BancoEstado, Chile's state bank and one of the three largest banks in the country, announced yesterday on Twitter that it was forced to close all its branches after a ransomware attack over the weekend. No details about the attack on the Chile-based bank have been released at this time, but according to an inside source the bank's network was infected with REvil (Sodinokibi) ransomware.
The infection appears to have come from a malicious Office document that a bank employee received and opened. The malicious Office file is believed to have installed a backdoor on the bank's network. Researchers reported that on the night between Friday and Saturday, the attackers used this backdoor to gain access to the bank's network and deploy the ransomware.
Bank employees working shifts over the weekend discovered the attack on Saturday, when they found that they could not access their work files.
BancoEstado reported the incident to the Chilean police, and the same day the country's government issued a public statement warning of a ransomware campaign targeting the private sector. While the bank initially hoped to recover from the attack, the damage was extensive: the ransomware had encrypted the majority of servers and employee workstations. The bank disclosed the attack on Sunday, but by then it had realized that employees would not be able to work on Monday, so it decided to keep the branches closed during the recovery process.
The good news is that the bank had properly segmented its internal network, which limited what the attackers could encrypt. According to updates issued by the bank to reassure customers that their money is safe, the bank's website, online banking portal, mobile applications and ATMs were not affected.
The REvil ransomware gang is one of the few groups that operates a leak site, where it publishes files stolen from the networks it breaches if the victim refuses to pay the ransom. So far, BancoEstado's name does not appear on the leak site, which suggests that the bank has either paid the ransom demanded or is still negotiating with the hackers.
This is the second time that hackers have targeted a bank in Chile. In June 2018, North Korean hackers deployed disk-wiping malware on the Banco de Chile network while trying to cover up a banking heist. A year later, they also breached Redbanc, the company that connects the ATM infrastructure of all banks in Chile, as part of an ATM cash-out operation.