Cyber Incident Victim: Ministerio de Finanzas del Ecuador
Date: Feb 2021
Location: Ecuador
Summary
A ransomware group known as Hotarus Corp compromised Ecuador's Ministry of Finance and the nation's largest private bank, deploying PHP-based ransomware to encrypt systems including an online course platform. The attackers exfiltrated internal ministry data such as emails, employee details, and contracts, subsequently leaking thousands of login credentials. In the bank intrusion, they claimed theft of millions of customer records and sensitive financial data, including credit card information, part of which was sold while the remainder was offered for auction. The group stated financial motivation for both attacks, though independent verification of the stolen data was unavailable.
Description
On or around February 26, 2021, the ransomware group Hotarus Corp executed cyberattacks against Ecuador’s Ministry of Economy and Finance (Ministerio de Economía y Finanzas de Ecuador) and Banco Pichincha, the country’s largest private bank. The attackers first compromised the Ministry’s systems, deploying a PHP-based ransomware strain identified as Ronggolawe (also known as AwesomeWare) to encrypt an online course website hosted by the agency. Following the encryption, Hotarus Corp exfiltrated data described as sensitive ministry information, including emails, employee records, and contracts. The group subsequently leaked a text file containing 6,632 login credentials—comprising usernames and hashed passwords—on a hacker forum, though the specific origin of these credentials within the Ministry’s infrastructure was not detailed. Hotarus Corp representatives claimed the attack was financially motivated and stated they were not actively selling the Ministry’s stolen data at the time of reporting.

The group then targeted Banco Pichincha, asserting they initially breached a marketing company associated with the bank and used this access to penetrate the bank’s internal systems. Hotarus Corp claimed to have exfiltrated 31,636,026 customer records and 58,456 sensitive system records, including credit card numbers, before deploying ransomware to encrypt devices within the bank’s network. The attackers reported selling approximately 37,000 credit cards to a third party and announced plans to auction or sell the remaining bank data for $250,000. Banco Pichincha publicly disputed the group’s claims regarding the scale of the breach, though technical specifics of the bank’s response were not disclosed. BleepingComputer could not independently verify the theft of data from either the Ministry or the bank. No information was provided regarding containment measures, forensic investigations, or recovery actions taken by either organization in the immediate aftermath of the attacks.
