CNT Ecuador RansomEXX attack
The RansomEXX gang hit Ecuador's state-run telecom CNT, disrupting its payment portal and call centers and claiming to have stolen more than 190 GB of corporate and customer data.
- Victim: Corporación Nacional de Telecomunicaciones (CNT EP)
In mid-July 2021, Ecuador's state-owned telecommunications carrier Corporación Nacional de Telecomunicaciones (CNT EP) was struck by the RansomEXX ransomware gang, disrupting customer-facing systems and triggering a high-profile data-extortion threat.
What happened
On 16 July 2021, CNT filed a formal complaint with Ecuador's State Attorney General's Office, describing the event as an "attack on computer systems." While the company avoided the word "ransomware," BleepingComputer reported — based on a hidden link to the attackers' data-leak site — that the intrusion was the work of RansomEXX, a gang that had previously hit Brazil's government networks, the Texas Department of Transportation, Konica Minolta, and Tyler Technologies.
The RansomEXX leak page carried a stark warning: "Your time is LIMITED! We have downloaded 190GB+ of your files and we are ready to publish it." The attackers posted screenshots of contact lists, contracts, and support logs to substantiate the claim.
Impact
- CNT's online payment portal and call-center / customer-support operations were disrupted.
- The company stated that core services — fixed-line phone, mobile, satellite TV, and internet — continued operating normally.
- CNT assured customers that services would not be suspended for non-payment during the disruption.
- The company publicly maintained that corporate and customer data were "duly protected," a claim the leaked screenshots appeared to contradict.
About RansomEXX
RansomEXX began life as Defray in 2018 and rebranded in mid-2020, adopting the double-extortion model: encrypting victims' systems while also exfiltrating data and threatening to publish it. The group operated both Windows and Linux encryptors and specialized in large enterprise and government targets — making a national telecom like CNT a characteristic victim.
Why it matters
The CNT attack was one of a cluster of major ransomware incidents in Ecuador in 2021 — alongside the Banco Pichincha attack months later — that exposed the vulnerability of the country's critical infrastructure operators. Because CNT is a state-owned carrier serving millions of subscribers, its compromise raised concerns about the security of essential national communications. The episode also illustrated the now-standard tension between a victim's public reassurances ("data is protected") and the attackers' published proof of theft, a dynamic that has come to define double-extortion ransomware across Latin America.
Timeline
- CNT EP files a complaint with the State Attorney General's Office for an 'attack on computer systems.'
- The attack disrupts CNT's payment portal and customer-support/contact-center operations.
- BleepingComputer reports the attack was carried out by the RansomEXX ransomware operation.
- RansomEXX's leak site warns CNT that 190 GB+ of stolen files will be published unless the company makes contact.
- CNT states that core services (calls, internet, TV) continue normally and that corporate and customer data are 'duly protected.'
Sources
- bleepingcomputer.com: https://www.bleepingcomputer.com/news/security/ecuadors-state-run-cnt-telco-hit-by-ransomexx-ransomware/
- heimdalsecurity.com: https://heimdalsecurity.com/blog/ransomexx-ransomware-impacts-ecuadors-corporacion-nacional-de-telecomunicaciones-cnt/
- ehackingnews.com: https://www.ehackingnews.com/2021/07/ransomexx-ransomware-hits-ecuadors.html
- latesthackingnews.com: https://latesthackingnews.com/2021/07/20/ecuador-telecom-giant-cnt-suffered-cyber-attack-ransomware-suspected/