Ransomware: Mexican Oil Firm Reportedly Refuses to Pay UpState-Owned Pemex Still Recovering From Attack
Pemex, Mexico's state-run oil company, is refusing to pay attackers a ransom of about $5 million in bitcoin after a ransomware attack against the firm's administrative offices, Energy Minister Rocio Nahle tells Reuters.
The ransomware attack, which occurred on Sunday, has mainly affected Pemex's administrative operations in Mexico City, according to Reuters. And while the company continued to work to bring payment and other systems back online as of Thursday, its field operations, such as oil and gas plants and wells, continued to function, says Nahle, who also is chair of the company's board.
The company has offered updates throughout the week on Twitter, noting that only about 5 percent of its systems were affected by the unnamed ransomware strain.
Pemex opera con normalidad. pic.twitter.com/IF7kf6VIEk— Petróleos Mexicanos (@Pemex) November 12, 2019
Two unnamed Pemex employees told Bloomberg that the firm's billing systems were severely affected by the ransomware attack, forcing the company to resort to manual billing to make payments to its suppliers.
The attackers demanded 565 bitcoins, or about $5 million, to restore access to systems and gave the company about 48 hours to respond, Reuters reports.
Nahle said on Wednesday that neither Pemex nor the Mexican government would pay the ransom, according to Reuters.
What Kind of Malware?
An internal message Monday indicated that the systems were infected by the Ryuk malware, Bloomberg reports, citing a person familiar with the situation.
Bloomberg also reports that the security firm Crowdstrike saw some indications that the malware may be DoppelPaymer, a form of ransomware that the firm first saw deployed in June attacks, according to Adam Meyers, the company's vice president of intelligence.
Meyers found a sample of DoppelPaymer on a malware-sharing repository that contained an embedded payment portal requesting 565 Bitcoin, which is roughly equivalent to $4.9 million, Bloomberg reports. The payment portal was addressed to Pemex, which led Meyers to make the connection between DoppelPaymer and the recent attack, according to the news service.
DoppelPaymer has been used to target Chile's Ministry of Agriculture servers in July, according to CrowdStrike researchers.
Back in June, the IT systems of water department and the finance department of Edcouch, Texas, were targeted by the same strain, with the attackers asking for a ransom of eight bitcoins, or $40,000, according to a local news report.
CrowdStrike says DoppelPaymer is likely a variant of BitPaymer, which has been used to extort ransoms of $25,000 to $1.2 million. It uses a Tor-based payment portal for victims to pay the ransom, CrowdStrike researcher note.
BitPaymer, which operates similarly to DopplePaymer, has been involved in a number of recent ransomware attacks against enterprises across Europe.
In early November, two Spanish enterprises - Radio network ACadena SER and consultancy Everis - were targeted by BitPaymer (see: 2 Ransomware Attacks Reported in Spain).
Refusal to Pay
In another recent ransomware case involving a government that refused to pay a ransom, attackers in October targeted parts of Johannesburg, South Africa's municipal infrastructure with ransomware, which also affected the municipal-run electrical utility. The threat actors asked for a ransom of about $33,600 (see: Johannesburg Struggles to Recover From Ransomware Attack).