Banco Pichincha ransomware attack
A ransomware intrusion using a Cobalt Strike beacon forced Ecuador's largest private bank, Banco Pichincha, to take ATMs, online banking, and its mobile app offline for several days.
- Victim: Banco Pichincha
On the weekend of 10 October 2021, Banco Pichincha — Ecuador's largest private bank — suffered a ransomware attack that knocked out ATMs, online banking, and its mobile application for several days, leaving millions of customers unable to access their money.
What happened
According to cybersecurity industry sources cited by BleepingComputer, attackers had deployed a Cobalt Strike beacon on the bank's network — a hallmark of ransomware operators who use the commercial penetration-testing tool to maintain persistence, move laterally, and stage encryption payloads. To contain the spread, Banco Pichincha shut down portions of its own network, which in turn took customer-facing systems offline.
The bank did not publicly confirm the ransomware nature of the attack at the time, characterizing it instead as a "cybersecurity incident." It did not disclose whether a ransom was demanded or paid.
Impact
- ATMs stopped dispensing cash and displayed error or maintenance messages.
- The online banking portal and mobile app were unavailable, with the website showing maintenance notices for days.
- Customers reported being unable to check balances, transfer funds, or complete card transactions during the outage.
- As Ecuador's largest private bank, the disruption had a systemic effect on retail payments across the country.
Context: a year of attacks
The October ransomware attack was not Banco Pichincha's first incident of 2021. In February 2021, a group calling itself Hotarus Corp claimed to have breached both Banco Pichincha and Ecuador's Ministry of Finance, stealing internal information and leaking samples. The two incidents together made Banco Pichincha one of the most visibly targeted financial institutions in Latin America that year.
Why it matters
The Banco Pichincha attack demonstrated how a single ransomware intrusion can paralyze a national payments system. Because the bank chose to isolate its network defensively, the operational impact — days of unavailable ATMs and digital banking — flowed directly from the incident response, not just the malware itself. The episode, coming two years after the Novaestrat data leak, underscored the fragility of Ecuador's financial and digital infrastructure and accelerated regulatory attention to operational resilience and incident reporting in the country's banking sector.
Timeline
- An earlier incident: the group Hotarus Corp claims to have breached Banco Pichincha and Ecuador's Ministry of Finance, stealing internal data.
- Over the weekend, attackers deploy a Cobalt Strike beacon on Banco Pichincha's network in what sources describe as a ransomware attack.
- The bank isolates affected systems, taking ATMs, online banking, and the mobile app offline; branches show maintenance notices.
- Disruption continues for multiple days; customers cannot access accounts or withdraw cash.
- Banco Pichincha confirms a 'cybersecurity incident' and works to restore services progressively.
Sources
- bleepingcomputer.com: https://www.bleepingcomputer.com/news/security/cyberattack-shuts-down-ecuadors-largest-bank-banco-pichincha/
- heimdalsecurity.com: https://heimdalsecurity.com/blog/banco-pichincha-impacted-by-a-cyberattack/
- welivesecurity.com: https://www.welivesecurity.com/la-es/2021/10/14/banco-pichincha-sufrio-ataque-informatico/
- eluniverso.com: https://www.eluniverso.com/noticias/ecuador/ataque-ransomware-que-utiliza-una-baliza-cobal-strike-habria-provocado-caida-de-servicios-en-banco-pichincha-afirma-portal-de-ciberseguridad-nota/