Cyberattack shuts down Ecuador's largest bank, Banco Pichincha

Ecuador's largest private bank Banco Pichincha has suffered a cyberattack that disrupted operations and taken the ATM and online banking portal offline.

The cyberattack occurred over the weekend, causing the bank to shut down portions of their network to prevent the attack's spread to other systems.

The shut down of systems has led to widespread disruption for the bank, with ATMs no longer working and the online banking portals showing maintenance messages.

In an internal notification sent to the Bank's agencies and seen by BleepingComputer, employees are notified that bank applications, email, digital channels, and self-services will not be operational due to a technology issue.

The internal document further says that self-service customers should be directed to bank teller windows to be served during the outage.

After two days of silence regarding the bank's technical difficulties, Banco Pichincha issued a statement Tuesday afternoon admitting that they suffered a cyberattack that led to the disruption of their systems.

You can read the statement translated to English below:

"In the last few hours, we have identified a cybersecurity incident in our computer systems that have partially disabled our services. We have taken immediate actions such as isolating the systems potentially affected from the rest of our network and have cybersecurity experts to assist in the investigation.

At the moment, our network of agencies, ATMs for cash withdrawals and payments with debit and credit cards are operational.

This technological incident did not affect the financial performance of the bank. We reiterate our commitment to safeguard the interests of our clients and restore normal care through our digital channels in the shortest possible time.

We call for calm to avoid generating congestion and to stay informed through the official channels of Banco Pichincha to avoid the spread of false rumors." - Banco Pichincha.

Today, the online banking portal still shows a maintenance message but customers can now access their online accounts. Unfortunately, the mobile app is still shut down from the attack.

Likely a ransomware attack

At this time, Banco Pichincha has not publicly disclosed the nature of the attack. However, sources in the cybersecurity industry have told BleepingComputer that it is a ransomware attack with threat actors installing a Cobalt Strike beacon on the network.

Ransomware gangs and other threat actors commonly use Cobalt Strike to gain persistence and access to other systems on a network.

In February, Banco Pichincha suffered another cyberattack by cybercriminals known as 'Hotarus Corp' who claimed to have stolen files from the bank's network.

Pichincha disputed the hacker's claims and said that one of their providers was breached instead.

"We know that there was unauthorized access to the systems of a provider that provides marketing services for the Pichincha Miles program," Banco Pichincha said at the time.

"In relation to this information leak, and based on an extensive investigation, we have found no evidence of damage or access to the Bank's systems and, therefore, the security of our clients' financial resources is not compromised."

BleepingComputer has contacted Banco Pichincha with questions regarding the attack and will update the article if we receive a reply.

Update 10/12/21: Added correction that ATMs are now working again.