Pemex, also known as Mexican Petroleum, is picking up the pieces after hackers deployed ransomware — which locks users out of their computers — on some of the company’s systems, with the perpetrators having asked for more than 500 bitcoin to end the cyberattack.
The oil giant, which is owned by the Mexican government and itself owns more than $400 billion USD worth of assets, first discovered the penetration of parts of its company computers on November 11th.
In an ensuing statement, Pemex noted the attack had only targeted a small portion of the company’s computers and that most of its operations were accordingly unaffected.
On the computers that were locked down, the ransomware itself pointed Pemex employees to a website linked to the relatively new DoppelPaymer ransomware. That site stated the hackers wanted 565 bitcoin, some $5 million at the time of the demand, to end the attack. They gave Pemex officials a deadline of 48 hours to respond.
On November 13th, Reuters contacted the attackers by email. They noted Pemex had missed its inaugural deadline and had thus missed the chance for a discounted ransom payment. Nevertheless, they confirmed they had issued a new deadline and were still demanding several hundred bitcoin accordingly.
Pemex has remained mum on the matter but doesn’t appear poised to make any payments under duress. This week, the company reportedly began resetting and rebooting affected computers, apparently content to lose the localized data in these cases.
The Specter of Ryuk
According to Reuters, a Pemex official had initially estimated that the ransomware that had been deployed against the company was Ryuk, a software that has been involved in a spate of nefarious cyber incidents this year.
According to a report published by cryptocurrency ransomware manager Coveware earlier this year, successful ransomware payouts in Q1 2019 were up 90 percent from Q4 2018, a dynamic the firm attributed to the rising popularity of tools like Ryuk and related software like Bitpaymer and Iencrypt.
Specifically, Coveware found that Ryuk had recently experienced the fastest rate of adoption among hackers.
“Ryuk [tends to be used] to target larger enterprises and shock victims with egregious ransom demands,” Coveware noted at the time.
With that said, such a usage profile may be why the aforementioned Pemex official originally thought Ryuk was involved in the company’s new cyber attack. But regardless of whether DoppelPaymer or Ryuk was the tool, it’s clear that both types of software will see further use going forward until companies and state institutions find a way to decisively shield against them. And that’s undoubtedly easier said than done where phishing-based attacks come into play.
PayPal Might Have One Way Forward
Back in the spring, U.S. payments powerhouse PayPal was awarded a patent by the United States Patent and Trademark Office (USPTO) for a “technique for ransomware detection and mitigation.”
Simply put, the defensive mechanism would either prevent the malicious encryption outright or create an alternative version of the content on a computer’s hard drive that ransomware typically locks down, so that users can still access that content even after a tool like Ryuk has been deployed against the drive.
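As an added illustration of the two behaviours the article attributes to the patent (block the encryption, or keep an accessible copy), the Python sketch below is not PayPal's implementation, whose details the page does not give. It assumes an entropy-based heuristic, an in-memory file store standing in for a disk, and constructed sample data.

```python
import math
from dataclasses import dataclass, field

ENTROPY_THRESHOLD = 7.0  # bits per byte; assumed cut-off, ciphertext sits near 8.0

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def looks_like_encryption(old: bytes, new: bytes) -> bool:
    """Heuristic: readable (low-entropy) content replaced by high-entropy bytes."""
    return shannon_entropy(old) < ENTROPY_THRESHOLD <= shannon_entropy(new)

@dataclass
class GuardedStore:
    """Hypothetical write gate in front of a file store.

    mode="block"    rejects a write that looks like encryption (prevention path).
    mode="preserve" allows it but stashes the original (alternative-copy path).
    """
    mode: str
    files: dict = field(default_factory=dict)
    shadow: dict = field(default_factory=dict)   # preserved originals, keyed by path
    alerts: list = field(default_factory=list)   # paths that tripped the heuristic

    def write(self, path: str, new: bytes) -> bool:
        old = self.files.get(path, b"")
        if old and looks_like_encryption(old, new):
            self.alerts.append(path)
            if self.mode == "block":
                return False
            self.shadow[path] = old
        self.files[path] = new
        return True

# Constructed sample data: a plain-text report and a stand-in for its ciphertext
# (every byte value equally frequent, so entropy is exactly 8.0 bits per byte).
PLAINTEXT = b"quarterly production report: nominal\n" * 20
CIPHERTEXT = bytes(range(256)) * 4

def demo() -> dict:
    """Run both modes against the sample data and return the outcomes."""
    preserve, block = GuardedStore("preserve"), GuardedStore("block")
    for store in (preserve, block):
        store.write("report.txt", PLAINTEXT)
    return {"preserve_allowed": preserve.write("report.txt", CIPHERTEXT),
            "preserve_copy": preserve.shadow.get("report.txt"),
            "block_allowed": block.write("report.txt", CIPHERTEXT),
            "block_contents": block.files["report.txt"]}
```

A benign edit (more text appended to the report) keeps low entropy and passes through either mode without an alert.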
It’s not the first proposed solution to mitigate ransomware, and it surely won’t be the last, but it is one option if the company later rolls the system out to the public. There’s been no word from PayPal about the technology since its patent was awarded.
In the meantime, there are no comprehensive ransomware solutions available on the market today, so these kinds of cyber attacks are set to increase as criminals feel emboldened by better tools for attacking big companies and organizations.