
Will PEMEX pay the $5M USD to hackers for the ransomware attack?

A couple of days ago, web application security specialists reported a ransomware attack on Petroleos Mexicanos (PEMEX), the state-controlled Mexican oil company. Although the company has not explicitly acknowledged a ransomware infection, reports indicate that the attackers demanded about $5 million USD in Bitcoin to restore the affected systems.

After various local media outlets revealed the incident, PEMEX stated that it was detected on November 10. The company subsequently decided to shut down all computers at various facilities, which interrupted some administrative activities and financial operations.

Some local media claim that the threat actors gave PEMEX only 48 hours to contact them and arrange the ransom payment.

However, in a statement, the company invited those interested to “avoid misinformation and rumors”, downplaying the seriousness of the incident. According to web application security specialists, PEMEX acknowledged that the attack affected less than 5% of its computers, and asserted that the rest of its IT infrastructure, facilities and distribution activities were operating as normal.

Regarding the ransomware variant used by the attackers, it was initially reported that PEMEX had been infected with the Ryuk malware, although some images leaked by company employees show a ransom note associated with DoppelPaymer ransomware infections.

Ransomware campaigns against public organizations have become very common in the U.S. over the past few months. A couple of months ago, the state of Louisiana declared a state of emergency after encryption malware infected the IT infrastructure of most school districts in the state. Recovering from that incident required the intervention of state and federal government, intelligence agencies and external cyber security specialists.

Another recent case was reported in Texas, where the Department of Information Resources (DIR) stated that at least 23 state government organizations had suffered a serious ransomware infection. Similar cases have also been reported in Canada, although there appears to be little precedent for such attacks affecting public companies in Mexico.

So far it is unknown whether the Mexican oil company agreed to pay the ransom or whether it will restore its data from backups. In any case, web application security specialists at the International Institute of Cyber Security (IICS) note that the coming months will involve a great deal of work for PEMEX: in addition to carrying out the recovery process, the company will have to conduct an in-depth review of its security policies and practices, as well as a digital forensic investigation to determine how the attack occurred and to prevent similar incidents in the future.
