A couple of days ago web application security specialists reported a ransomware attack on Petroleos Mexicanos (PEMEX), a state-controlled Mexican oil company. Although the company did not explicitly acknowledge the ransomware infection, reports indicate that the attackers demanded about $5 million USD in Bitcoin to restore its systems.
After various local media revealed the incident, PEMEX stated that it was detected on November 10; the company subsequently decided to shut down all computers in various facilities, which interrupted some administrative activities and financial operations.
Some local media claim that threat actors gave PEMEX only 48 hours to contact them and manage the ransom payment.
However, in a statement, the company invited those interested to “avoid misinformation and rumors”, downplaying the seriousness of the incident. According to web application security specialists, PEMEX acknowledged only that the attack affected less than 5% of its computers, asserting that the rest of its IT infrastructure, facilities and distribution activities operate as normal.
Regarding the ransomware variant used by the attackers, it was initially reported that PEMEX was infected with the dangerous Ryuk malware, although some images leaked by company employees show a ransom note associated with infections by the DoppelPaymer ransomware.
Ransomware attack campaigns against public organizations have become very common in the U.S. over the past few months. A couple of months ago, the state of Louisiana declared a state of emergency because dangerous encryption malware infected the IT infrastructure of most school districts in the state. Recovering from this incident required the intervention of state and federal government, intelligence agencies and external cyber specialists.
Another recent case was reported in Texas, where the Department of Information Resources (DIR) reported that at least 23 state government organizations had suffered a serious ransomware infection; some similar cases have also been reported in Canada, although there do not appear to be many precedents of such attacks affecting public companies in Mexico.
So far it is unknown whether the Mexican oil company agreed to pay the ransom or whether it will restore its data from backups. In any case, web application security specialists at the International Institute of Cyber Security (IICS) note that the coming months will involve a great deal of work for PEMEX: in addition to carrying out its recovery process, it will have to conduct an in-depth analysis of its security policies and practices, as well as a digital forensic investigation to determine how the attack occurred and to prevent further incidents in the future.