Ransomware | Resolved

BancoEstado REvil ransomware attack

REvil (Sodinokibi) ransomware encrypted roughly 14,000 workstations at BancoEstado, one of Chile's largest banks, forcing it to close all branches nationwide for a day, while network segmentation kept ATMs, online banking, and customer funds unaffected.

Victim
BancoEstado

In September 2020, BancoEstado, the state-owned bank that is one of Chile's three largest financial institutions, was forced to close every branch in the country after REvil (Sodinokibi) ransomware encrypted much of its internal network.

What happened

The intrusion began on the weekend of 4-5 September 2020 when a bank employee opened a malicious Microsoft Office document, reportedly delivered through a phishing lure, which installed a backdoor. REvil affiliates used that foothold to move laterally and deploy the Sodinokibi ransomware payload across the bank's internal systems.

By the time the malware was detected, it had encrypted roughly 14,000 workstations and servers, according to Chile's government Computer Security Incident Response Team (CSIRT). On Monday 7 September, BancoEstado took the dramatic step of closing all of its branches nationwide for the day while it assessed the damage and rebuilt systems.

Containment through segmentation

Crucially, the attack was largely confined to the bank's internal corporate network. Thanks to network segmentation, the customer-facing infrastructure (the public website, internet banking portal, mobile applications, and ATM network) remained operational and was unaffected. Investigators confirmed that customer funds were never at risk and that no client money was lost.

Branches reopened the following day, 8 September, though some continued operating with reduced services as systems were progressively restored.

Impact

  • Approximately 14,000 internal machines were encrypted.
  • All BancoEstado branches in Chile closed for one day (roughly 24 hours of branch downtime).
  • Customer-facing channels (ATMs, online and mobile banking) stayed online; no customer funds were lost.
  • Chile's CSIRT issued a national cybersecurity alert to other banks and public bodies warning of REvil activity.

Why it matters

The BancoEstado incident became Chile's most prominent ransomware event and a regional case study in the value of network segmentation. While the operational disruption (shuttering an entire national branch network) was severe, the separation between corporate IT and core banking systems prevented a far worse outcome in which payments or customer balances could have been compromised. REvil/Sodinokibi was at the time one of the most aggressive ransomware-as-a-service operations in the world, and the attack pushed Chilean regulators and the financial sector to accelerate investment in segmentation, endpoint detection, and phishing resilience. It remains the canonical example cited in Chilean cybersecurity policy of how architecture, more than perimeter defense alone, determines the blast radius of a ransomware intrusion.
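To make the segmentation argument of the "Containment through segmentation" and "Why it matters" sections concrete, here is an added example (not from the original page, and not BancoEstado's real topology): a small Python model that computes the worst-case blast radius of an intrusion starting at a phished corporate workstation under a flat network versus a segmented policy. The host names, segment names and the allow-policy are constructed assumptions.

```python
from collections import deque

# Constructed, hypothetical bank network (not BancoEstado's real topology).
# Each host belongs to a segment; a policy maps a segment to the set of
# segments that hosts in it may reach over the network.
HOSTS = {
    "ws-0001": "corporate", "ws-0002": "corporate", "fileserver-01": "corporate",
    "ad-dc-01": "corporate",
    "web-portal": "customer_facing", "mobile-api": "customer_facing",
    "atm-switch": "atm", "core-ledger": "core_banking",
}

# Segmented policy (assumed): corporate IT talks only to itself; customer-facing
# and ATM systems reach core banking through controlled paths; corporate never
# reaches the ATM switch or the ledger.
SEGMENTED_POLICY = {
    "corporate": {"corporate"},
    "customer_facing": {"customer_facing", "core_banking"},
    "atm": {"atm", "core_banking"},
    "core_banking": {"core_banking"},
}

def flat_policy(hosts):
    """Every segment can reach every other: the 'no segmentation' baseline."""
    segments = set(hosts.values())
    return {s: set(segments) for s in segments}

def blast_radius(hosts, policy, patient_zero):
    """Hosts an intrusion starting at patient_zero could reach, assuming any host
    in a reachable segment can be compromised (worst-case lateral movement)."""
    reached = {patient_zero}
    queue = deque([patient_zero])
    while queue:
        current = queue.popleft()
        allowed = policy[hosts[current]]
        for host, segment in hosts.items():
            if host not in reached and segment in allowed:
                reached.add(host)
                queue.append(host)
    return reached

def segments_hit(hosts, reached):
    return {hosts[h] for h in reached}  # which segments the intrusion touched

if __name__ == "__main__":
    start = "ws-0001"  # the phished workstation in this constructed scenario
    flat = blast_radius(HOSTS, flat_policy(HOSTS), start)
    seg = blast_radius(HOSTS, SEGMENTED_POLICY, start)
    print("flat:", len(flat), "of", len(HOSTS), "hosts;", sorted(segments_hit(HOSTS, flat)))
    print("segmented:", len(seg), "of", len(HOSTS), "hosts;", sorted(segments_hit(HOSTS, seg)))
```

Replacing the toy host table with an export of real asset and firewall-policy data turns this into a quick blast-radius check for any segment boundary you want to validate.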

Timeline

  1. An employee opens a malicious Microsoft Office document, giving REvil affiliates an initial foothold and backdoor on the bank's network.

  2. Over the weekend the ransomware spreads, encrypting roughly 14,000 internal workstations and servers.

  3. BancoEstado closes all of its branches nationwide for the day to contain and investigate the attack.

  4. The bank reopens branches; ATMs, website, mobile app, and customer funds remain unaffected thanks to network segmentation.

  5. Chile's government CSIRT confirms REvil/Sodinokibi and issues a national alert to other public and financial institutions.

Sources

  1. https://securityaffairs.com/108014/cyber-crime/bancoestado-ransomware.html
  2. https://blog.elhacker.net/2020/09/banco-de-estado-chile-victima-de-ransomware-Revil-Sodinokibi.html
  3. https://www.manageengine.com/log-management/ransomware-attacks/bancoestado-shuts-down-after-ransomware-attack.html
  4. https://www.cybersecurity-help.cz/blog/1571.html
