A United States cybersecurity firm has revealed that a cyber attack took place last week against a Mexican bank, although the bank says the attack was unsuccessful and no information was extracted.
Cyble, Inc. disclosed that CIBanco’s systems had been infected by REvil ransomware. The attackers had released some of the data collected but were threatening to sell the remainder, which purportedly included sensitive information about the bank’s employees and customer accounts and passwords, if a ransom payment were not made.
After customers noted an interruption in service and complained on social media of not having access to their accounts for six days last week, CIbanco released a statement on Monday saying that “we made the decision to suspend the bank’s services and applications preventively following security protocols.” The bank said the hack was not successful.
“The bank’s security protocols worked against massive and repetitive attacks. The operating systems were not compromised.”
Cyble posted a message appearing to be from the attackers on Twitter.
“People who don’t care about their reputation, lie to their clients, and are silent about hacking and data leak. Bank users lose money from their accounts, they cannot pay bills and loans, and the management continues to lie about ‘problems in the system. If you do not contact us, we will begin to publish your data.”
One account holder told Mexico News Daily last week that he had been unable to make transfers from his account for several days. He said the bank told him that it was having systems problems due to heavy rainfall.
The bank has 3,300 employees and assets of 12.24 billion pesos (US $557 million).
A recent study by cybersecurity firm Infosecurity reports that between February and April alone, cyber attacks on financial institutions worldwide have increased by 238%, with ransomware being the most popular method used.
“Ransomware groups used to simply encrypt their victims’ data, but since November last year they have also been stealing it. They use the threat of releasing or, in the case of REvil, auctioning off the stolen data as an additional lever to extort payment,” says Brett Callow, a threat analyst at New Zealand-based software firm Emsisoft.
“And the most you can hope to receive is a pinky promise that the stolen data will be deleted, but why would criminals delete something that they can make money with?”
REvil ransomware software, also known as Sodinokibi, was first detected in 2019 and has stolen data from foreign exchange company Travelex and celebrity law firm Grubman Shire Meiselas & Sacks whose clients include Lady Gaga, Drake and Madonna.
In June, operators of the REvil ransomware launched a dark web auction site for data sets that mimics eBay, accepting bids in cybercurrency to ensure anonymity. Thus far their average extortion demand is around US $260,000, and they threaten failure to pay will result in auctioning off the data to the highest bidder.