Over the weekend, Pemex asked a number of employees not to try to access corporate networks or IT systems in light of an unexpected shutdown, Bloomberg reports.
An unnamed spokeswoman told the publication that a Pemex notice on Twitter had prompted rumors of a successful cyberattack, and that those rumors were false. Instead, an attempt to compromise Pemex systems was isolated and dealt with.
The statement, released by Pemex, revealed that the cyberattack was "neutralized" quickly and impacted less than five percent of its computer systems overall.
Operations, including oil production and storage, are unaffected.
An internal email seen by Reuters suggests that Pemex may have been targeted with Ryuk ransomware.
According to Check Point, Ryuk is used exclusively for tailored, targeted attacks against large organizations and enterprises. The encryption scheme used by Ryuk has been developed to home in on critical IT resources, locking down systems and ramping up the pressure for businesses to pay high blackmail demands.
Ransom demands range from 15 to 50 Bitcoin (BTC), which equates to hundreds of thousands of dollars. In return, a decryption key is promised for the restoration of access to files and systems.
In July, Ryuk operators demanded $5.3 million from New Bedford, Massachusetts, after installing the malware on the city's internal IT systems. City officials countered with an offer of $400,000 before electing to restore access through backups instead.
Responses to the Pemex notice, which ZDNet has been unable to verify at the time of writing, include screenshots of what appears to be a ransomware blackmail demand.
The demand is very similar to that used by RYK, a variant of Ryuk discovered by MalwareHunterTeam. The variant encrypts files using the .RYK extension, offers two files for free decryption to back up claims that there is a working decryption key, and requires victims to email operators directly or to use the Tor network to negotiate payment.
CrowdStrike, FireEye, Kryptos Logic, and McAfee believe that this particular form of ransomware is likely the handiwork of a financially motivated Russian threat group nicknamed Grim Spider.