[BreachExchange] Pemex claims victory over cyberattack; $4.9 million ransom reportedly demanded

Destry Winant destry at riskbasedsecurity.com
Fri Nov 15 09:46:39 EST 2019


https://www.scmagazine.com/home/security-news/cyberattack/pemex-claims-victory-over-cyberattack-4-9-million-ransom-reportedly-demanded/

The claim made by the Mexican state-owned petroleum corporation Pemex
that it had recovered from a Nov. 10 cyberattack was met with some
skepticism, as published reports indicate the attack may be still
affecting the company.

Pemex stated it had suffered a cyberattack that impacted about five
percent of its computer equipment, but managed to contain the problem
and is now operating normally. The company did not say what type of
attack transpired, but emails obtained by Reuters point toward Pemex
being hit with Ryuk ransomware. Cybercriminals are known to use Ryuk
to target large enterprises.

“Petróleos Mexicanos operates normally. The operation of the operation
and production systems of the company are not compromised,” according
to a translation of a company statement.

Reuters said the attackers demanded a $4.9 million ransom and that the
company had 48 hours to make a decision. The news agency also reported
that Pemex employees were told to disconnect their computers from the
internet and back up their data.

Attacks on oil companies are not unusual, said Peter Goldstein, CTO
and co-founder of Valimail. In September 2019, Valimail observed
evidence of an email-based spearphishing campaign impersonating a
subset of major Middle Eastern oil producers, he told SC Media.

“Because spearphishing is the vehicle for about 90 percent of
cyberattacks, and is the preferred vector used by the Ryuk ransomware
that hit Pemex, this strongly suggests that oil producers worldwide
are being targeted,” Goldstein said.

Thomas Hatch, CTO and co-founder of SaltStack, is not certain Pemex
officials are being completely honest and may be just trying to put
the best face on the situation. Additionally, without more information
being made public it’s difficult to determine the level of recovery,
he said.

“Typically, a small response like this is a red herring. It is a
company attempting to let people know that things are ‘under control.’
The reality here is that a breach that has hit ‘five percent of
systems’ of a major company means that the breach has gotten very deep
into the infrastructure. This statement strongly suggests that the
breach is deep,” Hatch told SC Media.

However, if Pemex has truly fought off and bounced back from the
attack, then it’s an indication that the company exercises good
cybersecurity practices, said Fausto Oliveira, principal security
architect at Acceptto.

“Recovering five percent of their environment without incurring
lateral movement of the malware is a good sign that they followed
proper containment steps,” he said.

Terence Jackson, Thycotic’s CISO, postulated that the company is, wisely,
using EDR (endpoint detection and response) tools and had a layered
defense in place that enabled its recovery.

“Endpoint Detection and Response tools have replaced traditional
signature-based anti-virus tools in the enterprise. These EDR tools…
allow rapid detection, isolation and even sometimes remediation when
ransomware is detected. It’s likely that Pemex is using EDR in its
environment, which would be in alignment with a rapid detection and
recovery,” he said.
