BancoEstado Ransomware Attack Disrupts Operations in 2020

BancoEstado's 2020 ransomware attack disrupted operations, causing significant damage. Learn about the incident, its impact, response, and key takeaways.

Incident Details

In June 2020, a chilling wave of cybercrime swept through the financial sector of Chile, striking at the heart of one of its most vital institutions—BancoEstado. As the nation’s largest bank and a cornerstone of governmental financial activities, its sudden descent into chaos captured the attention of the public and the authorities alike. On a seemingly ordinary weekend, a malicious Office document opened by an unsuspecting employee unleashed a ransomware attack orchestrated by the notorious cybercriminal group REvil. By Monday morning, the bank was forced to shutter all its branches, leaving customers bewildered and services disrupted. The attack encrypted the vast majority of the bank's internal servers and workstations, crippling operations, while the bank's digital services miraculously remained intact. As investigators delved into the breach, the implications of this incident rippled through the cybersecurity landscape, raising alarms about the vulnerabilities that lurked within the systems of financial giants.

Damage Assessment

  • The ransomware attack severely impacted BancoEstado’s internal operations, resulting in the encryption of the vast majority of internal servers and employee workstations.
  • Employees were unable to access work files, leading to a complete shutdown of all bank branches on the following Monday.
  • Customer-facing services such as the bank’s website, banking portal, mobile apps, and ATMs were unaffected due to the bank’s network segmentation.
  • The disruption halted daily financial activities, impairing the organization’s ability to process transactions and respond to customer inquiries.
  • The financial costs incurred from the attack include potential ransom payments (undisclosed), loss of operational revenue during branch closures, and expenses related to forensic investigations and system restoration.
  • The attack prompted a nationwide cybersecurity alert, indicating a broader concern for the safety and security of the financial sector in Chile.

How It Happened

The BancoEstado ransomware attack occurred due to a combination of human error and system vulnerabilities. Initially, an employee opened a malicious Office document, which triggered the installation of a backdoor in the bank's internal network. This backdoor allowed the criminal cybergang REvil to gain unauthorized access, ultimately leading to the deployment of ransomware that encrypted a significant portion of the bank’s servers and workstations.

Despite the attack's severity, BancoEstado had implemented a degree of network segmentation, which helped isolate its public-facing services—such as its website and mobile apps—from the compromised internal systems. However, the initial entry point through the malicious document highlights the critical role of employee training in recognizing phishing attempts and other cyber threats.

The incident underscores the importance of robust cybersecurity measures, including regular software updates, real-time monitoring, and comprehensive employee training programs to mitigate the risks posed by social engineering tactics and to strengthen overall cyber resilience against future attacks.
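One concrete form the "real-time monitoring" above can take is a detection for the initial-access pattern this write-up describes: an Office application spawning a shell or script host after a user opens a malicious document. The block below is an added example, not code from BancoEstado or HackersHub; it reads JSON process-creation events in the shape of Sysmon Event ID 1, and the host names, users, paths and command lines are constructed.

```python
# Added example, not BancoEstado's or HackersHub's code. Flags the intrusion
# pattern described above: an Office application launching a shell or script
# host after a user opens a malicious document. Events are JSON lines in the
# shape of Sysmon Event ID 1 (process creation); the samples are constructed.
import json

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe"}

def image_name(path: str) -> str:
    """Lower-cased executable name from a Windows image path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def is_office_spawn(event: dict) -> bool:
    """True when an Office process is the direct parent of a script host."""
    return (image_name(event.get("ParentImage", "")) in OFFICE_APPS
            and image_name(event.get("Image", "")) in SCRIPT_HOSTS)

def scan(lines):
    """Return one alert dict per matching event; malformed lines are skipped."""
    alerts = []
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # truncated or corrupt log line: do not crash the scan
        if is_office_spawn(ev):
            alerts.append({"host": ev.get("Computer", "?"), "user": ev.get("User", "?"),
                           "parent": image_name(ev["ParentImage"]),
                           "child": image_name(ev["Image"]),
                           "cmdline": ev.get("CommandLine", "")})
    return alerts

# Constructed sample: a normal Word launch from Explorer, Word spawning
# PowerShell (the document-macro pattern), Excel spawning cmd, a corrupt line.
SAMPLE_EVENTS = [
    r'{"Computer":"BR-WS-014","User":"CORP\\jperez","ParentImage":"C:\\Windows\\explorer.exe","Image":"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE","CommandLine":"WINWORD.EXE /n"}',
    r'{"Computer":"BR-WS-014","User":"CORP\\jperez","ParentImage":"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","CommandLine":"powershell.exe -NoProfile -File C:\\Users\\jperez\\AppData\\Local\\Temp\\update.ps1"}',
    r'{"Computer":"HQ-WS-201","User":"CORP\\mrojas","ParentImage":"C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE","Image":"C:\\Windows\\System32\\cmd.exe","CommandLine":"cmd.exe /c C:\\Users\\mrojas\\AppData\\Local\\Temp\\run.bat"}',
    r'{"Computer":"HQ-WS-202","User":"CORP\\lsoto","ParentImage":"C:\\Windows\\explorer.exe","Image":"C:\\Windows\\System32\\WindowsPowerShell',
]

if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(f'{a["host"]} {a["user"]}: {a["parent"]} -> {a["child"]} [{a["cmdline"]}]')
```

Run against the constructed sample it raises two alerts (Word to PowerShell, Excel to cmd) and silently skips the truncated fourth line; in production the same check would sit in the SIEM on the endpoint telemetry feed.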

Response

Upon discovering the ransomware attack, BancoEstado immediately shut down all its branches to prevent further damage and protect sensitive information. The bank confirmed the branch closures via a statement on its Twitter account, informing customers that operations would be suspended for the day.

The malware was initially identified when employees reported an inability to access their work files, prompting an investigation into the cause. It was determined that the ransomware had infiltrated the bank's internal network through a malicious Office document opened by an employee, which installed a backdoor for the attackers.

To mitigate the impact, BancoEstado quickly isolated the affected internal servers and workstations, effectively preventing the ransomware from spreading to critical systems, including the bank’s website, banking portal, mobile apps, and ATMs. The bank promptly reported the incident to Chilean police, leading to the issuance of a nationwide cybersecurity alert to safeguard the broader private sector against similar attacks.

Key Takeaways

Understanding the Threat Landscape: The BancoEstado attack highlighted the evolving tactics of cybercriminals, underscoring the necessity for banks to remain vigilant and informed about current threats.

Importance of Incident Response Plans: A well-defined incident response plan is crucial. BancoEstado's disruption illustrated that quick, organized responses can mitigate damage and restore operations faster.

Regular Security Audits: Continuous evaluation of security measures can identify vulnerabilities before they are exploited. The attack emphasized the need for frequent assessments to stay ahead of threats.

Employee Training: Human error remains a significant risk factor. Ongoing cybersecurity training for employees can reduce the likelihood of successful phishing attempts or other social engineering tactics.

Investment in Advanced Security Solutions: The BancoEstado incident reinforced the necessity for banks to invest in comprehensive cybersecurity services. Partnering with experts like HackersHub can provide tailored solutions to protect against sophisticated attacks.

Collaboration and Sharing Intelligence: Engaging in information-sharing initiatives with other banks can enhance collective security knowledge, making it harder for attackers to succeed.
