The Hotarus Corp hacking group has hacked Ecuador’s largest bank, Banco Pichincha, and the country’s Ministry of Finance, and claims to have stolen internal data.
The ransomware gang first targeted Ecuador’s Ministry of Finance, the Ministerio de Economía y Finanzas de Ecuador, by deploying a PHP-based ransomware strain to encrypt a site hosting an online course.
The hackers used a commodity PHP ransomware called Ronggolawe (or AwesomeWare) to encrypt the site’s contents. After the attack, they released a text file containing 6,632 login names and hashed password combinations on a hacker forum.
The ransomware gang said that they have stolen “sensitive ministry information, emails, employee information, contracts.”
After the Ministry of Finance attack, the same group hacked the country’s largest private bank, Banco Pichincha.
The bank has officially confirmed the attack but states that a marketing partner was hacked, not its internal systems. It says it has not found any evidence of access to its systems, and so the security of its clients’ financial resources is not compromised.
The bank claims that the threat actors used the compromised platform to send phishing emails to customers in order to steal sensitive information to conduct “illegitimate transactions.” The bank says it is taking measures to prevent and mitigate these types of situations.
However, the hacking group said that they used the attack on the marketing company as a launchpad into the bank’s internal systems. They then stole data and deployed ransomware to encrypt devices.
The hackers claimed to have stolen 31,636,026 Million customer records and 58,456 sensitive system records, including credit card numbers.
They also shared various images of the allegedly stolen data as proof of the attack.
The hackers are carrying out these attacks only for money. They are not planning to sell the data stolen from the Ministry of Finance but are in the process of selling credit cards that they claim to have stolen from Banco Pichincha.
Finance and Banco Pichincha to learn more about the attacks but have not heard back at this time.