Hotarus Corp

A hacking group called 'Hotarus Corp' has hacked Ecuador's Ministry of Finance and the country's largest bank, Banco Pichincha, where they claim to have stolen internal data.

The ransomware gang first targeted Ecuador's Ministry of Finance, the Ministerio de Economía y Finanzas de Ecuador, where they deployed a PHP-based ransomware strain to encrypt a site hosting an online course.

Ministerio de Economía y Finanzas de Ecuador website

Security researcher Germán Fernández told BleepingComputer that the threat actors are using a commodity PHP ransomware called Ronggolawe (or AwesomeWare) to encrypt the site's contents.

Soon after the attack, the threat actors released a text file containing 6,632 login names and hashed password combinations on a hacker forum.

Leaked login info for the Ministry of Finance

The ransomware gang told BleepingComputer that they have stolen "sensitive ministry information, emails, employee information, contracts."

Targeted Banco Pichincha next

After the Ministry of Finance attack, Hotarus Corp hacked Ecuador's largest private bank, Banco Pichincha.

The bank has confirmed the attack in an official statement but states that a marketing partner was hacked, not the bank's internal systems.

Banco Pichincha goes on to say that the attackers used the compromised platform to send phishing emails to customers in an attempt to steal sensitive information for carrying out "illegitimate transactions."

The bank's full translated statement can be read below.

"We are committed to protecting the privacy of our customers' data. We know that there was unauthorized access to the systems of a provider that provides marketing services for the Pichincha Miles program. In relation to this information leak, and based on an extensive investigation, we have found no evidence of damage or access to the Bank's systems and, therefore, the security of our clients' financial resources is not compromised.

We know that, through a fraudulent email, the attacker sends communications on behalf of Banco Pichincha to some clients of said program in order to obtain information necessary to carry out illegitimate transactions. We remind our clients that we never request sensitive data such as: users, passwords, card or account data, through the phone, email, social networks or text messages.

We are taking measures to prevent and mitigate these types of situations related to the handling of data by our providers. We understand and share the concerns of the people whose information has been exposed, and we ratify our commitment to their security." - Banco Pichincha

In an interview with BleepingComputer, the hacking group disputes the bank's statement and says they used the attack on the marketing company as a launchpad into the bank's internal systems. They then stole data and deployed ransomware to encrypt devices.

"Look at the attack on the bank, initially on a company that develops web applications and marketing to the bank, after analyzing codes and data it gave us the opportunity to access the bank's internal systems, it was where we used a ransomware, extracting all the possible information."

"Once inside we found vulnerabilities in their applications exploits in ftp and rdp ports which helped us to escalate privileges," the threat actors told BleepingComputer.

Through this attack, the hacking group claims to have stolen "31,636,026 Million customer records & 58,456 Sensitive system records," including credit card numbers.

As proof of their attack, the hacking group shared various images of the allegedly stolen data, including the following folder of files.

Allegedly stolen data from Banco Pichincha

BleepingComputer has not been able to verify the threat actors' claims of stealing data from the Ministry of Finance or Banco Pichincha.

In it for the money

The threat actors have told BleepingComputer that they are performing these attacks solely for the money.

They state that they are not currently selling the data stolen from the Ministry of Finance but are in the process of selling credit cards they claim to have stolen from Banco Pichincha.

"Currently only the bank information is for sale, we have already sold about 37 thousand credit cards to a group dedicated to this, the information will be auctioned or sold initially for 250,000," a Hotarus Corp operator told BleepingComputer.

We have reached out to Ecuador's Ministry of Finance and Banco Pichincha to learn more about the attacks but have not heard back at this time.
