According to a statement made by the company, the attack affected less than 5% of its computers. Hackers indicated that Pemex had missed the deadline to get a “special discount.”
Hackers demanded almost USD 5 million in Bitcoin from Petróleos Mexicanos (Pemex), adding that the company had lost the opportunity to obtain a “special discount” by not paying immediately after the attack, which ruined part of the company's computer systems.
The cyberattack, which Pemex detected on November 10th, forced the company to disconnect computers throughout Mexico, even stopping payment systems. Hackers are increasingly targeting large companies, attacking them with malicious programs that can disable the systems that monitor all their processes, from supply chains to production, and eliminating the malware after receiving substantial payments.
A ransom note that appeared on Pemex computers referred to a darknet website affiliated with “DoppelPaymer.” This is a relatively new type of ransomware, which the cybersecurity firm CrowdStrike cites as responsible for the attacks against the Chilean Ministry of Agriculture and the city of Edcouch in Texas, USA.
The website demanded 565 BTC from Pemex, almost USD 5 million at the current exchange rate, giving the oil company 48 hours to pay and listing an e-mail address for contact. When a message was sent to that e-mail address, the alleged hackers replied, saying that the company had missed the deadline for a “special price,” referring to the discounts offered to ransomware victims for making advance payments.
This attack represents a new threat to Pemex, which is struggling to pay large debts, reverse years of declining oil production and avoid reductions in its credit scores. However, the company reported that its storage and distribution facilities were working normally and that the attack had affected less than 5% of its computers.
A person who works in the production and exploration area of Pemex reported that this division was not affected. However, according to statements from another source, who spoke on condition of anonymity, last Tuesday Pemex was reconnecting unaffected computers to its network with software patches, in addition to cleaning infected computers.
Initially there was confusion about the type of ransomware that was used in the attack. A Pemex official said in an e-mail that it was Ryuk, a ransomware that usually targets companies with annual revenues of between USD 500 and 1 billion, well below Pemex levels.
After the attack, Pemex had to communicate with its staff through the WhatsApp mobile messaging service, since employees could not open their e-mail accounts, according to another source who was also not authorized to speak with journalists. The person added that, due to the disconnection of all computers in finance, there could eventually be problems with payments.
Companies that are held hostage digitally can suffer catastrophic damage, whether or not they pay a ransom. The Norwegian aluminum producer Norsk Hydro was attacked in March this year by ransomware that spread to 160 sites, forcing parts of the company to operate on paper and pencil. The company refused to pay the ransom but explained that the attack generated up to USD 71 million in cleanup costs, of which only USD 3.6 million have been paid by insurance.
By Willmen Blanco