Ecuador’s state-owned National Telecommunications Corporation (CNT) has suffered a ransomware attack that has disrupted business operations, the payment portal, and customer service.
CNT is Ecuador’s state telecommunications operator that offers landline, mobile, satellite television and internet connectivity.
Starting this week, the CNT website began displaying an alert warning that they suffered an attack and that customer support and online payment are no longer accessible.
Announcement on the web about the cyber attack
“Today, July 16, 2021, the National Telecommunications Corporation, CNT EP, filed a complaint with the State Attorney General’s Office for the crime of ‘attack on computer systems’ so that the preliminary investigation and those responsible can be carried out,” reads the alert translated into English.
“This attack affected the service processes in our Integrated Service Centers and Contact Center; in that sense, we indicate to our users that their services will not be suspended due to non-payment.”
“We must inform our clients, massive and corporate, that their data is duly protected. We also inform them that services such as calls, internet and television operate normally.”
CNT suffers from RansomEXX ransomware attack
While CNT has not officially stated that they suffered a ransomware attack, BleepingComputer learned that the attack was carried out by a ransomware operation known as RansomEXX.
Security researcher German Fernandez shared with BleepingComputer a hidden link to the group’s data leak site warning CNT that the gang would leak data stolen during the attack if CNT did not pay a ransom.
“Your time is LIMITED!
When this time comes to an end, there are two ways: INCREASE the amount of the ransom or TO POST your files.
You will lose the opportunity to contact us after the data PUBLICATION.
If you REALLY WANT to prevent data leakage, please contact us RIGHT NOW.
We have downloaded over 190GB of your files and we are ready to publish it.” - RansomEXX.
RansomEXX hidden data leak page for CNT
This page is currently hidden from the public and can only be accessed via the direct link. These hidden pages are commonly included in ransom notes to prove that data was stolen by a ransomware operation during an attack.
In the CNT press release, the company states that corporate and customer data is secure and has not been exposed.
However, the RansomEXX gang claims to have stolen 190GB of data and shared screenshots of some of the documents on the hidden data leak page.
The screenshots seen by Bleeping Computer include contact lists, contracts, and support records.
This ransomware operation is responsible for numerous high-profile attacks, including the Brazilian judicial system in Rio Grande do Sul, nuclear weapons contractor Sol Oriens, and JBS, the world’s largest meat producer.
The ransomware operation was originally launched under the name Defray in 2018, but became more active in June 2020 when it changed its name to RansomEXX and began targeting large corporate entities.
Like other ransomware gangs, RansomEXX will compromise a network through purchased credentials, by brute-forcing RDP servers, or through the use of exploits.
Once they gain access to a network, they will silently spread throughout the network while stealing unencrypted files to use in extortion attempts.
After gaining access to an administrator password, they deploy the ransomware to the network and encrypt all of its devices.
As is becoming common among ransomware operations, RansomEXX created a Linux version of its ransomware to ensure that they can target all critical servers and virtual machines.
The RansomEXX gang has a history of high-profile attacks, including Brazilian government networks, the Texas Department of Transportation (TxDOT), Konica Minolta, IPG Photonics, and Tyler Technologies.
Bleeping Computer has contacted CNT with further questions, but has not received a response at this time.