Mexico's state oil company Pemex successfully fended off an attempt by threat actors to deploy what may have been the Ryuk ransomware variant on internal systems.
An unnamed spokeswoman told the publication that a Pemex notice on Twitter had prompted rumors of a successful cyberattack, which were false. Instead, an attempt to compromise Pemex systems was isolated and dealt with.
The statement, released by Pemex, revealed that the cyberattack was "neutralized" quickly and impacted less than five percent of its computer systems overall.
Operations, including oil production and storage, are unaffected.
An internal email seen by Reuters suggests that Pemex may have been targeted with Ryuk ransomware.
According to Check Point, Ryuk is used exclusively for tailored, targeted attacks against large organizations and enterprises. The encryption scheme used by Ryuk has been developed to home in on critical IT resources, locking down systems and ramping up the pressure on businesses to pay high blackmail demands.
Ransom notes and subsequent demands range from 15 to 50 Bitcoin (BTC), which equates to hundreds of thousands of dollars. In return, a decryption key is promised for the restoration of access to files and systems.
In July, Ryuk operators demanded $5.3 million from New Bedford, Massachusetts, after installing the malware on the city's internal IT systems. City officials countered with an offer of $400,000 before electing to restore access through backups instead.
Responses to the Pemex notice, which ZDNet has been unable to verify at the time of writing, include screenshots of what appears to be a ransomware blackmail demand.
The demand is very similar to that used by RYK, a variant of Ryuk discovered by MalwareHunterTeam. The variant encrypts files using the .RYK extension, offers two files for free decryption to back up claims that there is a working decryption key, and requires victims to email operators directly or to use the Tor network to negotiate payment.
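The one concrete host-level indicator the article gives for this variant is the .RYK extension appended to encrypted files. The following triage script is an added example, not code from the article, from ZDNet or from any of the vendors it cites: it walks a directory tree, counts files carrying that extension, groups them by directory and reports the share of files affected, which is the kind of quick check an incident responder runs to size an outbreak. The sample directory tree is constructed inline for demonstration, and the `threshold` parameter is an assumed triage knob rather than a figure from the article.

```python
import os
import tempfile
from collections import Counter
from pathlib import Path

# Extension the article attributes to the RYK variant of Ryuk.
RYK_EXTENSION = ".RYK"


def scan_for_ryk_extension(root, threshold=5):
    """Walk `root` and count files carrying the .RYK extension.

    Returns a dict with the total number of files seen, the number carrying
    the .RYK extension, their paths, a per-directory count, the fraction of
    files affected, and a boolean `suspicious` that is True once the count
    reaches `threshold` (an assumed triage knob, not a figure from the text).
    """
    ryk_files = []
    total = 0
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            total += 1
            # Case-insensitive suffix match so .ryk / .Ryk are counted too.
            if name.upper().endswith(RYK_EXTENSION):
                ryk_files.append(os.path.join(dirpath, name))
    by_dir = Counter(os.path.dirname(p) for p in ryk_files)
    return {
        "total_files": total,
        "ryk_count": len(ryk_files),
        "ryk_files": sorted(ryk_files),
        "affected_dirs": dict(by_dir),
        "affected_fraction": (len(ryk_files) / total) if total else 0.0,
        "suspicious": len(ryk_files) >= threshold,
    }


def build_sample_tree():
    """Create a constructed sample directory tree for the demonstration.

    The contents are invented for this example: a few ordinary files and
    several that carry the .RYK extension across two subdirectories.
    """
    root = tempfile.mkdtemp(prefix="ryk_demo_")
    layout = {
        "finance/budget.xlsx": b"plain",
        "finance/budget.xlsx.RYK": b"encrypted-placeholder",
        "finance/invoices.pdf.RYK": b"encrypted-placeholder",
        "hr/roster.docx.RYK": b"encrypted-placeholder",
        "hr/handbook.pdf": b"plain",
        "hr/photo.jpg.ryk": b"encrypted-placeholder",
    }
    for rel, data in layout.items():
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)
    return root


if __name__ == "__main__":
    demo_root = build_sample_tree()
    report = scan_for_ryk_extension(demo_root, threshold=3)
    print(f"Scanned {report['total_files']} files under {demo_root}")
    print(f".RYK files: {report['ryk_count']} "
          f"({report['affected_fraction']:.0%}) "
          f"in {len(report['affected_dirs'])} directories")
    print("Suspicious:", report["suspicious"])
```

Run against a file share or a mounted image rather than a live, still-encrypting host; the per-directory counts show which shares were reached first, and the affected fraction is the number to compare against a statement such as "less than five percent of systems" when scoping recovery from backups.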
Crowdstrike, FireEye, Kryptos Logic, and McAfee believe that this particular form of ransomware is likely the handiwork of a Russian threat group, nicknamed Grim Spider, which is financially motivated.
ZDNet has reached out to Pemex with additional queries and will update if we hear back.
Previous and related coverage
- Ransomware hits Spanish companies sparking WannaCry panic
- Ransomware: Why we're still losing the fight - and the changes you need to make, before it's too late
- What is ransomware? Everything you need to know about one of the biggest menaces on the web
Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0