
Hotarus Corp gang hacked Ecuador’s Ministry of Finance and Banco Pichincha

February 27, 2021 - SecurityAffairs

‘Hotarus Corp’ Ransomware operators hacked Ecuador’s largest private bank, Banco Pichincha, and the country’s Ministry of Finance.

A cybercrime group called ‘Hotarus Corp’ has breached Ecuador’s largest private bank, Banco Pichincha, and the local Ministry of Finance (the Ministerio de Economía y Finanzas de Ecuador).

The group claims to have also stolen data from Banco Pichincha and to have infected a system at the Ministry of Finance, one used for training purposes, with PHP-based ransomware.

An alleged member of @HotarusCorp leaked on a hacking forum a link to a file containing 6500 records (Email, Identity Card numbers, and passwords) that allegedly belong to the Ministry of Finance.

A member claiming to be @HotarusCorp on a #leak forum claims to have #data of Ministry of #Finance of #Ecuador

Member posted a #mega link which has txt file with 6500 records – Email, Identity Card numbers and passwords. #breach #infosec #deepwebnews @FinanzasEc @EcuCERT_EC pic.twitter.com/WTbXz8EYLx

— Security Chronicle (@SecurChronicle) February 23, 2021

The bank published an official statement to confirm the security intrusion.

“We know that there was unauthorized access to the systems of a provider that provides marketing services for the Pichincha Miles program. In relation to this information leak, and based on an extensive investigation, we have found no evidence of damage or access to the Bank’s systems and, therefore, the security of our clients’ financial resources is not compromised,” reads the statement. “We know that, through a fraudulent email, the attacker sends communications on behalf of Banco Pichincha to some clients of said program in order to obtain information necessary to carry out illegitimate transactions. We remind our clients that we never request sensitive data such as: users, passwords, card or account data, via telephone, email, social networks or text messages.”

Security researcher Germán Fernández confirmed the compromise of Ecuador’s Ministry of Finance via Twitter.

Leaked Hotarus Corp #Ransomware Tool 🤫🥷

Source: https://t.co/GTPJJRarIM
Rein Xceed (2020) [Modified]
extension .reinxceed
MCRYPT_RIJNDAEL_128
"Tienes que pagar 250 Dolares Americanos en BITCOINS"
bc1q5nm4u4wwc3gqdl73an6xhcjw4c4gud6m244zne

Added to the arsenal 👌 #DataLeak https://t.co/tBnW5QSgDX pic.twitter.com/56lLFTa6WB

— Germán Fernández 🇨🇱 (@1ZRR4H) February 26, 2021

Fernández revealed that the PHP ransomware employed in the attack is Ronggolawe/AwesomeWare.

Analysis of the PHP "Ransomware" -> https://t.co/kk98KJsm6o

Source code of Ronggolawe / AwesomeWare -> https://t.co/FaSaqLh4ru

Another site compromised by Hotarus Corp -> /offerschocados.com.ec/hc.php

Google Dork for more compromised sites ->
"This is a notice of ransomware."

— Germán Fernández 🇨🇱 (@1ZRR4H) February 24, 2021

The bank has confirmed the attack in an official statement but states that it was a hacked marketing partner and not their internal systems.


Pierluigi Paganini

(SecurityAffairs – hacking, Ecuador)

