Mexico's Pemex Oil Suffers Ransomware Attack, $4.9 Million Demanded (Nov 12, 2019)
Pemex, Mexico’s state-owned oil company, was hit with a “DoppelPaymer” ransomware attack on November 10, 2019, with the attackers demanding $4.9 million USD to decrypt its files. Pemex reports that the attack affected less than 5% of its computers and that there was no effect on its fuel production, supply, or inventory. Security researchers at BleepingComputer, MalwareHunterTeam, and Vitali Kremez were able to confirm the DoppelPaymer infection by evaluating the leaked ransom notes and a malware sample. The DoppelPaymer group demanded 565 bitcoins, worth approximately $4.9 million USD at the time of this writing, to be paid by the end of November. In a statement, Pemex said it will not pay the ransom, and Pemex workers reported that internal memos stated all computers were up and running on Monday, November 11, 2019.
Recommendation: Pemex was probably targeted by an initial infection of the Emotet Trojan, which then dropped the Dridex malware. Always run antivirus and endpoint protection software to help prevent ransomware infection. Maintain secure, offline backups of all important files so that paying for a decryption key never needs to be considered, and implement a business continuity plan for the unfortunate case of a ransomware infection. Emails from unknown sources should be treated with caution, and their attachments and links should not be opened or followed. In the case of a ransomware infection, the affected systems should be wiped and reformatted, even if the ransom is paid, and other machines on the same network should be scanned for additional infections.
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.