Mexico’s Pemex oil provider says attempted hack ‘neutralized’

A suspected attack involving Ryuk impacted less than five percent of systems.
Written by Charlie Osborne, Contributing Writer

Mexico's state oil company Pemex successfully fended off an attempt by threat actors to deploy what may have been the Ryuk ransomware variant on internal systems. 

Over the weekend, Pemex asked a number of employees not to try and access corporate networks or IT systems in light of an unexpected shutdown, Bloomberg reports.

An unnamed spokeswoman told the publication that a Pemex notice on Twitter prompted rumors of a successful cyberattack which were false. Instead, an attempt to compromise Pemex systems was isolated and dealt with.

The statement, released by Pemex, revealed that the cyberattack was "neutralized" quickly and impacted less than five percent of its computer systems overall. 

Operations, including oil production and storage, are unaffected. 

See also: New Buran ransomware-as-a-service tempts criminals with discount licenses

An internal email seen by Reuters suggests that Pemex may have been targeted with Ryuk ransomware. 

According to Check Point, Ryuk is used exclusively for tailored, targeted attacks against large organizations and enterprises. The encryption scheme used by Ryuk has been developed to hone in on critical IT resources, locking down systems and ramping up the pressure for businesses to pay high blackmail demands.

Ransom notes and subsequent demands range from 15 - 50 Bitcoin (BTC), which equates to hundreds of thousands of dollars. In return, a decryption key is promised for the restoration of access to files and systems.   

In July, Ryuk operators demanded $5.3 million from New Bedford, Massachusetts, after installing the malware on the city's internal IT systems. City officials countered with an offer of $400,000 before electing to restore access through backups instead. 

Responses to the Pemex notice, of which ZDNet has been unable at present to verify at the time of writing, include screenshots of what appears to be a ransomware blackmail demand. 

TechRepublic: Why we must strike a balance with AI to solve the cybersecurity skills gap

The demand is very similar to that used by RYK, a variant of Ryuk discovered by MalwareHunterTeam. The variant encrypts files using the .RYK extension, offers two files for free decryption to back up claims that there is a working decryption key, and requires victims to email operators directly or to use the Tor network to negotiate payment. 

Check Point

Crowdstrike, FireEye, Kryptos Logic, and McAfee believe that this particular form of ransomware is likely the handiwork of a Russian threat group, nicknamed Grim Spider, which is financially motivated. 

CNET: Microsoft to employ California's digital privacy law nationwide

ZDNet has reached out to Pemex with additional queries and will update if we hear back. 

These are the worst hacks, cyberattacks, and data breaches of 2019 (so far)

Previous and related coverage

Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

Editorial standards