Pemex claims to neutralize attempted Ryuk ransomware attack

Ryuk ransomware hit computer servers and stopped administrative work at Mexican state oil company Pemex

Pemex had to disable servers due to the Ryuk virus. The Mexican oil company encountered a ransomware attack that was allegedly neutralized within a day. Pemex, the state oil provider, reported that hackers attempted to infect its network and halt critical operations, which caused the entire network to be disconnected from the Internet until Monday afternoon.[1] While operations were stopped, employees tried to back up critical information from hard drives. Petróleos Mexicanos, or Pemex, was apparently infected by Ryuk ransomware, which is known for targeting large companies.[2]

When the first reports appeared,[3] Pemex officials told Reuters:

We are taking measures at the national level to fight RYUK ransomware, which is affecting various Pemex servers in the country.

At the moment, operations can run normally and it is known that storage and oil production processes have not been affected.

The attack, which locks the screen, encrypts files and demands payment for the decryption key, was detected at a computer center located in Mexico. According to the statement issued right afterwards,[4] the attempted cyber attack was neutralized and affected only 5% of the computers on the company's network.

Ryuk ransomware – threat targeting large organizations and enterprises

According to many researchers and malware experts, Grim Spider is the hacker group most likely behind the Ryuk operations, which primarily hit companies and organizations. The group is made up of financially motivated Russian criminals.[5] This ransomware has been responsible for many high-profile malware cases this year alone. Ryuk attacks are tailored to each victim and use file encryption as leverage for large extortion demands.

Although no information about the particular ransom or other details was released, Ryuk is known to demand at least 15 Bitcoin, equivalent to hundreds of thousands of dollars. The ransom is demanded in return for the alleged decryption key that the criminals promise to send to the victim. A previous Ryuk attack demanded as much as $5.3 million from New Bedford, Massachusetts.[6]

Unexpected crash of servers stopped employees from working

According to some staff members, they received emails over the weekend asking them not to access the network on Monday because of a shutdown. The system was shut down at noon on Sunday, according to internal email messages that employees received. On Monday afternoon, the network was operating again, and workers were notified that the system was running anti-malware programs, so processes might run slowly.

Despite Pemex's statements about operations running normally, one employee told sources on Monday that the servers were not operating:

The servers crashed. People aren't working.

Several unidentified people spoke to news outlets and gave differing versions of the incident. A spokeswoman who asked not to be identified, citing strict internal policy, said that systems were operating and that a statement from Pemex on was fake. However, it is known that the attack took place on November 10 and was quickly contained.

Unfortunately, this is not the only challenge the company has struggled with recently, since its massive debt remains unpaid. This is probably why spokespersons and employees report different versions of the cyber attack.

About the author
Gabriel E. Hall

Gabriel E. Hall is a passionate malware researcher who has been working for 2-spyware for almost a decade.
