Chilean bank shuts down all branches following ransomware attack

All BancoEstado branches will remain closed on Monday, September 7, and possibly more days.

BancoEstado

BancoEstado, one of Chile's three biggest banks, was forced to shut down all branches on Monday following a ransomware attack that took place over the weekend.

"Our branches will not be operational and will remain closed today," the bank said in a statement published on its Twitter account on Monday.

Details about the attack have not been made public, but a source close to the investigation told ZDNet that the bank's internal network was infected with the REvil (Sodinokibi) ransomware.

The incident is currently being investigated as having originated from a malicious Office document received and opened by an employee. The malicious Office file is believed to have installed a backdoor on the bank's network.

Investigators believe that on the night between Friday and Saturday, hackers used this backdoor to access the bank's network and install ransomware.

Bank employees working weekend shifts discovered the attack when they couldn't access their work files on Saturday.

BancoEstado reported the incident to Chilean police, and on the same day, the Chilean government sent out a nationwide cyber-security alert warning about a ransomware campaign targeting the private sector.

While initially, the bank hoped to recover from the attack unnoticed, the damage was extensive, according to sources, with the ransomware encrypting the vast majority of internal servers and employee workstations.

The bank initially disclosed the attack on Sunday, but as time went by, bank officials realized employees wouldn't be able to work on Monday, and decided to keep branches closed, while they recover.

Luckily, it appears the bank had done its job and properly segmented its internal network, which limited what the hackers could encrypt. The bank's website, banking portal, mobile apps, and ATMs were untouched, according to multiple statements released by the bank, in order to reassure customers that their funds were safe.

The REvil ransomware gang is one of the few groups that operate a leak site, where it leaks files from networks it breaches, in case the victim doesn't want to pay. At the time of writing, BancoEstado's name is not on the leak site, suggesting the bank has either paid the ransom demand or is still negotiating with the hackers.

This marks the second time hackers have targeted a Chilean bank. In June 2018, North Korean hackers deployed disk-wiping malware on the network of Banco de Chile, while attempting to hide a bank hack. A year later they also breached Redbanc, the company that interconnects the ATM infrastructure of all Chilean banks, during an attempt to orchestrate an ATM cash-out scheme.