
Cyber Incident Victim: Banco del Estado de Chile

Date:

Sep 2020

Location:

Chile

Summary

Banco del Estado de Chile (BancoEstado) suffered a ransomware attack after an employee opened a malicious Office document that installed a backdoor on the internal network; the attackers later used that backdoor to deploy REvil (Sodinokibi) ransomware. The attack encrypted most internal servers and workstations, forcing the bank to close all branches temporarily while recovery was under way. Despite the extensive internal damage, customer-facing services such as ATMs, online banking, and mobile applications were unaffected because network segmentation contained the spread, and no customer funds were put at risk. The incident prompted a nationwide cybersecurity alert from Chilean authorities.

CIA Posture: Available to members
Motives: 3 motives
Tactics, Techniques & Procedures: 1 technique
Threat Actor: 1 actor
Type: Available to members
Location: Available to members

Description

The attack on BancoEstado began when an employee opened a malicious Office document, which installed a backdoor on the bank's internal network. Investigators determined that between Friday night (September 4) and Saturday morning (September 5), the attackers used this backdoor to deploy REvil (Sodinokibi) ransomware across the bank's systems. Weekend staff discovered the intrusion on Saturday when they could no longer access their work files and immediately notified the Chilean police. The Chilean government issued a nationwide cybersecurity alert the same day, warning private-sector entities of an active ransomware campaign. BancoEstado disclosed the incident publicly on Sunday, September 6, still hoping to restore operations without further disruption. Forensic analysis showed that the ransomware had encrypted the majority of internal servers and employee workstations, causing extensive damage to core operational infrastructure.


By Monday, September 7, the bank concluded that branch operations could not resume and announced the closure of all physical locations in a Twitter statement. Network segmentation had confined the ransomware's spread to internal segments, sparing customer-facing systems including ATMs, online banking portals, mobile applications, and the public website; recovery efforts concentrated on restoring the affected internal segments. No customer funds or external transactional services were compromised. The incident was Chile's second major cyberattack on a bank in two years, following the 2018 disk-wiping malware attack on Banco de Chile by North Korean actors; Redbanc, the national ATM network operator, had also been breached in 2019. Throughout the internal restoration, BancoEstado's incident response prioritized public reassurance, repeatedly confirming that segmentation had held and that transactional services remained intact.
