Cyber Incident Victim: Banco Pichincha
Date: Feb 2021
Location: Ecuador
Summary
A ransomware group compromised Ecuador's Ministry of Finance and its largest private bank, deploying PHP-based ransomware to encrypt an online training platform and leaking thousands of credentials. The attackers infiltrated the bank's systems through a marketing firm, exfiltrating millions of customer records and sensitive data including credit card information, which they partially sold while planning further auctions. The gang claimed financial motivation, but the validity of their data theft assertions remained unverified.
Description
On or around February 26, 2021, the ransomware group Hotarus Corp compromised Ecuador’s Ministry of Finance (Ministerio de Economía y Finanzas de Ecuador) and Banco Pichincha, the country’s largest private bank. The attackers first targeted the Ministry of Finance by deploying a PHP-based ransomware strain identified as Ronggolawe (or AwesomeWare) against a website hosting an online course, encrypting its contents. Following this encryption, the group released a text file containing 6,632 login credentials—usernames and hashed passwords—on a hacker forum. Hotarus Corp claimed to have exfiltrated sensitive ministry data, including emails, employee information, and contracts, though these assertions remained unverified by independent analysts. The group later shifted focus to Banco Pichincha, asserting they had exploited a breach at a marketing firm affiliated with the bank to gain access to its internal systems.

Within Banco Pichincha’s network, Hotarus Corp deployed ransomware to encrypt devices and allegedly exfiltrated 31,636,026 customer records and 58,456 sensitive system records, including credit card data. The group stated they had already sold approximately 37,000 credit cards to a third party and intended to auction or sell the remaining data for an initial asking price of $250,000. Banco Pichincha did not publicly confirm the theft or encryption, and BleepingComputer noted it could not independently verify the attackers’ claims regarding the scale of data exfiltration from either entity. Hotarus Corp explicitly stated their motive was financial gain, emphasizing they were not politically motivated. No containment actions, incident response details, or forensic findings from the bank or ministry were disclosed in the available reporting. The attacks highlighted operational disruptions at the ministry’s online course platform and raised concerns about potential financial fraud risks stemming from the alleged sale of bank customer data.
