RansomEXX Ransomware Hits Ecuador’s State-Run CNT Telco


Ecuador's state-run Corporación Nacional de Telecomunicación (CNT) suffered a massive ransomware attack that disrupted its business operations, payment gateway, and customer support portal.

CNT is a state-run telecommunications carrier that provides fixed-line phone service, mobile, satellite TV, and internet connectivity. Following the attack, CNT displayed an alert on its website stating that it had suffered a ransomware attack and that customer support and online payment are no longer accessible.
"The National Telecommunications Corporation, CNT EP, filed a protest to the State Attorney General's Office regarding the ransomware attacks on the company's computer systems. The initial investigation is going on, and the person behind this incident will be held responsible," read the alert notification translated into English.

"This attack affected the care processes in our Integrated Service Centers and Contact Center; in this regard, we indicate to our users that their services will not be suspended for non-payment. We must inform our clients, massive and corporate, that their data is duly protected. We also inform that services such as calls, internet and television operate normally," the company further added.

CNT has not revealed any details regarding the attack timeline yet, but BleepingComputer reported that the attack was carried out by a ransomware operation called RansomEXX. The gang claims to have stolen 190 GB of data and shared screenshots of some of the documents on a hidden data leak page. Such pages are accessible only via links hidden in ransom notes.

The RansomEXX gang is responsible for numerous high-profile attacks, including those on Brazil's Rio Grande do Sul court system, the Texas Department of Transportation (TxDOT), Konica Minolta, IPG Photonics, nuclear weapons contractor Sol Oriens, and JBS, the world's largest meat producer.

The ransomware gang first started operating under the name Defray in 2018 but became more active in June 2020, when it changed its name to RansomEXX and began to target big organizations. Like other ransomware gangs, RansomEXX gains access to a network via purchased credentials, brute-forced RDP servers, or exploits.

Once the attackers secure access to a network, they will silently spread throughout the network while stealing unencrypted files to be used for extortion attempts. After gaining access to an administrator password, they deploy the ransomware on the network and encrypt all of its devices.