threat actors have told BleepingComputer that they are performing
these attacks solely for the money.

They state that they are not currently selling the data stolen from
the Ministry of Finance but are in the process of selling credit cards
they claim to have stolen from Banco Pichincha.

"Currently only the bank information is for sale, we have already sold
about 37 thousand credit cards to a group dedicated to this, the
information will be auctioned or sold initially for 250,000," a
Hotarus Corp operator told BleepingComputer.

We have reached out to Ecuador's Ministry of Finance and Banco
Pichincha to learn more about the attacks but have not heard back at
this time.
