Computer security researchers MalwareHunterTeam, as well as US specialist Vitali Kremez, announced yesterday that Petróleos Mexicanos (Pemex) had been successfully “attacked” with DoppelPaymer ransomware, an offshoot of the BitPaymer ransomware.
Cybersecurity experts say that ransom notes leaked on the so-called Deep Web confirmed the successful “attack” and that, although the ransom note does not name the company, a source familiar with the matter shared the full URL of the Tor payment site with BleepingComputer, and that site identifies Pemex as the victim.
On the technical side, Kremez commented that Pemex was probably first infected with a Trojan called Emotet, which eventually gave criminals access to the state-owned company’s network; they then deployed the DoppelPaymer ransomware and would have used post-exploitation tools such as Cobalt Strike and PowerShell Empire to spread it throughout the rest of the network.
It has not been ruled out, however, that the “attack” was carried out internally, for reasons still unknown.
The specialists said they accessed the payment site through the Tor network, which is used to reach the Deep Web, where they saw the message addressed to the victim (Pemex).
“We could see that the group that used the DoppelPaymer ransomware demanded 565 bitcoins, or 4.9 million dollars at today’s cryptocurrency prices. It should be noted that the DoppelPaymer payment site offers a chat feature where a victim can obtain support or negotiate with the ransomware developers. This online chat is empty, indicating that Pemex did not try to use it to discuss the ransom with the attackers, who gave it 48 hours, after which nothing would be negotiable. This is strange,” the specialists commented.
In a statement issued last Monday night, Pemex confirmed that it had indeed been cyberattacked on Sunday, November 10, but said that only five percent of its equipment was affected, that it was operating normally, and that there was no effect on its fuel production, supply or inventory.
Although initial reports indicated that Pemex had been hit by the Ryuk ransomware, the specialists reported that the infection was DoppelPaymer, which is especially dangerous because it spreads immediately across the computers and servers on which it is installed.
In some screenshots, the attackers, whose nationality and place of operation are still unknown, show their messages warning that the Mexican oil company has 14 days to pay, or the link where the ransomware decryption key is located will be deleted and the company will no longer be able to recover its files.
As of press time, Pemex had not responded regarding a possible payment to the cybercriminals.
HOW IS THE ATTACK PERFORMED?
- First, they compromise a single computer.
- From it, the cybercriminals perform reconnaissance of the network.
- They then carry out lateral movement, moving on to other equipment connected to the network.
- Finally, they launch a synchronized attack, infecting all the systems to which they have gained access.
The companies Information Technology America, Comprehensive IT Consulting (IT America) and Saynet Integral Solutions, together with the Televisa subsidiaries Operbes and OPERBES Services, were the ones responsible for preventing and detecting the cyberattack that took place last weekend, in which it was confirmed that Petróleos Mexicanos (Pemex) was breached by cybercriminals, who compromised five percent of its computer equipment.
In a document issued last June, the Superior Audit of the Federation (ASF) had already warned the oil company that not all of its equipment was secured against cyberattacks, and that even the companies that manage and monitor the “Secure Communication” services had access to critical information.
“Through their tools they can intercept, extract and store sensitive information; they also know the origin and destination of the data, as well as the sender and recipient,” the ASF told the company.
In addition, the IT infrastructure was left exposed because, since December, the oil company’s administration had stopped paying the companies responsible for its security hardening, as reported yesterday in these pages.
The oil company’s IT department confirmed this, and yesterday morning efforts continued to back up the information on between nine thousand and 12 thousand computers which, as soon as they were turned on, activated the virus that automatically encrypted their data.
It was also reported that the criminals had already demanded a ransom payment in cryptocurrency (the amount was not disclosed) to release the part of the system that had been hijacked by the ransomware.