Ransomware, Content

Pemex Ransomware Attack: Mexico Oil, Gas Recovery Update


Petroleos Mexicano (Pemex), a Mexican state oil and gas conglomerate, has been hit with a ransomware attack that crashed its servers, encrypted files and halted some administrative work, the company said.

It’s the latest cyber foray against global commodities giants, an industrial sector likely to draw increased attention from managed security service providers (MSSPs) for the rising number of blows it’s taking from hackers. Previous high value ransom hits have hobbled Norwegian aluminum company Norsk Hydro, zinc smelter Nyrstar, shipping company Maersk, pharmaceutical firm Merck and others.

In the Pemex hijack, the cyber crew has demanded 565 bitcoins, or roughly $5 million, payable before the end of November to unlock the affected systems, according to reports. As of Thursday, November 14, Pemex officials said the cyber attack was “totally under control,” although a number of employees claimed operations were still not up and running as usual, CNBC reported.

Here are 10 things you need to know about the Pemex attack: (via Bloomberg, Reuters)

  • The attack was first detected on Sunday, November 10 by Pemex’s SOC.
  • Pemex has not acceded to the ransom demand and will not comply, Energy Minister Rocio Nahle said. It's not known if MSSPs are on the scene.
  • The offending malware at first appeared to be the notorious Ryuk strain often used by cyber crooks against high value targets.
  • But some cyber pros said the attack had the earmarks of the DoppelPaymer malware, which has also been linked to high value targets.
  • Pemex said that its oil and gas operations were not disrupted and storage was unaffected but some employees disagreed.
  • Some administrative functions were disabled, including the processing of payments.
  • In the attack’s wake Pemex told employees to disconnect from its network and back up critical information from hard drives.
  • In one Pemex office building, entire floors of computers were wiped out.
  • The attacks affected only five percent of Pemex’s computers and had been effectively “neutralized,” the company said.
  • Pemex is currently wiping infected servers and installing patches.

The hacker used the name “Joseph Atkins” in an email to Bloomberg, claiming the crime group was also behind a July, 2019 phishing attack on truck freight provider Roadrunner Transportation Systems, a Downers Grove, Illinois-based outfit. “They did not pay and recovered themselves, and left us GB’s of their data,” the person reportedly said, in what could be a thinly veiled threat to Pemex.

The attack on Pemex came as the company is wrestling to pay down $106 billion in debt, arrest 15 years of declining oil output and repair downgrades to its credit. In its recently completed Q3 financial report, the company lost $4.4 billion but pared six percent from its debt load for the first decrease in a decade.

D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.